Adding a new action plan

Administrator Help | Forcepoint DLP | Version 8.4.x

Use the Policy Management > Resources > Action Plans > Action Plan Details page to create or edit an action plan.

To access this page, click New in the toolbar at the top of the content pane on the Action Plans page.

To create an action plan:

Enter a Name and Description for the action plan.

The remaining options on the page vary based on subscription level. See the appropriate section for your subscription:

Standard Forcepoint DLP options

Forcepoint Web Security mode

Forcepoint Email Security mode

Standard Forcepoint DLP options

On the Data Loss Prevention tab, complete the fields as follows. See Possible actions for an action plan for a description of each possible action.

Under Network Channels:


Action	Description
Email	Select an action to take when a breach is discovered on network email channels.
Mobile email	Select an action to take when a breach is discovered in content being sent to a user's mobile device.
FTP	Select an action to take when a breach is discovered over FTP.
HTTP/HTTPS	Select an action to take when a breach is discovered over HTTP or secure HTTP.
Chat	Select an action to take when a breach is discovered over chat.
Plain text	Select an action to take when a breach is discovered via plain text.

Under Endpoint Channels:


Action	Description
Email	Select an action to take when a breach is discovered on endpoint email. You cannot release endpoint email; therefore, you can only block messages, not quarantine them.
Application control	Select an action to take when a breach is discovered on an endpoint application such as Word.
Removable media	Select an action to take when a breach is discovered on an endpoint device such as a thumb drive.
HTTP/HTTPS	Select an action to take when a breach is discovered on an endpoint device over HTTP or secure HTTP.
LAN	Select an action to take when a breach is discovered on an endpoint LAN, such as when a user copies sensitive data from a workstation to a laptop.
Printing	Select an action to take when a breach is discovered on a local or network printer that is connected to an endpoint.

For Cloud Channels, use the File sync and sharing drop-down list to select an action to take when a breach is discovered during file sync or sharing with a cloud service, such as OneDrive for Business or Box.

Select Permit to allow files to be synchronized or shared.

Select Delete file to permanently erase the file that users are trying to sync or share. When a file is deleted, it cannot be recovered.

By default, all incidents are audited. Clear the Audit incident check box if you do not want to audit incidents.


	Warning If you turn off this option, incidents are not logged, so you will not know when a policy is breached.

When Audit incident is select, also select one or more of the following options:

Select Include forensics to include information about the transaction that resulted in the incident, such as the contents of an email body: From:, To:, Cc: fields; attachments, URL category, hostname, file name, and more.

Forensics display in the incident report.

Select Run remediation script to have the system run a script when an incident is discovered, then select the script to use from the drop-down list. See Remediation scripts for more information.

Select Run endpoint remediation script to have the system run an endpoint remediation script when an incident is discovered, then select the script to use from the drop-down list.

Select Send syslog message to notify an outside syslog server or ticketing system of the incident.

Select Send email notifications to send an email message to a designated recipient when a policy is breached.

Select the message or messages to send.

Click a link to view or modify standard messages.

Click New to create a custom message.

See Notifications and Adding a new message for details.


	Tip There is a benefit to using the same template for each action plan. The system gathers notifications for individual users according to templates and combines them into a single notification. So if an incident contains 10 different rules, each with a different action plan but the same template, the user receives a single notification with the details of all the breaches.

If you subscribe to Forcepoint DLP Discovery, click the Discovery tab, then:

To have the system run a remediation script when an incident is discovered, select Run remediation script, then select a script from the drop-down list. See Remediation scripts.

To have the system run an endpoint remediation script when an incident is discovered, select Run endpoint remediation script, then select a script from the drop-down list.

Click OK to save your changes.

Forcepoint Web Security mode

Select the Action to take when a user is breaching policy:

Permit or allow the HTTP, HTTPS, or FTP request to go through.

Block or deny the request.

Select Audit incident to have Forcepoint DLP to log incidents. When logging is enabled, email notifications are also available.

Select Send email notifications to send an email message to a designated recipient when a policy is breached.

Select the message or messages to send.

Click a link to view or modify standard messages.

Click New to create a custom message.

See Notifications and Adding a new message for details.


	Tip There is a benefit to using the same template for each action plan. The system gathers notifications for individual users according to templates and combines them into a single notification. So if an incident contains 10 different rules, each with a different action plan but the same template, the user receives a single notification with the details of all the breaches.

Click OK to save your changes.

Forcepoint Email Security mode

Under Email, select an action to take when a breach is discovered on network email channels.

With Forcepoint Email Security (on-premises), the action option configured here applies to all email directions.

For cloud infrastructure deployments such as Microsoft Azure, this option applies only to outbound email. (Inbound and Internal email is permitted, and an alert is sent to the Forcepoint Email Security administrator.)

Permit the message to go through.

Block or deny the message or post.

Quarantine the message.

Select Encrypt on release to have the system encrypt the message before it's released.

Drop attachments that are in breach of policy. Quarantines email messages that:

Have a body breach, but not an attachment breach.

Have breaches in both the message body and attachment.

Are detected by agents other than Forcepoint Email Security, such as the protector.

Fail to drop attachments when indicated.


	Note In a uuencoded attachment, additional content is placed between the attachments, including the attachment name. As a result, if a violation is found in a uuencoded attachment, the attachment is treated as email body and blocked, rather than dropped.

Select Encrypt on release to have quarantined messages encrypted before they're released. If an attachment has been dropped, this option reattaches it and encrypts both the body and attachment before releasing the message.

(Incidents are released when an administrator selects Remediate > Release on the incident details toolbar.)

Encrypt the message.


	Tip Custom actions can also be created in the Email Security module of the Forcepoint Security Manager, specifically for email DLP policies. (Go to the Policy Management > Actions page, then click Add.) Custom actions offer more control over what happens to email that leaks sensitive data. For example, Bcc the original unfiltered message, delay message delivery until a certain date, and so on. Any custom Forcepoint Email Security actions are displayed here, in addition to the default actions.

Select Audit incident to have Forcepoint DLP to log incidents in the incident database. By default, audit is selected irrespective of the action.


	Warning If you turn off this option, incidents are not logged, so you will not know when a policy is breached.

When Audit incident is enabled, several additional actions are available. Select any of these actions to apply.

If you select Send email notifications:

Select the message or messages to send.

Click a link to view or modify standard messages.

Click New to create a custom message.

See Notifications and Adding a new message for details.


	Tip There is a benefit to using the same template for each action plan. The system gathers notifications for individual users according to templates and combines them into a single notification. So if an incident contains 10 different rules, each with a different action plan but the same template, the user receives a single notification with the details of all the breaches.

Click OK to save your changes.