Remediation scripts
Administrator Help | Forcepoint DLP | Version 8.7.x
Remediation scripts extend the functionality of discovery and data loss prevention.
A remediation script is an executable run by a policy engine or endpoint agent whenever an incident is triggered.
A remediation script is considered a resource. Configure remediation scripts on the Resources > Remediation Scripts page in the Data Security module of the Forcepoint Security Manager. Use this page to identify and manage the external scripts to run when various breaches are discovered.
Types of remediation scripts
There are 3 types of remediation scripts:
* An Endpoint Script runs automatically when endpoint incidents are triggered. Because the script is run on an endpoint device, it should have minimal CPU and disk space requirements. In addition, the script should not assume the endpoint computer is part of the network, and it should be smaller than 5 MB.
* An Incident Management Script runs on incidents selected in the Incident Report. To activate this script:
  1. Open an incident on the Main > Reporting > Data Loss Prevention > Incidents page.
  2. Click Remediate > Run Remediation Script in the toolbar at the top of the content pane.
  3. The script can be used to automate tasks such as opening a CRM case. It is not executed automatically.
* A Policy Script runs automatically when data loss prevention and discovery incidents are triggered. For example, the script might encrypt data detected in discovery breaches or perform an action in a DRM system. Because the script is associated with the network server, it can be larger and more demanding of CPU resources, and it can make use of other tools in the network.
The system provides 3 scripts for network file system and endpoint discovery. These scripts can be used to copy or move content detected in breaches. See Copying or moving discovered files for details.
For information on writing your own scripts, see Creating Remediation Scripts.
Incident XML interface for use in remediation scripts
Forcepoint DLP creates an XML file every time an incident is generated. The XML file contains incident details that can be used in remediation scripts, such as the nature of the violation and the content itself.
At run time, your script receives the path to the XML file as an input. Your script can parse this XML file and perform additional actions based on the incident details, such as logging to an external system or custom analysis.
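One way to parse the incident file defensively, as an added example that is not Forcepoint's code: it assumes the XML path arrives as the first command-line argument, and the element names in the constructed sample are hypothetical, not taken from the XSD. Because the file embeds content from the violation, the parser rejects any DOCTYPE and caps both input size and logged field length.

```python
import json
import sys
from xml.parsers import expat

MAX_XML_BYTES = 1_000_000  # assumed cap; keeps an endpoint script light
MAX_VALUE_CHARS = 256      # truncate matched content before logging it
# Constructed sample: element names are hypothetical, not the product schema.
SAMPLE = b"<incident><id>42</id><policy><name>PCI</name></policy></incident>"


def flatten_incident(xml_bytes):
    """Return {"/path/to/leaf": "text"} for each element that holds text."""
    if len(xml_bytes) > MAX_XML_BYTES:
        raise ValueError("incident XML exceeds size cap")
    path, text, fields = [], [], {}

    def forbid_doctype(*_args):
        # The file carries content from the violation: allow no DTD/entities.
        raise ValueError("DOCTYPE not allowed in incident XML")

    def start(name, _attrs):
        path.append(name)
        text.clear()

    def end(_name):
        value = "".join(text).strip()
        if value:  # first occurrence of a repeated path wins
            fields.setdefault("/" + "/".join(path), value[:MAX_VALUE_CHARS])
        path.pop()
        text.clear()

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = text.append
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError as exc:
        raise ValueError(f"malformed incident XML: {exc}") from exc
    return fields


if __name__ == "__main__":
    # Assumption: the XML path is the first argument; with none, use SAMPLE.
    data = SAMPLE
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read(MAX_XML_BYTES + 1)
    print(json.dumps(flatten_incident(data), sort_keys=True))
```

The output is one JSON object per incident, which a wrapper can append to a local log or forward to an external system.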
The XML Schema Definition (XSD) for this file is shown below:
In this schema:

Copyright 2020 Forcepoint. All rights reserved.