Enhance or mimic your DLP workflow using ICA's Data in Motion Remediation Actions
What is a Remediation Action?
Remediation Actions are buttons that are found on the Data In Motion (DIM) toolbar. ICA has three default Actions already defined (Escalate, Resolve, and Dismiss).
An Action can be created and configured to meet the need of the organization and to assist with the defined remediation workflow for DIM Incidents. An Action can be configured to set the Status, assign a selected Reason or Resolution, or assign an incident to a queue. An Action can also be configured to simply add a Comment to an incident. The Actions can be created and configured to work with existing DLP remediation workflow and processes.
How do you create a Remediation Action?
To create a Remediation Action:
1. Go to the Admin navigation menu item and select settings
2. Click on Data In Motion Settings tab at the top of the Settings page
3. Click on the Remediation Action Types tab
4. Click on the Remediation Action button. This will open a configuration window.
5. Begin configuring the Remediation Action button:
Example Remediation Action Prompt
Below is a list of the fields and definition for each that are available when configuring a Remediation Action button.
a. Main and Window Configuration sections: These sections determine how the Remediation Action prompt is displayed
1) Allow Multiple Selection: Allows users to select more than one item in the Remediation Action prompt
2) Title: Name displayed at the top of the Remediation Action Prompt.
3) Button Text: Name displayed on the button
4) Instructions: Text that is displayed at the top of the Remediation Action Prompt.
5) Glossary: A list of terms. For example, the glossary could list Reason/Resolution Codes and when each should be used.
To add an item to the Glossary:
A. Click on the Glossary button to open the glossary configuration window
B. Add a title for the glossary
C. Click Add Entry to add items to the Remediation Action's glossary table
b. Toolbar Configuration section
1) Button Text: Name displayed on the button
2) Button Width: Display width of the button
3) Icon: Allows customize icons show with the button
4) Is Button Enabled: Enables the button. If this option is not checked, the button will still be visible to users, but will not function. Disabling buttons allows the Administrator to create the buttons to see how they will be displayed on the toolbar without having to worry about users clicking on them when they are not fully configured. In the image below, the Dismiss button has been disabled.
5) Is Button Displayed: Either shows or hides the button from users. Setting the display value allows the Administrator to hide buttons that are configured, but not ready for use or to hide buttons that are not currently needed.
c. Actions Configuration section: This section allows the Administrator to configure what remediation actions fields are available to the user. These actions can range from setting the Status of an incident to simply adding a comment.
If updating of Symantec DLP is enabled (confirm with the ICA Administrator), this section also identifies what Source System Field ICA will be updating within Symantec DLP
Update Status
1) (optional) Update Status: If checked, this allows the button to set the Status of an incident. The Status value is not visible to the user.
2) (optional) Update Source System: If ICA is configured to update Symantec DLP (confirm with the ICA Administrator), specifies whether or not ICA will update the Status of the actioned incident(s) in Symantec DLP as well.
Update Assigned To
3) (optional) Update Assigned To: Allows the user to specify a Queue that is assigned to the incident
4) (optional) Source System Field: If ICA is configured to update Symantec DLP (confirm with the ICA Administrator), specifies the Custom Attribute of the actioned incident(s) within Symantec DLP that will be updated with the specified value
5) (optional) Required: Whether or not a value for Assigned To is required
Update Reason
6) (optional) Update Reason: Allows the user to specify and assign Reason codes to actioned incident(s)
7) (optional) Source System Field: If ICA is configured to update Symantec DLP (confirm with the ICA Administrator), specifies the Custom Attribute of the actioned incident(s) within Symantec DLP that will be updated with the specified value
8) (optional) Required: Whether or not a value for Reason Code is required
Update Resolution
9) (optional) Update Reason: Allows the user to specify and assign Resolution codes to actioned incident(s)
10) (optional) Source System Field: If ICA is configured to update Symantec DLP (confirm with the ICA Administrator), specifies the Custom Attribute of the actioned incident(s) within Symantec DLP that will be updated with the specified value
11) (optional) Required: Whether or not a value for Resolution Code is required
Update Comment
12) (optional) Update Comment: Allows the user to specify a comment
13) (optional) Source System Field: If ICA is configured to update Symantec DLP (confirm with the ICA Administrator), specifies the Custom Attribute of the actioned incident(s) within Symantec DLP that will be updated with the specified value
14) Add Note in Source System: If ICA is configured to update Symantec DLP (confirm with the ICA Administrator), the comment will be added to the Notes field of the incident(s) within Symantec DLP
15) (optional) Required: Whether or not a value for a Comment is required
Update Case Number
16) (optional) Update Case Number: Allows the user to specify a value (ticket number, case number, etc.) from an external system (i.e. an Event Management System, HR system, SOC ticket system, etc.).
