Symantec Data Loss Prevention Administration Guide: Responding To Policy Violations
Legal Notice
Copyright © 2019 Symantec Corporation. All rights reserved.
Symantec, CloudSOC, Blue Coat, the Symantec Logo, the Checkmark Logo, the Blue Coat logo, and the
Shield Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S.
and other countries. Other names may be trademarks of their respective owners.
This Symantec product may contain third party software for which Symantec is required to provide attribution
to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open
source or free software licenses. The License Agreement accompanying the Software does not alter any
rights or obligations you may have under those open source or free software licenses. Please see the
Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec
product for more information on the Third Party Programs.
The product described in this document is distributed under licenses restricting its use, copying, distribution,
and decompilation/reverse engineering. No part of this document may be reproduced in any form by any
means without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE
DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY
INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL
DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS
DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO
CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined
in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer
Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and
Commercial Computer Software Documentation," as applicable, and any successor regulations, whether
delivered by Symantec as on premises or hosted services. Any use, modification, reproduction release,
performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government
shall be solely in accordance with the terms of this Agreement.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
https://www.symantec.com
This chapter includes the following topics:
■ Response rule actions for Cloud Applications and API appliance detectors
Response rule actions are the components that take action when a policy violation occurs.
Response rule actions are mandatory components of response rules. If you create a response
rule, you must define at least one action for the response rule to be valid.
Symantec Data Loss Prevention provides several response rule actions. Many are available
for all types of detection servers. Others are available for specific detection servers.
See “Implementing response rules” on page 1758.
The detection server where a policy is deployed executes a response rule action any time a
policy violation occurs. Or, you can configure a response rule condition to dictate when the
response rule action executes.
See “About response rule conditions” on page 1752.
For example, any time a policy is violated, send an email to the user who violated the policy
and the manager. Or, if a policy violation severity level is medium, present the user with an
on-screen warning. Or, if the severity is high, block a file from being copied to an external
device.
All detection servers
    See “Response rule actions for all detection servers” on page 1739.
Endpoint detection servers
    See “Response rule actions for endpoint detection” on page 1740.
Network Prevent detection servers
    See “Response rule actions for Network Prevent detection” on page 1741.
Network Protect detection servers
    See “Response rule actions for Network Protect detection” on page 1742.
Cloud storage detection servers and detectors
    See “Response rule actions for Cloud Storage detection” on page 1743.
Cloud Detection Service REST detectors and API Detection for Developer Apps Appliances
    See “Response rule actions for Cloud Applications and API appliance detectors” on page 1744.
Symantec Data Loss Prevention provides several response rule actions for Endpoint Prevent,
Endpoint Discover, Network Prevent for Web, Network Prevent for Email, and Network Protect.
Add Note
    Add a field to the incident record that the remediator can annotate at the Incident Snapshot screen.
Limit Incident Data Retention
    Discard or retain matched data with the incident record.
    See “Configuring the Limit Incident Data Retention action” on page 1783.
Send Email Notification
    Send an email you compose to recipients you specify.
Symantec Data Loss Prevention provides several response rule actions for Endpoint Prevent
and Endpoint Discover.
Endpoint: ICT Classification And Tagging
    Apply the appropriate ICT classification to content in a policy violation, or as a baseline Classification Scan.
Endpoint Discover: Information Centric Defense
    The Endpoint Discover: Information Centric Defense response rule action flags sensitive files for Symantec Endpoint Protection (SEP) monitoring.
    See “Configuring the Endpoint Discover: Quarantine File action” on page 1815.
Endpoint Prevent: Block
    Block the transfer of data that violates the policy. For example, block the copy of confidential data from an endpoint to a USB flash drive.
Endpoint Prevent: Notify
    Display an on-screen notification to the endpoint user when confidential data is transferred.
Endpoint Prevent: User Cancel
    Allow the user to cancel the transfer of a confidential file. The override is time sensitive.
    See “Configuring the Endpoint Prevent: User Cancel action” on page 1828.
Symantec Data Loss Prevention provides several response rule actions for Network Prevent
for Web and Network Prevent for Email.
Network Prevent for Web: Block FTP Request
    See “Configuring the Network Prevent for Web: Block FTP Request action” on page 1831.
    Only available with Network Prevent for Web.
Network Prevent for Web: Block HTTP/S
    See “Configuring the Network Prevent for Web: Block HTTP/S action” on page 1831.
    Only available with Network Prevent for Web.
Network Prevent: Block SMTP Message
    Block email that causes an incident.
Network Prevent: Modify SMTP Message
    Modify the email that causes an incident. For example, change the email subject to include information about the violation.
    See “Configuring the Network Prevent: Modify SMTP Message action” on page 1833.
Network Prevent for Web: Remove HTTP/S Content
    Remove confidential content from Web posts.
    See “Configuring the Network Prevent for Web: Remove HTTP/S Content action” on page 1835.
    Only available with Network Prevent for Web.
Symantec Data Loss Prevention provides several response rule actions for Network Protect
(Discover).
Network Protect: Copy File
    Copy sensitive files to a location you specify.
    See “Configuring the Network Protect: Copy File action” on page 1836.
    Only available with Network Protect.
Network Protect: Quarantine File
    Quarantine sensitive files.
    See “Configuring the Network Protect: Quarantine File action” on page 1837.
    Only available with Network Protect.
Network Protect: Encrypt File
    Encrypt sensitive files using Symantec ICE.
    See “Configuring the Network Protect: Encrypt File action” on page 1838.
    This action is available only if you have installed the Network Protect ICE license and configured the Enforce Server to connect to the Symantec ICE Cloud. For information about how Symantec Data Loss Prevention interacts with Symantec ICE, refer to the Symantec Information Centric Encryption Deployment Guide at http://www.symantec.com/docs/DOC9707.
Symantec Data Loss Prevention provides two response rule actions for Cloud Storage detection,
from either on-premises detection servers or on cloud detectors.
Cloud Storage: Add Visual Tag
    Add a text tag to Box cloud storage content that violates a policy.
Cloud Storage: Quarantine
    Quarantine sensitive files from a cloud storage user account to a quarantine user account. For on-premises Box scanning, you can also use an on-premises quarantine location.
Remove Shared Links
    The Remove Shared Links Smart Response action removes shared links from files in cloud applications through the Cloud Detection Service.
    ■ Dropbox
    ■ Gmail
    ■ Office 365 Email
    ■ Box
    ■ Office 365 OneDrive
    ■ Office 365 SharePoint
    ■ Salesforce
    ■ Slack
Remove Shared Links in Data-at-Rest
    The Remove Shared Links in Data-at-Rest action removes shared links to sensitive data in the following cloud applications through the Cloud Detection Service:
    ■ Box
    ■ Dropbox
    ■ Google Drive
    ■ Office 365 OneDrive
    ■ Salesforce
Prevent download, copy, print
    The Prevent download, copy, print action prevents download, copy, and print options for the sensitive data.
    ■ Box
    ■ Dropbox
    ■ Google Drive
    ■ Office 365 SharePoint
    ■ Salesforce
Set Collaborator Access to 'Edit'
    The Set Collaborator Access to 'Edit' action grants collaborators edit access to sensitive data files in the following cloud applications through the Cloud Detection Service:
    ■ Box
    ■ Dropbox
    ■ Google Drive
    ■ Office 365 SharePoint
    ■ Salesforce
Set Collaborator Access to 'Preview'
    The Set Collaborator Access to 'Preview' action grants collaborators preview access to sensitive data files in the Box cloud application through the Cloud Detection Service.
    ■ Box
    ■ Dropbox
    ■ Google Drive
    ■ Office 365 SharePoint
    ■ Salesforce
Set File Access to 'All Read'
    The Set File Access to 'All Read' action grants public read access to sensitive data files in the following cloud applications through the Cloud Detection Service:
    ■ Google Drive
    ■ Office 365 OneDrive
    ■ Office 365 SharePoint
Set File Access to 'Internal Edit'
    The Set File Access to 'Internal Edit' action grants edit access to all members of your organization to sensitive files in the following cloud applications through the Cloud Detection Service:
    ■ Box
    ■ Google Drive
    ■ Office 365 OneDrive
    ■ Office 365 SharePoint
    ■ Salesforce
■ Box
■ Google Drive
■ Office 365 SharePoint
■ Salesforce
Symantec Data Loss Prevention provides two types of policy response rules: Automated and
Smart.
The detection server that reports a policy violation executes Automated Response rules. Users
such as incident remediators execute Smart Response rules on demand from the Enforce
Server administration console.
See “About recommended roles for your organization” on page 111.
Automated Response rules
    When a policy violation occurs, the detection server automatically executes response rule actions.
Smart Response rules
    When a policy violation occurs, an authorized user manually triggers the response rule.
The system executes Automated Response rules when the detection engine reports a policy
violation. However, if you implement a response rule condition, the condition must be met for
the system to execute the response rule. Conditions let you control the automated execution
of response rule actions.
See “About response rule conditions” on page 1752.
For example, the system can automatically block certain policy violating actions, such as the
attempted transfer of high value customer data or sensitive design documents. Or, the system
can escalate an incident to a workflow management system for immediate attention. Or, you
can set a different severity level for an incident involving 1000 customer records than for one
involving only 10 records.
See “Implementing response rules” on page 1758.
Users execute Smart Response rules on demand in response to policy violations from the
Enforce Server administration console Incident Snapshot screen.
See “About response rule actions” on page 1738.
You create Smart Response rules for the situations that require human remediation. For
example, you might create a Smart response rule to dismiss false positive incidents. An incident
remediator can review the incident, identify the match as a false positive, and dismiss it.
See “About configuring Smart Response rules” on page 1764.
Only some response rules are available for manual execution.
Add Note
    Add a field to the incident record that the remediator can annotate at the Incident Snapshot screen.
Log to a Syslog Server
    Log the incident to a syslog server for workflow remediation.
Send Email Notification
    Send an email you compose to recipients you specify.
Network Protect SharePoint Quarantine
    Quarantine sensitive data stored on a Microsoft SharePoint server.
Network Protect SharePoint Release from Quarantine
    Release sensitive files that were quarantined from a Microsoft SharePoint server.
Response rule conditions are optional response rule components. Conditions define how and
when the system triggers response rule actions. Conditions give you multiple ways to prioritize
incoming incidents to focus remediation efforts and take appropriate response.
See “Implementing response rules” on page 1758.
Response rule conditions trigger action based on detection match criteria. For example, you
can configure a condition to trigger action for high severity incidents, certain types of incidents,
or after a specified number of incidents.
See “Configuring response rule conditions” on page 1764.
Conditions are not required. If a response rule does not declare a condition, the response rule
action always executes each time an incident occurs. If a condition is declared, it must be met
for the action to trigger. If more than one condition is declared, all must be met for the system
to take action.
See “Configuring response rules” on page 1763.
Endpoint Location
    Triggers a response action when the endpoint is on or off the corporate network.
Endpoint Device
    Triggers a response action when an event occurs on a configured endpoint device.
Incident Type
    Triggers a response action when the specified type of detection server reports a match.
    See “Configuring the Incident Type response condition” on page 1773.
Incident Match Count
    Triggers a response action when the volume of policy violations exceeds a threshold or range.
    See “Configuring the Incident Match Count response condition” on page 1774.
Protocol or Endpoint Monitoring
    Triggers a response action when an incident is detected on a specified network communications protocol (such as HTTP) or endpoint destination (such as CD/DVD).
Severity
    Triggers a response action when the policy violation is a certain severity level.
A Symantec Data Loss Prevention server executes response rule actions according to a
system-defined prioritized order. You cannot modify the order of execution among response
rules of different types.
In all cases, when a server executes two or more different response rules for the same policy,
the higher priority response action takes precedence.
Consider the following examples:
■ One endpoint response rule lets a user cancel an attempted file copy and another rule
blocks the attempt.
The detection server blocks the file copy.
■ One network response rule action copies a file and another action quarantines it.
The detection server quarantines the file.
■ One network response rule action modifies the content of an email message and another
action blocks the transmission.
The detection server blocks the email transmission.
You cannot change the priority execution order for different response rule action types. But,
you can modify the order of execution for the same type of response rule action with conflicting
instructions.
See “Modifying response rule ordering” on page 1769.
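The two behaviours described above, that every declared condition on a rule must be met before it fires and that conflicting actions from different rules are resolved by the system-defined priority, are easy to get wrong when several rules share a policy. The following is an added example, written for this page and not Symantec product code: a small Python model that evaluates constructed rules against constructed incidents and returns the actions that would execute. The priority list is an abbreviation of the ordered table in this chapter; the conflict groups (Block versus User Cancel versus Notify, Block SMTP versus Modify SMTP, Quarantine versus Encrypt versus Copy), the Incident and Rule fields, and the sample rule set are assumptions made for illustration.

```python
"""Toy model of DLP response-rule evaluation.

Added example, not Symantec code. It models two rules the guide states:
  * declared conditions are ANDed, and a rule with no conditions always fires;
  * when rules on one policy produce conflicting actions, the higher-priority
    action wins (Block over User Cancel, Quarantine over Copy, Block SMTP over
    Modify SMTP Message).
The priority list abbreviates this chapter's ordered table; the conflict
groups, incident fields and sample rules are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Highest priority first (subset of the system-defined order).
ACTION_PRIORITY = [
    "Endpoint Prevent: Block",
    "Endpoint Prevent: Encrypt",
    "Endpoint Prevent: User Cancel",
    "Endpoint Prevent: Notify",
    "Network Prevent: Block SMTP Message",
    "Network Prevent: Modify SMTP Message",
    "Network Protect: Quarantine File",
    "Network Protect: Encrypt File",
    "Network Protect: Copy File",
]

# Actions that cannot all apply to one incident; only the highest-priority
# member of each group executes. Assumed grouping, based on the guide's examples.
CONFLICT_GROUPS = [
    {"Endpoint Prevent: Block", "Endpoint Prevent: User Cancel", "Endpoint Prevent: Notify"},
    {"Network Prevent: Block SMTP Message", "Network Prevent: Modify SMTP Message"},
    {"Network Protect: Quarantine File", "Network Protect: Encrypt File", "Network Protect: Copy File"},
]

SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3}


@dataclass
class Incident:
    severity: str        # "Info", "Low", "Medium", "High"
    match_count: int     # number of matches the detection engine reported
    protocol: str        # e.g. "SMTP", "HTTP", "Removable Storage"
    incident_type: str   # "Endpoint", "Network", "Discover"


@dataclass
class Rule:
    name: str
    actions: List[str]
    min_severity: Optional[str] = None                      # Severity condition
    min_match_count: Optional[int] = None                   # Incident Match Count condition
    protocols: Set[str] = field(default_factory=set)        # Protocol or Endpoint Monitoring
    incident_types: Set[str] = field(default_factory=set)   # Incident Type

    def matches(self, inc: Incident) -> bool:
        """All declared conditions must hold; an undeclared condition is ignored."""
        if self.min_severity and SEVERITY_RANK[inc.severity] < SEVERITY_RANK[self.min_severity]:
            return False
        if self.min_match_count is not None and inc.match_count < self.min_match_count:
            return False
        if self.protocols and inc.protocol not in self.protocols:
            return False
        if self.incident_types and inc.incident_type not in self.incident_types:
            return False
        return True


def _rank(action: str) -> int:
    # Non-protective actions (notes, email, syslog, status) sort after the ordered ones.
    return ACTION_PRIORITY.index(action) if action in ACTION_PRIORITY else len(ACTION_PRIORITY)


def resolve_actions(rules: List[Rule], inc: Incident) -> List[str]:
    """Actions that execute for `inc`, in priority order, after conflict resolution."""
    fired = {a for r in rules if r.matches(inc) for a in r.actions}
    for group in CONFLICT_GROUPS:
        clash = group & fired
        if len(clash) > 1:
            winner = min(clash, key=_rank)
            fired -= clash - {winner}      # drop the lower-priority conflicting actions
    return sorted(fired, key=lambda a: (_rank(a), a))


# Constructed rules, one action each so the precedence outcome is visible.
RULES = [
    Rule("Notify on any endpoint incident", ["Endpoint Prevent: Notify"], incident_types={"Endpoint"}),
    Rule("Let the user cancel at Medium or above", ["Endpoint Prevent: User Cancel"],
         min_severity="Medium", incident_types={"Endpoint"}),
    Rule("Block High to removable media", ["Endpoint Prevent: Block"],
         min_severity="High", protocols={"Removable Storage"}),
    Rule("Always email the DLP team", ["Send Email Notification"]),     # no conditions: always fires
    Rule("Tag outbound email", ["Network Prevent: Modify SMTP Message"], protocols={"SMTP"}),
    Rule("Block bulk email leaks", ["Network Prevent: Block SMTP Message"],
         protocols={"SMTP"}, min_match_count=100),
]

if __name__ == "__main__":
    for inc in (Incident("High", 250, "Removable Storage", "Endpoint"),
                Incident("Medium", 5, "Removable Storage", "Endpoint"),
                Incident("High", 500, "SMTP", "Network")):
        print(inc, "->", resolve_actions(RULES, inc))
```

Running the model shows the behaviour the guide describes: a High-severity copy to removable media matches the Notify, User Cancel and Block rules at once, and only Block survives; the same copy at Medium severity leaves User Cancel, since the Block rule's severity condition is not met; an SMTP incident with 500 matches fires both SMTP rules and Block SMTP wins over Modify. The unconditional email rule fires in every case. When testing a real policy, expect the same collapse: adding a lower-priority protective action to a policy that already has a higher-priority one will not make both happen.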
Endpoint Prevent: Block
    See “Configuring the Endpoint Prevent: Block action” on page 1817.
Endpoint Prevent: Encrypt
    See “Configuring the Endpoint Prevent: Encrypt action” on page 1821.
Endpoint Prevent: User Cancel
    See “Configuring the Endpoint Prevent: User Cancel action” on page 1828.
Endpoint Prevent: Notify
    See “Configuring the Endpoint Prevent: Notify action” on page 1825.
Endpoint Discover: Quarantine File
    See “Configuring the Endpoint Discover: Quarantine File action” on page 1815.
All: Limit Incident Data Retention
    See “Configuring the Limit Incident Data Retention action” on page 1783.
Network Prevent: Block SMTP Message
    See “Configuring the Network Prevent: Block SMTP Message action” on page 1832.
Network Prevent: Modify SMTP Message
    See “Configuring the Network Prevent: Modify SMTP Message action” on page 1833.
Network Prevent for Web: Remove HTTP/HTTPS Content
    See “Configuring the Network Prevent for Web: Remove HTTP/S Content action” on page 1835.
Network Prevent for Web: Block HTTP/HTTPS
    See “Configuring the Network Prevent for Web: Block HTTP/S action” on page 1831.
Network Prevent for Web: Block FTP Request
    See “Configuring the Network Prevent for Web: Block FTP Request action” on page 1831.
Network Protect: Quarantine File
    See “Configuring the Network Protect: Quarantine File action” on page 1837.
Network Protect: Encrypt File
    See “Configuring the Network Protect: Encrypt File action” on page 1838.
Network Protect: Copy File
    See “Configuring the Network Protect: Copy File action” on page 1836.
All: Set Status
    See “Configuring the Set Status action” on page 1790.
All: Set Attribute
    See “Configuring the Set Attribute action” on page 1789.
All: Add Note
    See “Configuring the Add Note action” on page 1782.
All: Log to a Syslog Server
    See “Configuring the Log to a Syslog Server action” on page 1785.
All: Send Email Notification
    See “Configuring the Send Email Notification action” on page 1786.
Cloud Storage: Add Visual Tag
    See “Configuring the Cloud Storage: Add Visual Tag action” on page 1791.
Cloud Storage: Quarantine
    See “Configuring the Cloud Storage: Quarantine action” on page 1791.
Server FlexResponse
    See “Configuring the Server FlexResponse action” on page 1788.
    Server FlexResponse actions that are part of Automated Response rules execute on the Enforce Server, rather than the detection server.
Cloud Applications and API appliance (Data-in-Motion): Block Data-in-Motion
    See “Configuring the Block Data-in-Motion action” on page 1808.
Cloud Applications and API appliance (Data-in-Motion): Redact Data-in-Motion
    See “Configuring the Redact Data-in-Motion action” on page 1812.
Cloud Applications and API appliance (Data-in-Motion): Encrypt Data-in-Motion
    See “Configuring the Encrypt Data-in-Motion action” on page 1810.
Cloud Applications and API appliance (Data-in-Motion): Quarantine Data-in-Motion
    See “Configuring the Quarantine Data-in-Motion action” on page 1811.
Cloud Applications and API appliance (Data-in-Motion): Perform DRM on Data-in-Motion
    See “Configuring the Perform DRM on Data-in-Motion action” on page 1810.
Cloud Applications and API appliance (Data-in-Motion): Custom Action on Data-in-Motion
    See “Configuring the Custom Action on Data-in-Motion action” on page 1809.
Cloud Applications and API appliance (Data-at-Rest): Encrypt Data-at-Rest
    See “Configuring the Encrypt Data-at-Rest action” on page 1799.
Cloud Applications and API appliance (Data-at-Rest): Delete Data-at-Rest
    See “Configuring the Delete Data-at-Rest action” on page 1799.
Cloud Applications and API appliance (Data-at-Rest): Quarantine Data-at-Rest
    See “Configuring the Quarantine Data-at-Rest action” on page 1801.
Cloud Applications and API appliance (Data-at-Rest): Tag Data-at-Rest
    See “Configuring the Tag Data-at-Rest action” on page 1802.
Cloud Applications and API appliance (Data-at-Rest): Perform DRM on Data-at-Rest
    See “Configuring the Perform DRM on Data-at-Rest action” on page 1800.
Cloud Applications and API appliance (Data-at-Rest): Break Links in Data-at-Rest
    See “Configuring the Remove Shared Links in Data-at-Rest action” on page 1802.
Cloud Applications and API appliance (Data-at-Rest): Custom Action on Data-at-Rest
    See “Configuring the Custom Action on Data-at-Rest action” on page 1798.
Cloud Applications and API appliance (Additional Data-at-Rest Actions): Set File Access to 'All Read'
    See “Configuring the Set File Access to 'All Read' action” on page 1806.
Cloud Applications and API appliance (Additional Data-at-Rest Actions): Prevent download, copy, print
    See “Configuring the Prevent download, copy, print action” on page 1803.
Cloud Applications and API appliance (Additional Data-at-Rest Actions): Set File Access to 'Internal Read'
    See “Configuring the Set File Access to 'Internal Read' action” on page 1807.
Cloud Applications and API appliance (Additional Data-at-Rest Actions): Set File Access to 'Internal Edit'
    See “Configuring the Set File Access to 'Internal Edit'” on page 1806.
Cloud Applications and API appliance (Additional Data-at-Rest Actions): Set Collaborator Access to 'Read'
    See “Configuring the Set Collaborator Access to 'Read' action” on page 1805.
Cloud Applications and API appliance (Additional Data-at-Rest Actions): Set Collaborator Access to 'Edit'
    See “Configuring the Set Collaborator Access to 'Edit' action” on page 1804.
Cloud Applications and API appliance (Additional Data-at-Rest Actions): Remove Collaborator Access
    See “Configuring the Remove Collaborator Access action” on page 1804.
Cloud Applications and API appliance (Additional Data-at-Rest Actions): Set Collaborator Access to 'Preview'
    See “Configuring the Set Collaborator Access to 'Preview' action” on page 1805.
Cloud Applications and API appliance (Data-in-Motion): Add two-factor authentication
    See “Configuring the Add two-factor authentication action” on page 1808.
To manage and create response rules, you must be assigned to a role with response rule
authoring privileges. To add a response rule to a policy, you must have policy authoring
privileges.
See “Policy authoring privileges” on page 375.
For business reasons, you may want to grant response rule authoring and policy authoring
privileges to the same role. Or, you may want to keep these roles separate.
See “About recommended roles for your organization” on page 111.
If you log on to the system as a user without response rule authoring privileges, the Manage
> Policies > Response Rules screen is not available.
See “About role-based access control” on page 109.
1  Review the available response rules.
   The Manage > Policies > Response Rules screen displays all configured response rules.
2  Decide the type of response rule to implement: Smart, Automated, or both.
   Decide the type of response rules based on your business requirements.
3  Determine the type of actions you want to implement and any triggering conditions.
   See “About response rule conditions” on page 1752.
   See “About response rule actions” on page 1738.
4  Understand the order of precedence among response rule actions of different and the same types.
   See “About response rule action execution priority” on page 1753.
   See “Modifying response rule ordering” on page 1769.
5  Integrate the Enforce Server with an external system (if required for the response rule).
   Some response rules may require integration with external systems. These may include:
6  Add a new response rule.
   See “Adding a new response rule” on page 1762.
8  Configure one or more response rule conditions (optional).
   See “Configuring response rule conditions” on page 1764.
9  Configure one or more response rule actions (required).
   You must define at least one action for a valid response rule.
   See “Configuring response rule actions” on page 1765.
10 Add response rules to policies.
   You must have policy authoring privileges to add response rules to policies.