Adding or editing an action plan

Administrator Help | Forcepoint DLP | Version 8.5.x

Use the Policy Management > Resources > Action Plans > Action Plan Details page to create or edit an action plan.

To access this page, do one of the following:

Click New in the toolbar at the top of the content pane on the Action Plans page.

Click the name of an action plan in the list on the Action Plans page.

To create or edit an action plan:

Enter or update the Name and Description for the action plan.

The remaining options on the page vary based on subscription l. See the appropriate section for your subscription:

Standard Forcepoint DLP options

Forcepoint Data Discovery options

Forcepoint Web Security mode

Forcepoint Email Security mode

Standard Forcepoint DLP options

On the Data Loss Prevention tab, complete the fields as follows. See Possible actions for an action plan for a description of each possible action.

Under Network Channels:


Action	Description
Email	Select an action to take when a breach is discovered on network email channels.
Mobile email	Select an action to take when a breach is discovered in content being sent to a user's mobile device.
FTP	Select an action to take when a breach is discovered over FTP.
HTTP/HTTPS	Select an action to take when a breach is discovered over HTTP or secure HTTP.
Chat	Select an action to take when a breach is discovered over chat.
Plain text	Select an action to take when a breach is discovered via plain text.

Under Endpoint Channels:


Action	Description
Email	Select an action to take when a breach is discovered on endpoint email. You cannot release endpoint email; therefore, you can only block messages, not quarantine them.
Application control	Select an action to take when a breach is discovered on an endpoint application such as Word.
Removable media	Select an action to take when a breach is discovered on an endpoint device such as a thumb drive.
HTTP/HTTPS	Select an action to take when a breach is discovered on an endpoint device over HTTP or secure HTTP.
LAN	Select an action to take when a breach is discovered on an endpoint LAN, such as when a user copies sensitive data from a workstation to a laptop.
Printing	Select an action to take when a breach is discovered on a local or network printer that is connected to an endpoint.

For Cloud Channels, use the CASB service drop-down list to select an action to take when an incident involves files uploaded to, downloaded from, or used by a cloud application.

Select Permit to allow files to be uploaded, synchronized, downloaded, shared, and so on.

Select Safe copy to keep a copy of the file in the cloud archive that is accessible only to administrators.

Select Quarantine to save the file in a quarantine folder defined in the CASB portal.

Select Quarantine with note to quarantine the file and leave a message in place of the original file.

Select Unshare internal to remove sharing permissions for any internal address.

Select Unshare external to remove sharing permissions for any external address.

Select Unshare all to remove all sharing permissions from the file.

By default, all incidents are audited. Clear the Audit incident check box if you do not want to audit incidents.


	Warning If you turn off this option, incidents are not logged, so you will not know when a policy is breached.

When Audit incident is select, also select one or more of the following options:

Select Include forensics to include information about the transaction that resulted in the incident, such as the contents of an email body: From:, To:, Cc: fields; attachments, URL category, hostname, file name, and more.

Forensics display in the incident report.

Select Run remediation script to have the system run a script when an incident is discovered, then select the script to use from the drop-down list. See Remediation scripts for more information.

Select Run endpoint remediation script to have the system run an endpoint remediation script when an incident is discovered, then select the script to use from the drop-down list.

Select Send syslog message to notify an outside syslog server or ticketing system of the incident.

Select Send email notifications to send an email message to a designated recipient when a policy is breached.

Select the message or messages to send.

Click a link to view or modify standard messages.

Click New to create a custom message.

See Notifications and Adding a new message for details.


	Tip There is a benefit to using the same template for each action plan. The system gathers notifications for individual users according to templates and combines them into a single notification. So if an incident contains 10 different rules, each with a different action plan but the same template, the user receives a single notification with the details of all the breaches.

To configure discovery options, continue to the next section. Otherwise, click OK to save the changes.

