Adding a new message

Administrator Help | Forcepoint DLP | Version 8.8.2

Use the Resources > Notifications > Notification Details page to define notification messages.

To access this page, click New in the toolbar at the top of the content pane on the Notifications page.

Enter a Name for this notification template, such as "Breach notification".

Enter a Description for the template.

Enter the Sender name that appears in the email From field when notifications are sent. The maximum length is 1024 characters.

Enter the Sender email address: the email address of the person from whom notifications should be sent. The maximum length is 1024 characters.

If you are using Exchange Online, a valid sender email address must be used.

Information for the currently configured outgoing mail server is displayed. To change the server used, see Mail servers.

Enter a Subject for the notification. This appears in the email Subject: line. The maximum length is 4000 characters.

Click the right arrow to select variables to include in the subject, such as "This is to notify you that your message was %Action% because it breached corporate policy."

Define one or more Recipients for the notification.

Click Edit to select to select business units or directory entries.

Select Additional email addresses, then click the right arrow to select a dynamic recipient that varies according to the incident. For example, you can choose to send the notification to the policy owners, administrators, source, or source's manager. Select the variable that applies, such as %Policy Owners%. Separate multiple addresses with commas.

For mobile incidents, do not send notifications to senders or senders' managers. The incident was a result of someone synchronizing email to a mobile device; the message may have been permitted otherwise.

Notifications can be sent only to people in your domain. If a recipient is out of your organization, the notification is not sent, no matter what is configured in a rule or action plan.

On the Notification Body tab

Select a notification Type:

Select Standard to include all of the elements shown in the Body Content box. You can enable or disable these elements if you use the standard notification type.

Select Custom to send a custom notification. Edit the default text as needed. The drop-down menu provides variables.

Select a display format from the Display as drop-down list: HTML or plain text.

Select from the following display options:

Select Logo to display the Forcepoint logo, date, and time.

Select Action to displays the action taken when the breach was discovered.

Select Message to user, then update the text as needed. The result is displayed in the email body. Click the right-arrow icon to see a list of variables that may be included in the message.

Select Incident details to include incident details in the notification message.

Select Violation triggers to attach a list of rules violated by the breach.

Select Include links so that recipients can perform operations on the incident to include links that administrators can use to perform workflow operations on the incident (like assign, ignore, and escalate) directly from the notification. (See sample links below.)

Administrators can perform only the operations they have permission to perform from their role assignment.

Plain text notifications do not show links.

To support this feature, create an email account for the Forcepoint DLP system in Exchange. To avoid reconfiguration, make sure the credentials assigned to this mailbox do not expire. Once done, navigate to Settings > General > Mail Servers and configure the incoming mail server. Use this mailbox for the system email address.

Select Allow recipients to release quarantined email from this notification to give message recipients the ability to release blocked messages by replying to their notification message or by clicking the Release All link within the message.

See Releasing blocked email in Forcepoint DLP on the Forcepoint support site for instructions on setting up the release by reply capability. You must configure options in both Forcepoint DLP and Microsoft Exchange to enable it.


	Important To include links in notifications or to allow recipients to release messages, you must configure the incoming mail server to use to receive these requests. To do so, click Mail Server Settings on the toolbar. See Mail servers for more information.

Select Attach policy-breach content to include the content that violated policy as an attachment to the message.

Click OK to save your changes.

The following example shows what recipients see at the bottom of their notification message. Here, they can perform workflow actions on the incident and release the quarantined content.

Each link opens a window used to compose a message to the system's notification server. This is how the workflow operation is communicated to the management server.

For example, if a recipient clicks the link to change the status of an incident to High, an email message opens like this:

A default message is drafted, but the sender can add comments to display on the History tab of the incidents report.

Do not delete the Comments section, even if there are no added comments.

If there are custom comments, do not modify the To: field or the encryption codes at the bottom of the message.

Without the encryption codes, workflow is not modified.

Click Send to notify the system of your request.

Successful changes are shown on the incident's History tab.This includes the name of the administrator who performed the action, any comments that were added, and the action taken.

If there is an error processing the workflow request, an error message is sent or the error is saved in the syslog. Syslog errors are logged if the system experiences an internal error.