Supporting New Response Rules on legacy Enforce using Custom Actions

Article Id: 170886
Status: Published
Updated On: 02-02-2018 17:36
Legacy Id: TECH248924
Products:
Data Loss Prevention Cloud Detection Service
Issue/Introduction:

In addition to the list of pre-configured Response Rules, it's possible to configure "custom actions" for the DLP Cloud Detection Service in v14.6.

N/A

Cause:

There are more response rules available in DLP v15, but those actions can also be leveraged by utilizing the "Custom Actions on Data-at-Rest" and "Custom Actions on Data-in-Motion" response rules.

Resolution:

Quarantine

Put the following into the "Custom payload" field of a "Custom Action on Data-at-Rest" action:

{

    "action": "quarantine",

    "parameter": {

        "path": "/path/to/the/quarantine/directory",

        "markerFile": "true",

        "markerFileText" : "This file has been quarantined due to your company policy"

    }

}

Notes:

  • There is no error handling - capitalization matters (on everything but the value of path).  Spacing does not matter, but is included here for readability.
  • This parser also doesn't accept extra commas after list items.
  • “markerFile” is a string, not a boolean. It should be either true or false.
  • Any extra information will be kept in the customResponsePayload parameter of the output, but any information transferred will be erased. The example above will have no customResponsePayload parameter, as everything gets transferred to other fields.

 

Cloud Service Connector Actions (Securlet-specific)

Put the following into the "Custom payload" field of a "Custom Action on Data-at-Rest" action:

{ "action": "file_access_all_read" }

Notes:

  • There is no error handling - capitalization matters.  Spacing does not matter, but is included here for readability.
  • Any extra information will be kept in the "customResponsePayload" parameter of the output, but any information transferred will be erased. The example above will have no "customResponsePayload" parameter, as everything gets transferred to other fields.
  • This follows the same rules that Securlets allow for actions as usual. If the Securlet doesn't allow the action, it will not take place.
  • The action strings are as follows:
    • file_access_all_read: Set File Access to 'All Read'
    • file_access_internal_read: Set File Access to 'Internal Read'
    • file_access_internal_edit: Set File Access to 'Internal Edit'
    • collab_access_preview: Set Collaborator Access to 'Preview'
    • collab_access_read: Set Collaborator Access to 'Read'
    • collab_access_edit: Set Collaborator Access to 'Edit'
    • collab_access_remove: Remove Collaborator Access
    • prevent_download: Prevent download, copy, print

 

 

Cloud Service Connector Actions (Gatelet-specific)

Put the following into the "Custom payload" field of a "Custom Action on Data-in-Motion" action:

{ "action": "add_2fa" }

Notes:

  • There is no error handling - capitalization matters.  Spacing does not matter, but is included here for readability.
  • Any extra information will be kept in the "customResponsePayload" parameter of the output, but any information transferred will be erased. The example above will have no "customResponsePayload" parameter, as everything gets transferred to other fields.
  • This follows the same rules that Gatelets allow for actions as usual. If the Gatelet doesn't allow the action, it will not take place.