Exception Wizard - Severity & Action

Administrator Help | Forcepoint DLP | Version 8.8

Related topics:

Custom Policy Wizard - Severity and Action

Risk-Adaptive Protection

Analytics

Use the Severity & Action tab of the exception wizard to configure a severity level and an action plan for conditions that match the exception.

Select severity and action plans according to matches of incidents that match this exception. This overrides the rule's severity and action plan.

Severity:

Low - Incidents that match this exception are of low importance. The policy breach is minor.

Medium - Incidents that match this exception are of medium importance. The policy breach is moderate.

High - Incidents that match this exception are very important and warrant immediate attention. The policy breach is severe.

Action Plan:

Select Block all to use the strict actions defined under Main > Policy Management > Resources > Action Plans.

Select Audit & notify manager (the default) to use the moderate actions defined. These are a compromise between the blocking and auditing plans.

Select Audit only to use audit incidents and not block them.

New and edit icons are displayed to the right of the action plan drop-down list.

Click the edit icon to change the action for each channel if desired. Editing an action plan changes it for all the rules and exceptions that use it.

Click the new icon to create a new action plan. See Action Plans.

Select how matches should be calculated for this exception:

Greatest number of matched conditions. Select this option if you want the number of matches for each condition to be compared, and only the greatest number reported. For example, if there are 5 matches for the condition, ConfidentialPattern, 3 for SSN_Pattern, and 10 for MyKeyPhrases, the number of matches would be defined as 10.

Sum of all matched conditions. Select this option if you want the number of matches for each condition to be added together and the total to be reported. Given the same example as above, the number of matches would be defined as 18.

If you are using Risk-Adaptive Protection to determine actions according to the source's risk level, select an action plan for each one of the risk levels (1-5). When the rule is triggered, the action plan that will be executed will be the one that was defined for the risk level of the user as determined by Forcepoint FBA.

Click the Add button (

) to create a new action plan and add it to all risk-level action-plan lists. You can then select the new action plan for each risk level.


	Note The Risk-Adaptive Protection section only affects users that were defined as risk-adaptive users (see Custom user directory groups and Custom users pages on how to define such users.)

Click Next to continue to the Finish page of the exception wizard. See Exception Wizard - Finish.