Custom Policy Wizard - Severity and Action

Administrator Help | Forcepoint DLP | Version 8.6.x

Related topics:

Custom Policy Wizard - Source

Risk-Adaptive Protection

Configuring Risk-Adaptive Protection

Action Plans

Use the Severity & Action tab of the custom policy wizard to define when to trigger an incident:

Select Trigger an incident for every matched condition to trigger an incident every time a condition in the rule is matched. (For example, if a user sends an email message containing sensitive content, then prints the message, 2 incidents are generated.)

Select Accumulate matches before creating an incident to have the system collect matches for a particular source over time and create incidents when a threshold is met (drip DLP). The system remembers user activity and generates incidents for matches that occur within a defined period.

To configure either option, configure the first line in the Severity and Action Plan table:

Specify the incident severity:

Low - Incidents that match this rule are of low importance. The policy breach is minor.

Medium - Incidents that match this rule are of medium importance. The policy breach is moderate.

High - Incidents that match this rule are very important and warrant immediate attention. The policy breach is severe.

Select an action plan. Action plans are customizable.

Select Audit Only to monitor and record (audit) incidents.

Select Audit and Notify (default) to monitor and record incidents. In addition, if notifications are configured, generate notifications.

Select Block All to block and audit incidents. In addition, if notifications are configured, generate notifications.

Select Drop Email Attachments to remove email attachments that violate policy.

Select Audit Without Forensics to monitor and record incidents without recording forensic data.

Select Block Without Forensics to block and audit incidents without recording forensic data.

Define severity and action at a more granular level by selecting the second and third lines of the Severity and Action Plan table and selecting a severity and action plan for each line.

For example, when there are at least 10 matches (10 or more), select Medium as severity and Audit & Notify as action plan. When there are at least 20 matches, select High as severity and Block as action plan.


	Tip Start with an action plan of audit only. Once policies have been tuned, send notifications or use block actions, as needed.

Click the

icon to edit the action plan. Change the action for each channel, as needed. Editing an action plan changes it for all the rules that use it.

Click the

icon to create a new action plan. See Action Plans for details.

The action applies only to the match that exceeded the threshold—the one that created the incident—and subsequent matches. Initial matches are permitted.

Under the Severity and Action section, select how matches should be calculated:

Select greatest number of matched conditions to have the number of matches compared, and only the greatest number reported. For example, if there are 5 matches for the classifier "Confidential Pattern", 3 for "SSN Pattern", and 10 for "My Key Phrases", the number of matches would be defined as 10.

Select sum of all matched conditions to have the number of matches added together and the total reported. Given the same example as above, the number of matches would be defined as 18.

If you are using Risk-Adaptive Protection to determine actions according to the source's risk level, select an action plan for each one of the risk levels (1-5). When the rule is triggered the action plan that will be executed will be the one that was defined for the risk level of the user as determined by Forcepoint UEBA.

Click the Add button (

) to create a new action plan and add it to all risk-level action-plan lists. You can then select the new action plan for each risk level.

See Risk-Adaptive Protection and Configuring Risk-Adaptive Protection.


	Note The Risk-Adaptive Protection section only affects users that were defined as risk-adaptive users (see Custom user directory groups and Custom users pages on how to define such users.)

When the "Accumulate matches" option is selected, also configure:

How to count matches:

Count incident transactions as they accumulate for a given source, even though each incident can have multiple triggers.

Count unique matches to count violation triggers that accumulate for a source, but only triggers that are unique.

If, for example, there is a rule that does not permit 10 different credit card numbers to be sent within 1 hour:

If a user sends 1 message with 20 credit card numbers, 1 violation trigger is counted.

If the user sends 20 email messages with the same credit card number, no triggers are counted, because the numbers were not unique.

Note that case differences are counted separately in word-related classifiers--for example, word, Word, and WORD.

Count all matches (default) that accumulate for a source, even duplicates. In the example above, even if the user sent 20 messages with the same credit card number, 20 triggers are counted.

Matches and transactions are counted individually for each source, such as user name or IP address, and they are counted only on the policy engine that detects them. Incidents are generated only when the threshold is met on a single policy engine.

Select a time period for accumulating matches. The time period is a sliding window. It resets every time a match is detected.

Use the Where there are at least field to define the threshold for triggering an incident. For example, trigger an incident when there are at least 3 matches (3 or more).

If the threshold is not met, the match count is 0.

Use the The rate of matches should decline... field to specify how long the system should continue counting matches once the rate begins to decline.

As long as the system continues to detect the configured number of matches over the configured period, it continues to accumulate the matches in the same incident.