Technical Library | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Defining Resources > Remediation > Action Plans > Adding a new action plan
Adding a new action plan
Administrator Help | TRITON AP-DATA | Version 8.3.x
The procedure for adding an action plan varies depending on your subscription. You may see:
*
Standard options
*
TRITON AP-WEB mode
*
TRITON AP-EMAIL mode
Standard options
1.
Click New.
2.
Enter an action plan name and description.
3.
On the Data Loss Prevention tab, complete the fields as follows. See Possible actions for a description of each possible action.
 
Action
Description
Network Channels
Email
Select an action to take when a breach is discovered on network email channels.
Mobile email
Select an action to take when a breach is discovered in content being sent to a user's mobile device.
FTP
Select an action to take when a breach is discovered over FTP.
HTTP/HTTPS
Select an action to take when a breach is discovered over HTTP or secure HTTP.
Chat
Select an action to take when a breach is discovered over chat.
Plain text
Select an action to take when a breach is discovered via plain text.
Endpoint Channels
Email
Select an action to take when a breach is discovered on endpoint email. You cannot release endpoint email; therefore, you can only block messages, not quarantine them.
Application control
Select an action to take when a breach is discovered on an endpoint application such as Word.
Removable media
Select an action to take when a breach is discovered on an endpoint device such as a thumb drive.
HTTP/HTTPS
Select an action to take when a breach is discovered on an endpoint device over HTTP or secure HTTP.
LAN
Select an action to take when a breach is discovered on an endpoint LAN, such as when a user copies sensitive data from a workstation to a laptop.
Printing
Select an action to take when a breach is discovered on a local or network printer that is connected to an endpoint.
Cloud Channels
File sync and sharing
Select an action to take when a breach is discovered during file sync or sharing with a cloud service such as OneDrive for Business.
You can Permit the file to be synced or shared, or you can Delete it. When a file is deleted, it cannot be recovered.
Auditing
Audit incident
Select this check box if you want the system to log incidents in the incident database.
Note:
If you disable this box, incidents are not logged, so you will not know when a policy is breached.
When Audit incident is enabled, several more options are made available. You can:
*
Run remediation script
*
Run endpoint remediation script
*
Send syslog message
*
Send email notifications
Include forensics
When you audit an incident, you can capture forensics if desired. Forensics include information about the transaction that resulted in the incident, such as the contents of an email body: From:,To:, Cc: fields; attachments, URL category, hostname, file name, and more.
Forensics display in the incident report.
Run remediation script
Select this check box if you want the system to run a remediation script when an incident is discovered, then select the script to use from the drop-down list. See Remediation scripts for more information.
Run endpoint remediation script
Select this check box if you want the system to run an endpoint remediation script when an incident is discovered, then select the script to use from the drop-down list.
Send syslog message
Select this check box if you want to notify an outside syslog server or ticketing system of the incident.
Send email notifications
Select this check box to send an email message to a designated recipient when a policy is breached. Select the message or messages to send. Click a link to view or modify standard messages. Click New to create a custom message. See Notifications and Adding a new message for details.
Tip: There is a benefit to using the same template for each action plan. The system gathers notifications for individual users according to templates and combines them into a single notification. So if an incident contains 10 different rules, each with a different action plan but the same template, the user receives a single notification with the details of all the breaches.
Possible actions
The actions available for each channel depend on the channel. Possible actions include:
Action
Description
Permit
Allow data to be maneuvered based on your selection —for example, allow it to be printed or posted to a website.
Block
Deny or block data from being printed, posted, or emailed, depending on your selection.
Quarantine
Quarantine email messages containing sensitive data. Network email can be encrypted before it's released. Select Encrypt on release to enable this feature.
Note:
When a mobile email message is released from quarantine, it is sent to the mobile device the next time the device is connected to the network.
Drop attachments
*
Drops email attachments that are in breach of policy.
*
Applies to messages detected by the TRITON AP-EMAIL module.
*
Applies to rules that monitor data in "each part separately."
*
Quarantines email messages that:
*
Have a body breach, but not an attachment breach.
*
Have breaches in both the message body and attachment.
*
Are detected by agents other than TRITON AP-EMAIL, such as the protector.
*
Are detected when rules are monitoring data in "the transaction as a whole."
*
Fail to drop attachments when indicated.
Note:
If a violation is found in a UUencoded attachment, the attachment is treated as email body and blocked rather than dropped. This is because additional content is placed between the attachments, including the attachment name.
(UNIX-to-UNIX encoding (UUencoding) is a utility that most email applications use for encoding and decoding files.)
Select Encrypt on release if you want quarantined messages to be encrypted before they're released. If an attachment has been dropped, this option reattaches it and encrypts both the body and attachment before releasing the message.
To release an incident, an administrator selects Remediate > Release on the incident details toolbar.
Encrypt
Encrypt the affected email message.
With TRITON AP-DATA agents and the TRITON AP-EMAIL module (on-premises mode), this option applies to all email directions.
For cloud infrastructure deployments such as Microsoft Azure, this option applies only to outbound email. (Inbound and Internal email is permitted, and an alert is sent to the TRITON AP-EMAIL administrator.)
Encrypt with profile key
Removable media only. Encrypts sensitive data for users who will be on authorized, endpoint machines. Passwords are set by administrators and deployed via profiles. Decryption is automatic if the files are accessed on the endpoints.
Encrypt with user password
Windows removable media only. Encrypts sensitive data for users who will be decrypting files from other machines (those without the endpoint agent installed). Passwords are set by endpoint users. Files are decrypted using a special utility.
Note that if the user has not yet configured a password when the first breach is detected, the system prompts the user for a password and then blocks the operation. The encryption action is not performed until subsequent transactions.
This option is not supported on Mac or Linux endpoints. Removable media transactions are permitted on Mac and Linux when this option is selected.
Confirm
Display a confirmation message, such as the following when a security threat is detected:
TRITON AP-ENDPOINT DLP has detected that you're trying to copy sensitive data to a removable drive, which appears to be in violation of corporate policy. Do you want to continue?
Users can continue if they enter a business reason for the operation, or they can cancel. If they cancel or wait too long, the default action is taken.
To configure the default action, navigate to Settings > General > Endpoint and select Block or Permit on the General tab.
By default, all incidents are audited. De-select the Audit incident check box if you do not wish to audit incidents.
If you subscribe to TRITON AP-DATA Discover, click the Discovery tab and complete the fields as follows:
 
