Configure custom Tombstone messages with DLP Enforce server and CASB integration

Article ID: 170738

Products

Data Loss Prevention Enforce, Data Loss Prevention Cloud Detection Service, CASB Security Standard, CASB Security Premium, CASB Security Advanced, CASB Audit, CASB Gateway

Issue/Introduction

This article describes how to create a custom "Tombstone" message (also known as a Marker File) in an Enforce Response Rule that is applied at the CloudSOC.

By default, the Symantec Data Loss Prevention (DLP) Enforce policy uses a standard Marker File message when a file is quarantined through the Response Rule action, "Custom Action on Data-at-Rest".

Note: This workaround only applies if you have CASB and your on-premises DLP Enforce Server integrated with the DLP Cloud Detection Service.

Environment

  • In version 15.5 and later, the ability to customize a Marker File message (aka "tombstone") is available in the "Quarantine Data-at-Rest" Response Rule.
  • For version 15.1 and prior, you can customize the Tombstone message by using the Custom Payload option with the JSON payload shown below.

    Note: Native CASB policy (i.e. Protect) relies on a Response Rule Template that is applied to the Protect policy directly.

Resolution

DLP 15.5 and later

The option to configure the text of the Marker File message appears in the "Quarantine Data-at-Rest" Response Rule when you click "Use marker file".

DLP 15.0 and 15.1

Follow these steps to apply the custom payload to a Response Rule action in DLP Enforce policy:

  1. Log on to the DLP Enforce Server console.
  2. Go to Manage > Policies > Response Rules.
  3. Click on Add Response Rule.
  4. Select Automated Response and then click Next.
  5. Name your Policy and provide a description (if desired).
  6. Under “Conditions”, click on Add Condition (optional step).
  7. In your new Condition, select Incident Type > Is Any Of > Cloud Applications and API Appliance (optional step).
  8. Under “Actions”, click the drop-down arrow, scroll down to the Cloud Applications and API Appliance (Data-at-Rest) section and select Custom Action on Data-at-Rest.
  9. Click on the Add Action button.
  10. Paste in the JSON code shown below, and then customize your message.
  11. Click on Save to complete the process of creating a new Response Rule.
  12. The final step is to apply the new Response Rule with your Custom Action on Data-at-Rest to your desired policies.

JSON Code:

{
    "action": "quarantine",
    "parameter": {
        "path": "/",
        "markerFile": "true",
        "markerFileText": "Insert your custom tombstone quarantine message here"
    }
}
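
Added example (not part of the original article and not Symantec code): a Python helper that builds the payload above with the custom message correctly escaped, and checks a hand-edited payload before it is pasted into the Response Rule in step 10. The function names are hypothetical, and the checks assume the Enforce server expects the same keys and string values as the sample, which the article does not state.

```python
import json

# Shape of the article's sample payload; only markerFileText is meant to change.
TEMPLATE = {
    "action": "quarantine",
    "parameter": {"path": "/", "markerFile": "true", "markerFileText": ""},
}


def build_payload(message):
    """Return the payload as JSON text with the message safely escaped."""
    if not message.strip():
        raise ValueError("tombstone message is empty")
    payload = json.loads(json.dumps(TEMPLATE))  # deep copy of the template
    payload["parameter"]["markerFileText"] = message
    return json.dumps(payload, indent=4)


def check_payload(text):
    """List the ways a hand-edited payload differs from the article's sample."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno}, column {exc.colno})"]
    if not isinstance(data, dict) or not isinstance(data.get("parameter"), dict):
        return ["top level must be an object containing a 'parameter' object"]
    problems = []
    if data.get("action") != TEMPLATE["action"]:
        problems.append("'action' differs from the sample value 'quarantine'")
    param = data["parameter"]
    for key, expected in TEMPLATE["parameter"].items():
        if key not in param:
            problems.append(f"parameter.{key} is missing")
        elif not isinstance(param[key], str):
            problems.append(f"parameter.{key} should be a string, as in the sample")
        elif key == "markerFileText":
            if not param[key].strip():
                problems.append("parameter.markerFileText is empty")
        elif param[key] != expected:
            problems.append(f"parameter.{key} differs from the sample value")
    return problems


if __name__ == "__main__":
    # Constructed sample message containing quotes and a line break.
    print(build_payload('File "Q3 plan" was quarantined.\nContact the security team.'))
```

An unescaped double quote or a raw line break typed into markerFileText makes the payload invalid JSON; check_payload reports the line and column where parsing failed.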