Adding or editing an action plan

Administrator Help | Forcepoint DLP | Version 8.7.x

Use the Policy Management > Resources > Action Plans > Action Plan Details page to create or edit an action plan.

There are several ways to access the Action Plan Details page:

From the toolbar at the top of the content pane on the Action Plans page, click New.

From the list on the Action Plans page, click the name of an action plan.

In the Custom Policy wizard, on the Severity & Action tab, click the New or Edit icon next to the name of an Action Plan.

To create or edit an action plan:

Enter or update the Name and Description for the action plan.

The remaining options on the page vary based on subscription. See the appropriate section for your subscription:

Standard Forcepoint DLP options

Forcepoint Data Discovery options

Forcepoint Web Security mode

Forcepoint Email Security mode

Standard Forcepoint DLP options

On the Data Loss Prevention tab, complete the fields as follows. See Possible actions for an action plan for a description of each possible action.

Under Network Channels:


Action	Description
Email	Select an action to take when a breach is discovered on network email channels.
Mobile email	Select an action to take when a breach is discovered in content being sent to a user's mobile device.
FTP	Select an action to take when a breach is discovered over FTP.
HTTP/HTTPS	Select an action to take when a breach is discovered over HTTP or secure HTTP.
Chat	Select an action to take when a breach is discovered over chat.
Plain text	Select an action to take when a breach is discovered via plain text.

Under Endpoint Channels:


Action	Description
Email	Select an action to take when a breach is discovered on endpoint email. You cannot release endpoint email; therefore, you can only block messages, not quarantine them.
Application control	Select an action to take when a breach is discovered on an endpoint application such as Word.
Removable media	Select an action to take when a breach is discovered on an endpoint device such as a thumb drive.
HTTP/HTTPS	Select an action to take when a breach is discovered on an endpoint device over HTTP or secure HTTP.
LAN	Select an action to take when a breach is discovered on an endpoint LAN, such as when a user copies sensitive data from a workstation to a laptop.
Printing	Select an action to take when a breach is discovered on a local or network printer that is connected to an endpoint.

Under Cloud Channels, there are two channels: DLP Cloud Proxy and DLP Cloud API.

For DLP Cloud Proxy, select from the drop-down list to select an action to take when an incident involves files uploaded, attached, or downloaded from a cloud application.

Select Permit to allow files to be uploaded, attached, or downloaded.

Select Block to prevent the user action.


	Note When Block is applied, some desktop cloud applications might perform multiple retries to sync with the cloud service, and potentially malfunction. If this happens, multiple incidents might be received by the DLP system.

For DLP Cloud API, select from the drop-down list to select an action to take when an incident involves files uploaded to, downloaded from, or used by a cloud application.

Select Permit to allow files to be uploaded, synchronized, downloaded, or shared.

Select Safe copy to keep a copy of the file in the cloud archive that is accessible only to administrators.

Select Quarantine to save the file in a quarantine folder defined in the CASB portal.

Select Quarantine with note to quarantine the file and leave a message in place of the original file.

Select Unshare internal to remove sharing permissions for any internal address.

Select Unshare external to remove sharing permissions for any external address.

Select Unshare all to remove all sharing permissions from the file.

By default, all incidents are audited. Clear the Audit incident check box if you do not want to audit incidents.


	Warning If you turn off this option, incidents are not logged, so you will not know when a policy is breached.

When Audit incident is selected, select one or more of the following additional options:

Select Include forensics to include information about the transaction that resulted in the incident, such as the contents of an email body: From:, To:, Cc: fields; attachments, URL category, hostname, file name, and more.

Forensics display in the incident report.

Select Run remediation script to have the system run a script when an incident is discovered, then select the script to use from the drop-down list. See Remediation scripts for more information.

Select Run endpoint remediation script to have the system run an endpoint remediation script when an incident is discovered, then select the script to use from the drop-down list.

Select Send syslog message to notify an outside syslog server or ticketing system of the incident.

Select Send email notifications to send an email message to a designated recipient when a policy is breached.

Select the message or messages to send.

Click a link to view or modify standard messages.

Click New to create a custom message.

See Notifications and Adding a new message for details.


	Tip There is a benefit to using the same template for each action plan. The system gathers notifications for individual users according to templates and combines them into a single notification. Therefore, if an incident contains 10 different rules, each with a different action plan but the same template, the user receives a single notification with the details of all the breaches.

To configure discovery options, continue to the next section. Otherwise, click OK to save the changes.

Forcepoint Data Discovery options

Enter the following information in the Discovery tab:

In the Network Discovery section, select Run remediation script when you want the system to run a remediation script for network discovery incidents. Select a script from the associated drop-down list. See Remediation scripts.