Forcepoint Data Discovery options

On the Discovery tab:

To have the system run a remediation script for network discovery incidents, select Run remediation script, then select a script from the drop-down list. See Remediation scripts.

Under Endpoint Discovery, if classification tagging is enabled for the deployment, mark Add classification tag to specify the tag or tags to apply to files.

Tags will be added only to files that meet the conditions set on the Settings > General > Services > Classification Tagging page. (See Configuring classification tagging.)

Classification tagging must be enabled for this option to display in the action plan.

If classification tagging is enabled in the action plan, enter up to two Tag label and Value pairs.

Each label and value must already exist in the classification tagging system in order for Forcepoint Data Discovery to add a tag to files.

To have the system run an endpoint remediation script for endpoint discovery incidents, select Run endpoint remediation script, then select a script from the drop-down list.

Remediation scripts can be added on the Main > Policy Management > Resources > Remediation Scripts page. Select New > Endpoint Script.

Click OK to save the changes.

Forcepoint Web Security mode

Select the Action to take when a user is breaching policy:

Permit or allow the HTTP, HTTPS, or FTP request to go through.

Block or deny the request.

Select Audit incident to have Forcepoint DLP to log incidents. When logging is enabled, email notifications are also available.

Select Send email notifications to send an email message to a designated recipient when a policy is breached.

Select the message or messages to send.

Click a link to view or modify standard messages.

Click New to create a custom message.

See Notifications and Adding a new message for details.


	Tip There is a benefit to using the same template for each action plan. The system gathers notifications for individual users according to templates and combines them into a single notification. So if an incident contains 10 different rules, each with a different action plan but the same template, the user receives a single notification with the details of all the breaches.

Click OK to save your changes.

Forcepoint Email Security mode

Under Email, select an action to take when a breach is discovered on network email channels.

With Forcepoint Email Security (on-premises), the action option configured here applies to all email directions.

For cloud infrastructure deployments such as Microsoft Azure, this option applies only to outbound email. (Inbound and Internal email is permitted, and an alert is sent to the Forcepoint Email Security administrator.)

Permit the message to go through.

Block or deny the message or post.

Quarantine the message.

Select Encrypt on release to have the system encrypt the message before it's released.

Drop attachments that are in breach of policy. Quarantines email messages that:

Have a body breach, but not an attachment breach.

Have breaches in both the message body and attachment.

Are detected by agents other than Forcepoint Email Security, such as the protector.

Fail to drop attachments when indicated.


	Note In a uuencoded attachment, additional content is placed between the attachments, including the attachment name. As a result, if a violation is found in a uuencoded attachment, the attachment is treated as email body and blocked, rather than dropped.

Select Encrypt on release to have quarantined messages encrypted before they're released. If an attachment has been dropped, this option reattaches it and encrypts both the body and attachment before releasing the message.

(Incidents are released when an administrator selects Remediate > Release on the incident details toolbar.)

Encrypt the message.


	Tip Custom actions can also be created in the Email Security module of the Forcepoint Security Manager, specifically for email DLP policies. (Go to the Policy Management > Actions page, then click Add.) Custom actions offer more control over what happens to email that leaks sensitive data. For example, Bcc the original unfiltered message, delay message delivery until a certain date, and so on. Any custom Forcepoint Email Security actions are displayed here, in addition to the default actions.

Select Audit incident to have Forcepoint DLP to log incidents in the incident database. By default, audit is selected irrespective of the action.


	Warning If you turn off this option, incidents are not logged, so you will not know when a policy is breached.

When Audit incident is enabled, several additional actions are available. Select any of these actions to apply.

If you select Send email notifications:

Select the message or messages to send.

Click a link to view or modify standard messages.

Click New to create a custom message.

See Notifications and Adding a new message for details.


	Tip There is a benefit to using the same template for each action plan. The system gathers notifications for individual users according to templates and combines them into a single notification. So if an incident contains 10 different rules, each with a different action plan but the same template, the user receives a single notification with the details of all the breaches.

Click OK to save your changes.