Supporting New Response Rules on legacy Enforce using Custom Actions

Article ID: 170886

Products

Data Loss Prevention Cloud Detection Service

Issue/Introduction

In addition to the list of pre-configured Response Rules, it's possible to configure "custom actions" for the DLP Cloud Detection Service in v14.6.

N/A

Cause

More response rules are available in DLP v15, but those actions can also be used in v14.6 through the "Custom Actions on Data-at-Rest" and "Custom Actions on Data-in-Motion" response rules.

Environment

DLP 14.6, with DLP Cloud Detection Service registered, for integration with Elastica CloudSOC, or WSS.

Resolution

Quarantine

Put the following into the "Custom payload" field of a "Custom Action on Data-at-Rest" action:

{
    "action": "quarantine",
    "parameter": {
        "path": "/path/to/the/quarantine/directory",
        "markerFile": "true",
        "markerFileText": "This file has been quarantined due to your company policy"
    }
}

Notes:

  • There is no error handling - capitalization matters (on everything but the value of path).  Spacing does not matter, but is included here for readability.
  • This parser also doesn't accept extra commas after list items.
  • "markerFile" is a string, not a boolean. Its value should be either "true" or "false", including the quotes.
  • Any extra information is kept in the "customResponsePayload" parameter of the output, but information that is transferred to other fields is erased from it. The example above will have no "customResponsePayload" parameter, as everything gets transferred to other fields.

 

Cloud Service Connector Actions (Securlet-specific)

Put the following into the "Custom payload" field of a "Custom Action on Data-at-Rest" action:

{ "action": "file_access_all_read" }

Notes:

  • There is no error handling - capitalization matters.  Spacing does not matter, but is included here for readability.
  • Any extra information is kept in the "customResponsePayload" parameter of the output, but information that is transferred to other fields is erased from it. The example above will have no "customResponsePayload" parameter, as everything gets transferred to other fields.
  • This follows the same rules that Securlets allow for actions as usual. If the Securlet doesn't allow the action, it will not take place.
  • The action strings are as follows:
    • file_access_all_read: Set File Access to 'All Read'
    • file_access_internal_read: Set File Access to 'Internal Read'
    • file_access_internal_edit: Set File Access to 'Internal Edit'
    • collab_access_preview: Set Collaborator Access to 'Preview'
    • collab_access_read: Set Collaborator Access to 'Read'
    • collab_access_edit: Set Collaborator Access to 'Edit'
    • collab_access_remove: Remove Collaborator Access
    • prevent_download: Prevent download, copy, print

 

 

Cloud Service Connector Actions (Gatelet-specific)

Put the following into the "Custom payload" field of a "Custom Action on Data-in-Motion" action:

{ "action": "add_2fa" }

Notes:

  • There is no error handling - capitalization matters.  Spacing does not matter, but is included here for readability.
  • Any extra information is kept in the "customResponsePayload" parameter of the output, but information that is transferred to other fields is erased from it. The example above will have no "customResponsePayload" parameter, as everything gets transferred to other fields.
  • This follows the same rules that Gatelets allow for actions as usual. If the Gatelet doesn't allow the action, it will not take place.
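
Because the payload parser has no error handling, a payload can be checked before it is pasted into the "Custom payload" field. The following Python check is an added example, not part of the product or of the original article. It applies the notes from the three sections above; its allow-list holds only the action strings shown in this article, and the function names and the "at-rest" / "in-motion" labels are invented for the example.

```python
import json

# Action strings exactly as listed in this article, grouped by response rule type.
ACTIONS = {
    "at-rest": {"quarantine", "file_access_all_read", "file_access_internal_read",
                "file_access_internal_edit", "collab_access_preview",
                "collab_access_read", "collab_access_edit",
                "collab_access_remove", "prevent_download"},
    "in-motion": {"add_2fa"},
}
QUARANTINE_PARAMS = ("path", "markerFile", "markerFileText")


def wrong_case(keys, expected):
    """Report keys that match an expected name only when case is ignored."""
    lowered = {e.lower(): e for e in expected}
    return [f"key {k!r} should be spelled {lowered[k.lower()]!r}"
            for k in keys if k not in expected and k.lower() in lowered]


def check_payload(text, rule_type):
    """Return a list of problems; rule_type is "at-rest" or "in-motion"."""
    try:
        doc = json.loads(text)  # strict JSON: a trailing comma is rejected
    except json.JSONDecodeError as exc:
        return [f"not strict JSON: {exc.msg} at line {exc.lineno}"]
    if not isinstance(doc, dict):
        return ["payload must be a JSON object"]
    problems = wrong_case(doc, ("action", "parameter"))
    action = doc.get("action")
    if action is None:
        problems.append("no 'action' key")
    elif action not in ACTIONS[rule_type]:
        problems.append(f"action {action!r} is not listed for {rule_type} rules")
    param = doc.get("parameter")
    if action == "quarantine" and isinstance(param, dict):
        problems += wrong_case(param, QUARANTINE_PARAMS)
        marker = param.get("markerFile")
        if marker is not None and marker not in ("true", "false"):
            problems.append('markerFile must be the string "true" or "false"')
    return problems


if __name__ == "__main__":
    # Constructed sample: boolean markerFile and a mis-capitalized key.
    sample = '{"action": "quarantine", "parameter": {"Path": "/q", "markerFile": true}}'
    print(check_payload(sample, "at-rest"))
```

An empty list means none of these checks failed; whether the Securlet or Gatelet actually allows the action is still decided by the service.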