After creating Cloud based policies, the initial response rules appear to fail testing. However, after some time the response rules begin working as expected. 

Release : ANY

Component : Cloud CDS

1. For Cloud Service for Email or the Cloud Detection Service for Web Security Services (WSS), please ensure that policies are in the policy group(s) associated with the Cloud Detector. You can confirm this by going to "System > Servers and Detectors > Policy Groups" on Enforce Server console and clicking on the policy group you assigned to that policy. Make sure the Cloud Detector has a check-mark in the box next to it. 

2. For CASB Cloud Detection Service, go to "Manage > Application Detection > Configuration" on the Enforce Server console and select the associated Application filter you are attempting to apply the policy to. Confirm the "Policy Group" that you assigned to your new policy has a check mark next to it. If not, check it and click "Save". 

3. Enforce syncing your filters to the cloud is not quite the same as updating policies for on premises detection servers. The sync process is often quick, but it can potentially take up to ~4 hours to complete a policy sync. Especially if EDMs/IDMs or AD based groups are associated as part of the rules/exception. This depends on communication bandwidth between the Enforce and the Cloud Detector and also size of policy components. This does not affect the speed at which the Cloud Detector processes traffic, only the sync between Enforce and the Cloud Detector. 

Please allow ~4 hours after a policy or response rule change before opening a support case.