Preparing and running the remediation scripts

Administrator Help | Forcepoint DLP | Version 8.5.x

STEP 1: Configure CopyFiles and MoveFiles

Navigate to the RunCommands subdirectory of the Forcepoint DLP installation directory and open the CopyFiles.py script in a text editor (like Notepad).

Use the Location field to define the destination of the copied files. This location may be either a network share (UNC path) accessible to all servers and/or endpoints running discovery, or a local path on the server and/or endpoints running discovery. For example:

Location = r'\\InfosecServer1\Quarantine'

Location = r'c:\secure\quarantine'.

Using a network location is usually recommended but might not be possible if you are performing endpoint discovery on endpoints that are not always connected to the corporate network. When performing endpoint discovery and choosing a local quarantine, be sure to exclude that folder from all the discovery tasks to avoid triggering incidents on the quarantine.

Notice that the remediation script does not perform any deletions from the quarantine location, so it is up to you to perform routine cleanup operations on this location.

Save and close the CopyFiles script.

In the same directory, open the MoveFiles.py script in a text editor.

Use the Location field to define the destination of the moved files. Refer to step 2 for requirements in this field.

The DaysKeepActiveFiles parameter defines the number of days to keep files.

QuarantineMsg is a stubbed file created by the MoveFiles script.

Save and close the MoveFiles script.

In the Data Security module of the Forcepoint Security Manager, go to the Main > Policy Management > Resources Remediation Scripts page.

Select New > Endpoint Script or Policy Script.

Enter a name and description for one of the discovery scripts.

10.

Browse to the appropriate script: CopyFiles.py or MoveFiles.py.

It is not necessary to complete the fields on the Linux tab of the Add Policy Remediation Script window.

11.

Enter a user name and password for an administrator that has all of the following:

Read permissions to the archive folder

Access to all directories in the network

Read/write privileges to all files scanned in the discovery.

CopyFiles needs read permissions to all scanned files, and read/write permission to the archive (quarantine) folder. MoveFiles also needs write permissions to all scanned files.

12.

Click OK.

STEP 2: Add the remediation scripts to an action plan

In the Data Security module of the Forcepoint Security Manager, go to the Main > Policy Management > Resources > Action Plans page.

Select an action plan or select New from the toolbar.

On the Discovery tab, do one of the following:

Select Run remediation script, then select the script.

Select Run endpoint remediation script, then select the script to run for endpoint discovery.

Click OK.

STEP 3: Add the action plan to a policy

In the Data Security module of the Forcepoint Security Manager, go to the Main > Policy Management > Discovery Policies page.

Select the rule of interest and click Edit.

Navigate to the Severity & Action page.

Select the action plan.

Click OK.

STEP 4: Deploy your changes

The remediation script will run when discovery incidents are triggered on the selected policy.


	Note If remediation scripts will access shares that are under a Active Directory domain, the Forcepoint DLP server must also be part of the domain, as well.