In the Endpoint Discovery section, if file labeling is enabled for deployment, it can be selected from the Labeling system drop-down list. Specify up to two Boldon James Classifier labels and up to one Microsoft Information Protection label to apply to the files.

If labels are removed from the labeling system, an alert is shown under the removed labels. Select a new label from the drop-down list or clear the check box.

If the "No labels were found" message is displayed, import labels as described in Configuring file labeling.

Once a label is added, the action plan displays the following information for each label:

Labeling system

Selected label

Label properties (for example, "Marking" or "Protection" for Microsoft Information Protection labels)


	Note Make sure that only one labeling system is selected for an action plan. Forcepoint DLP supports use of only one labeling system at a time: Either Microsoft Information Protection or Boldon James, but not both.

Select Run endpoint remediation script when you want the system to run an endpoint remediation script for endpoint discovery incidents. Select a script from the associated drop-down list.

Remediation scripts can be added on the Main > Policy Management > Resources > Remediation Scripts page. Select New > Endpoint Script.

Under Cloud Discovery, select the Cloud service supported action from the drop-down list:

Select Audit only to monitor and record (audit) incidents.

Select Safe copy to keep a copy of the file in the cloud archive that is accessible only to administrators.

Select Quarantine to save the file in a quarantine folder defined in the CASB portal.

Select Quarantine with note to quarantine the file and leave a message in place of the original file.

Select Unshare internal to remove sharing permissions for any internal address.

Select Unshare external to remove sharing permissions for any external address.

Select Unshare all to remove all sharing permissions from the file.

Click OK to save the changes.

Forcepoint Web Security mode

Select the Action to take when a user is breaching policy:

Permit or allow the HTTP, HTTPS, or FTP request to go through.

Block or deny the request.

Select Audit incident to have Forcepoint DLP to log incidents. When logging is enabled, email notifications are also available.

Select Send email notifications to send an email message to a designated recipient when a policy is breached.

Select the message or messages to send.

Click a link to view or modify standard messages.

Click New to create a custom message.

See Notifications and Adding a new message for details.


	Tip There is a benefit to using the same template for each action plan. The system gathers notifications for individual users according to templates and combines them into a single notification. Therefore, if an incident contains 10 different rules, each with a different action plan but the same template, the user receives a single notification with the details of all the breaches.

Click OK to save your changes.

Forcepoint Email Security mode

Under Email, select an action to take when a breach is discovered on network email channels.

With Forcepoint Email Security (on-premises), the action option configured here applies to all email directions.

For cloud infrastructure deployments such as Microsoft Azure, this option applies only to outbound email. (Inbound and Internal email is permitted, and an alert is sent to the Forcepoint Email Security administrator.)

Permit the message to go through.

Block or deny the message or post.

Quarantine the message.

Select Encrypt on release to have the system encrypt the message before it's released.

Drop attachments that are in breach of policy. Quarantines email messages that:

Have a body breach, but not an attachment breach.

Have breaches in both the message body and attachment.

Are detected by agents other than Forcepoint Email Security, such as the protector.

Fail to drop attachments when indicated.


	Note In a uuencoded attachment, additional content is placed between the attachments, including the attachment name. As a result, if a violation is found in a uuencoded attachment, the attachment is treated as email body and blocked, rather than dropped.

Select Encrypt on release to have quarantined messages encrypted before they're released. If an attachment has been dropped, this option reattaches it and encrypts both the body and attachment before releasing the message.

(Incidents are released when an administrator selects Remediate > Release on the incident details toolbar.)

Encrypt the message.


	Tip Custom actions can also be created in the Email Security module of the Forcepoint Security Manager, specifically for email DLP policies. (Go to the Policy Management > Actions page, then click Add.) Custom actions offer more control over what happens to email that leaks sensitive data. For example, Bcc the original unfiltered message, delay message delivery until a certain date, and so on. Any custom Forcepoint Email Security actions are displayed here, in addition to the default actions.

Select Audit incident to have Forcepoint DLP to log incidents in the incident database. By default, audit is selected irrespective of the action.


	Warning If you turn off this option, incidents are not logged, so you will not know when a policy is breached.

When Audit incident is enabled, several additional actions are available. Select any of these actions to apply.

If you select Send email notifications:

Select the message or messages to send.

Click a link to view or modify standard messages.

Click New to create a custom message.

See Notifications and Adding a new message for details.


	Tip There is a benefit to using the same template for each action plan. The system gathers notifications for individual users according to templates and combines them into a single notification. Therefore, if an incident contains 10 different rules, each with a different action plan but the same template, the user receives a single notification with the details of all the breaches.

Click OK to save your changes.