Create a Data Loss Prevention Response Rule to perform various tasks

Article ID: 172010

Updated On:

Products

Data Loss Prevention Enforce

Issue/Introduction

  • Response rules can be added to a policy to take automated action on incidents. 
    • For example, if a policy is violated, a response rule can block the transmission of a file containing sensitive content.
  • Response rules are created, modified, and managed separately from the policies that use them.
    • This decoupling makes it possible to update and reuse response rules across policies.
  • Response rules can be run automatically or can be configured as a Smart Response rule that incident remediators can execute on demand.
    • Conditions can also be implemented to control how and when automated response rules execute.

Environment

DLP 15.0

Resolution

Implementing response rules

Response rules are defined independently from policies.

You must have response rule authoring privileges to create and manage response rules.

  1. Review the available response rules.
    1. The Manage > Policies > Response Rules screen displays all configured response rules and is the starting point for adding new ones
    2. Click Add Response Rule to define a new response rule
    3. At the New Response Rule screen, select one of the following options:
      • Automated Response - The system automatically executes the response action as the server evaluates incidents (default option)
      • Smart Response - An authorized user executes the response action from the Incident Snapshot screen in the Enforce Server administration console
    4. Click Next to configure the response rule.
    5. Enter a response Rule Name and Description
    6. Optionally, define one or more Conditions to dictate when the response rule executes. If no condition is declared, the response rule action always executes when there is a match (assuming that the detection rule is configured the same). Skip this step if you selected the Smart Response rule option
    7. Select and configure one or more Actions. You must define at least one action
    8. Click Save to save the response rule definition
  2. Decide the type of response rule to implement: Smart, Automated, or both
  3. Determine the type of actions you want to implement and any triggering conditions
  4. Understand the order of precedence among response rule actions of different types and of the same type
  5. Integrate the Enforce Server with an external system (if required for the response rule)
  6. Add a new response rule
  7. Configure response rules

To add an automated response rule to a policy

  1. Log on to the Enforce Server administration console with policy authoring privileges
  2. Navigate to the Manage > Policies > Policy List > Configure Policy screen for the policy you want to add a response rule to
  3. Select the response rule you want to add from those available in the drop-down menu
  4. Click Add Response Rule to add the response rule to the policy