Field
Description
Run remediation script
Select this check box if you want the system to run a remediation script when an incident is discovered, then select the script to use from the drop-down list. See Remediation scripts for more information.
Run endpoint remediation script
Select this check box if you want the system to run an endpoint remediation script when an incident is discovered, then select the script to use from the drop-down list.
1.
Click OK to save your changes.
TRITON AP-WEB mode
1.
Click New.
2.
Enter an action plan name and description.
3.
Complete the remaining fields as follows:
 
Field
Description
Action
Select the action to take when a user is breaching policy:
*
Permit - Allow the HTTP, HTTPS, or FTP request to go through.
*
Block - Block the request.
Audit incident
Select this check box if you want TRITON AP-DATA to log incidents in the audit log. When the audit log is enabled, you can also send email notifications.
Send email notifications
Select this check box to send an email message to a designated recipient when a policy is breached. Select the message or messages to send. Click a link to view or modify standard messages. Click New to create a custom message. See Notifications and Adding a new message for details.
Tip: There is a benefit to using the same template for each action plan. The system gathers notifications for individual users according to templates and combines them into a single notification. So if an incident contains 10 different rules, each with a different action plan but the same template, the user receives a single notification with the details of all the breaches.
4.
Click OK to save your changes.
TRITON AP-EMAIL mode
1.
Click New.
2.
Enter an action plan name and description.
3.
Complete the remaining fields as follows:
Field
Description
Email
Select an action to take when a breach is discovered on network email channels.
*
Permit - Let the message through.
*
Block - Deny or block the message or post.
*
Quarantine - Quarantine the message. Select Encrypt on release if you want the message to be encrypted before it's released.
*
Drop attachments - Drops email attachments that are in breach of policy. Quarantines email messages that:
*
Have a body breach, but not an attachment breach.
*
Have breaches in both the message body and attachment.
*
Are detected by agents other than TRITON AP-EMAIL, such as the protector.
*
Fail to drop attachments when indicated.
NOTE: If a violation is found in a UUencoded attachment, the attachment is treated as email body and blocked rather than dropped. This is because additional content is placed between the attachments, including the attachment name.
Select Encrypt on release if you want quarantined messages to be encrypted before they're released. If an attachment has been dropped, this option reattaches it and encrypts both the body and attachment before releasing the message.
To release an incident, an administrator selects Remediate > Release on the incident details toolbar.
*
Encrypt - Encrypt the message.
In addition, you can create custom actions in the Email Security manager just for DLP policies. This gives you much more control over what happens to email that leaks sensitive data. For example, you can Bcc the original unfiltered message, delay message delivery until a certain date, or use IP address.
Custom TRITON AP-EMAIL actions are displayed here as well for your selection.
To create an action in the Email Security manager, select Policy Management > Actions, click Add, then indicate that the action is to be used by DLP policies only.
With TRITON AP-EMAIL (on-premises mode), the Action option applies to all email directions.
For cloud infrastructure deployments such as Microsoft Azure, this option applies only to outbound email. (Inbound and Internal email is permitted, and an alert is sent to the TRITON AP-EMAIL administrator.)
Audit incident
Select this check box if you want TRITON AP-DATA to log incidents in the incident database. By default, audit is selected irrespective of the action. If however, you deselect this check box, but choose a block action, then this option is not enabled.
Note:
If you disable this box, incidents are not logged, so you will not know when a policy is breached.
When Audit incident is enabled, several more options are made available. You can:
*
Run remediation script
*
Run endpoint remediation script
*
Send syslog message
*
Send email notifications
Send email notifications
Select this check box to send an email message to a designated recipient when a policy is breached. Select the message or messages to send. Click a link to view or modify standard messages. Click New to create a custom message. See Notifications and Adding a new message for details.
Tip: There is a benefit to using the same template for each action plan. The system gathers notifications for individual users according to templates and combines them into a single notification. So if an incident contains 10 different rules, each with a different action plan but the same template, the user receives a single notification with the details of all the breaches.
4.
Click OK to save your changes.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Defining Resources > Remediation > Action Plans > Adding a new action plan
Copyright 2016 Forcepoint LLC. All rights reserved.