17) (optional) Source System Field: If ICA is configured to update Symantec DLP (confirm with the ICA Administrator), specifies the Custom Attribute of the actioned incident(s) within Symantec DLP that will be updated with the specified value
18) (optional) Required: Whether or not a value for Case Number is required
Update Last Actioned By
19) (required) Update Case Number: Sets Last Actioned By field within ICA to the user account of the user actioning the incident(s)
20) (optional) Source System Field: If ICA is configured to update Symantec DLP (confirm with the ICA Administrator), specifies the Custom Attribute of the actioned incident(s) within Symantec DLP that will be updated with the specified value
d. Notifications Configuration section: This section allows the Administrator to assign a notification template that will be used when email messages are sent out. The email messages are used to notify users or a group of users when an item needs action (remediation, review, etc.) or an action has been taken.
1) (optional) Use Custom Notification Rules: Enables custom notification rules and (if enabled) overrides the Assigned To Queue notifications.
2) Template: Sets Notification the template to be used
3) Override Template Distribution List: overrides defaults defined with the selected Notification Template
4) From: Overrides the sender email specified on the Notification Template
5) To: Overrides the recipient email(s) specified on the Notification Template
6) CC: Overrides the CC recipient email(s) specified on the Notification Template
7) BCC Overrides the BCC recipient email(s) specified on the Notification Template
Putting context around Remediation Actions and how to implement them
Example DLP Incident Lifecycle and Workflow
Above is a swim lane diagram that shows an example workflow and lifecycle of an incident from when it was identified by Symantec DLP (New) and when no further action was needed for the incident and it was considered closed or resolved.
Each swim lane represents a different group that is or could be involved throughout the process. Each of these groups represent a different Queue (Assigned To selection from a Remediation Action). Each Queue has its own process to review and eventually close or resolve an incident. As part of this process, each Queue can have its own Remediation Actions that are customized and represent their internal processes.
Analysts Queue
This queue is the initial queue that is assigned to an incident once it comes into ICA. They will review the incident and decided whether or not the incident needs to be escalated to the Investigation queue or if the incident can be resolved. If the incident needs to be escalated, the user will use a remediation action to escalate the incident to the Investigation queue by using the Escalate to Review remediation action. If the incident can be resolved, then the user will use one of two remediation actions (Dismiss or Resolve) and the incident lifecycle will be complete.
Example Remediation Actions and configuration based on example workflow
Investigation Queue
This queue is the first level of escalation for an incident. Only the Analyst queue can assign incidents to this queue. The users assigned to this queue will review the incident and decided whether or not the incident needs to be escalated to the Escalation Queue (could be HR, SOC, Legal, etc.) or if some other action has been taken to resolve the incident. If the incident needs to be escalated, the user will use a remediation action to escalate the incident to the Escalation queue. If some other action has been taken to resolve the incident, then the user will only have the Resolve remediation action available in order to complete the incident lifecycle process.
Example Remediation Actions based on example workflow
Escalation Queue
This queue is the last level of escalation for an incident. Only the Investigation queue can assign incidents to this queue. The users assigned to this queue will review the incident and decides if further action is needed or if some other action has been taken and the incident can be resolved. Notice that this queue only has one remediation action. The Resolve remediation action allows the user to close the incident and specify an additional actions that that may need to be taken such as escalating to another area outside of the ICA/DIM workflow. This remediation action is used to complete the incident lifecycle process.
Example Remediation Actions based on example workflow
Example questions to ask when creating Remediation Actions: