Symantec Data Loss Prevention Administration Guide: Responding to Policy Violations


Symantec Data Loss Prevention Administration Guide

Documentation version: 15.5d

Legal Notice
Copyright © 2019 Symantec Corporation. All rights reserved.

Symantec, CloudSOC, Blue Coat, the Symantec Logo, the Checkmark Logo, the Blue Coat logo, and the
Shield Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S.
and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution
to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open
source or free software licenses. The License Agreement accompanying the Software does not alter any
rights or obligations you may have under those open source or free software licenses. Please see the
Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec
product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution,
and decompilation/reverse engineering. No part of this document may be reproduced in any form by any
means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE
DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY
INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL
DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS
DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO
CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined
in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer
Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and
Commercial Computer Software Documentation," as applicable, and any successor regulations, whether
delivered by Symantec as on premises or hosted services. Any use, modification, reproduction release,
performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government
shall be solely in accordance with the terms of this Agreement.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043

https://www.symantec.com
This chapter includes the following topics:

■ About response rules

■ About response rule actions

■ Response rule actions for all detection servers

■ Response rule actions for endpoint detection

■ Response rule actions for Network Prevent detection

■ Response rule actions for Network Protect detection

■ Response rule actions for Cloud Storage detection

■ Response rule actions for Cloud Applications and API appliance detectors

■ About response rule execution types

■ About Automated Response rules

■ About Smart Response rules

■ About response rule conditions

■ About response rule action execution priority

■ About response rule authoring privileges

■ Implementing response rules

■ Response rule best practices


About response rules

You can implement one or more response rules in a policy to remedy, escalate, resolve, and
dismiss incidents when a violation occurs. For example, if a policy is violated, a response rule
blocks the transmission of a file containing sensitive content.
See “About response rule actions” on page 1738.
You create, modify, and manage response rules separate from the policies that declare them.
This decoupling allows response rules to be updated and reused across policies.
See “Implementing response rules” on page 1758.
The detection server automatically executes response rules. Or, you can configure Smart
Response rules for manual execution by an incident remediator.
See “About response rule execution types” on page 1750.
You can implement conditions to control how and when response rules execute.
See “About response rule conditions” on page 1752.
You can sequence the order of execution for response rules of the same type.
See “About response rule action execution priority” on page 1753.
You must have response rule authoring privileges to create and manage response rules.
See “About response rule authoring privileges” on page 1757.

About response rule actions

Response rule actions are the components that take action when a policy violation occurs.
Response rule actions are mandatory components of response rules. If you create a response
rule, you must define at least one action for the response rule to be valid.
Symantec Data Loss Prevention provides several response rule actions. Many are available
for all types of detection servers. Others are available for specific detection servers.
See “Implementing response rules” on page 1758.
The detection server where a policy is deployed executes a response rule action any time a
policy violation occurs. Or, you can configure a response rule condition to dictate when the
response rule action executes.
See “About response rule conditions” on page 1752.
For example, any time a policy is violated, send an email to the user who violated the policy
and the manager. Or, if a policy violation severity level is medium, present the user with an
on-screen warning. Or, if the severity is high, block a file from being copied to an external
device.
■ All detection servers
  See “Response rule actions for all detection servers” on page 1739.
■ Endpoint detection servers
  See “Response rule actions for endpoint detection” on page 1740.
■ Network Prevent detection servers
  See “Response rule actions for Network Prevent detection” on page 1741.
■ Network Protect detection servers
  See “Response rule actions for Network Protect detection” on page 1742.
■ Cloud storage detection servers and detectors
  See “Response rule actions for Cloud Storage detection” on page 1743.
■ Cloud Detection Service REST detectors and API Detection for Developer Apps Appliances
  See “Response rule actions for Cloud Applications and API appliance detectors” on page 1744.

Response rule actions for all detection servers

Symantec Data Loss Prevention provides several response rule actions for Endpoint Prevent,
Endpoint Discover, Network Prevent for Web, Network Prevent for Email, and Network Protect.

■ Add Note
  Add a field to the incident record that the remediator can annotate at the Incident Snapshot screen.
  See “Configuring the Add Note action” on page 1782.
■ Limit Incident Data Retention
  Discard or retain matched data with the incident record.
  See “Configuring the Limit Incident Data Retention action” on page 1783.
■ Log to a Syslog Server
  Log the incident to a syslog server.
  See “Configuring the Log to a Syslog Server action” on page 1785.
■ Send Email Notification
  Send an email you compose to recipients you specify.
  See “Configuring the Send Email Notification action” on page 1786.
■ Server FlexResponse
  Execute a custom Server FlexResponse action.
  See “Configuring the Server FlexResponse action” on page 1788.
  This response rule action is available only if you deploy one or more custom Server FlexResponse plug-ins to Symantec Data Loss Prevention.
  See “Deploying a Server FlexResponse plug-in” on page 2143.
■ Set Attribute
  Add a custom value to the incident record.
  See “Configuring the Set Attribute action” on page 1789.
■ Set Status
  Change the incident status to the specified value.
  See “Configuring the Set Status action” on page 1790.

See “About response rules” on page 1738.
See “Implementing response rules” on page 1758.

Response rule actions for endpoint detection

Symantec Data Loss Prevention provides several response rule actions for Endpoint Prevent
and Endpoint Discover.

■ Endpoint: FlexResponse
  Take custom action using the FlexResponse API.
  See “Configuring the Endpoint: FlexResponse action” on page 1813.
■ Endpoint: ICT Classification And Tagging
  Apply the appropriate ICT classification to content in policy violation or as a baseline Classification Scan.
  See “Configuring the Endpoint: ICT Classification And Tagging action” on page 1814.
■ Endpoint Discover: Information Centric Defense
  The Endpoint Discover: Information Centric Defense response rule action flags sensitive files for Symantec Endpoint Protection (SEP) monitoring.
■ Endpoint Discover: Quarantine File
  Quarantine a discovered sensitive file.
  See “Configuring the Endpoint Discover: Quarantine File action” on page 1815.
■ Endpoint Prevent: Block
  Block the transfer of data that violates the policy. For example, block the copy of confidential data from an endpoint to a USB flash drive.
  See “Configuring the Endpoint Prevent: Block action” on page 1817.
■ Endpoint Prevent: Notify
  Display an on-screen notification to the endpoint user when confidential data is transferred.
  See “Configuring the Endpoint Prevent: Notify action” on page 1825.
■ Endpoint Prevent: User Cancel
  Allow the user to cancel the transfer of a confidential file. The override is time sensitive.
  See “Configuring the Endpoint Prevent: User Cancel action” on page 1828.

See “About response rules” on page 1738.
See “Implementing response rules” on page 1758.
See “Endpoint Prevent on Mac response rule features” on page 2285.

Response rule actions for Network Prevent detection

Symantec Data Loss Prevention provides several response rule actions for Network Prevent
for Web and Network Prevent for Email.

■ Network Prevent: Block FTP Request
  Block FTP transmissions.
  See “Configuring the Network Prevent for Web: Block FTP Request action” on page 1831.
  Only available with Network Prevent for Web.
■ Network Prevent: Block HTTP/S
  Block Web postings.
  See “Configuring the Network Prevent for Web: Block HTTP/S action” on page 1831.
  Only available with Network Prevent for Web.
■ Network Prevent: Block SMTP Message
  Block email that causes an incident.
  See “Configuring the Network Prevent: Block SMTP Message action” on page 1832.
■ Network Prevent: ICE Encryption
  Encrypt emails and their attachments, or attachments only.
  See “Encrypting cloud email with Symantec Information Centric Encryption” on page 2518.
■ Network Prevent: Modify SMTP Message
  Modify sensitive email messages. For example, change the email subject to include information about the violation.
  See “Configuring the Network Prevent: Modify SMTP Message action” on page 1833.
■ Network Prevent: Remove HTTP/S Content
  Remove confidential content from Web posts.
  See “Configuring the Network Prevent for Web: Remove HTTP/S Content action” on page 1835.
  Only available with Network Prevent for Web.

See “About response rules” on page 1738.
See “Implementing response rules” on page 1758.

Response rule actions for Network Protect detection

Symantec Data Loss Prevention provides several response rule actions for Network Protect
(Discover).

■ Network Protect: Copy File
  Copy sensitive files to a location you specify.
  See “Configuring the Network Protect: Copy File action” on page 1836.
  Only available with Network Protect.
■ Network Protect: Quarantine File
  Quarantine sensitive files.
  See “Configuring the Network Protect: Quarantine File action” on page 1837.
  Only available with Network Protect.
■ Network Protect: Encrypt File
  Encrypt sensitive files using Symantec ICE.
  See “Configuring the Network Protect: Encrypt File action” on page 1838.
  This action is available only if you have installed the Network Protect ICE license and configured the Enforce Server to connect to the Symantec ICE Cloud. For information about how Symantec Data Loss Prevention interacts with Symantec ICE, refer to the Symantec Information Centric Encryption Deployment Guide at http://www.symantec.com/docs/DOC9707.

See “About response rules” on page 1738.
See “Implementing response rules” on page 1758.

Response rule actions for Cloud Storage detection

Symantec Data Loss Prevention provides two response rule actions for Cloud Storage detection,
from either on-premises detection servers or cloud detectors.

■ Cloud Storage: Add Visual Tag
  Add a text tag to Box cloud storage content that violates a policy.
  See “Configuring the Cloud Storage: Add Visual Tag action” on page 1791.
■ Cloud Storage: Quarantine
  Quarantine sensitive files from a cloud storage user account to a quarantine user account. For on-premises Box scanning, you can also use an on-premises quarantine location.
  See “Configuring the Cloud Storage: Quarantine action” on page 1791.

See “About response rules” on page 1738.
See “Implementing response rules” on page 1758.
Response rule actions for Cloud Applications and API appliance detectors

The Symantec Data Loss Prevention Cloud Detection Service enables you to connect Symantec
Data Loss Prevention to your cloud access security broker (CASB) solution. You can use the
public REST API to send sensitive data from your CASB solution to Symantec Data Loss
Prevention for inspection. Symantec Data Loss Prevention responds with policy violation
information and recommendations for remediation action where appropriate.
The API Detection for Developer Apps Appliance enables you to connect with on-premises
applications. You can use the REST API to submit data from your applications to Symantec
Data Loss Prevention for inspection. Symantec Data Loss Prevention responds with policy
violation information and recommendations for remediation action where appropriate.
These Cloud Applications and API appliance response rules let you configure the remediation
recommendation messages that Symantec Data Loss Prevention includes in the detection
responses it sends back to the REST client in the customResponsePayload or message
parameters.

■ Encrypt
  The Encrypt Smart Response action lets you encrypt sensitive files in cloud applications through the Symantec Data Loss Prevention Cloud Detection Service.
  See “Configuring the Encrypt Smart Response action” on page 1783.
■ Remove Collaborator Access
  The Remove Collaborator Access Smart Response action removes collaborator access from shared files in cloud applications through the Cloud Detection Service.
  See “Configuring the Remove Collaborator Access Smart Response action” on page 1797.
■ Remove Shared Links
  The Remove Shared Links Smart Response action removes shared links from files in cloud applications through the Cloud Detection Service.
  See “Configuring the Remove Shared Links Smart Response action” on page 1797.
■ Custom Action on Data-at-Rest
  The Custom Action on Data-at-Rest action returns a recommendation to perform some custom action on the sensitive data with the detection result.
  See “Configuring the Custom Action on Data-at-Rest action” on page 1798.
■ Delete Data-at-Rest
  The Delete Data-at-Rest action deletes sensitive data in the following cloud applications through the Cloud Detection Service: Dropbox, Gmail, Office 365 Email.
  See “Configuring the Delete Data-at-Rest action” on page 1799.
■ Encrypt Data-at-Rest
  The Encrypt Data-at-Rest action encrypts sensitive data in the following applications through the Cloud Detection Service: Office 365 OneDrive, Office 365 SharePoint.
  See “Configuring the Encrypt Data-at-Rest action” on page 1799.
■ Perform DRM on Data-at-Rest
  The Perform DRM on Data-at-Rest action applies Digital Rights Management (DRM) to the sensitive data.
  See “Configuring the Perform DRM on Data-at-Rest action” on page 1800.
■ Quarantine Data-at-Rest
  The Quarantine Data-at-Rest action quarantines sensitive data in the following cloud applications through the Cloud Detection Service: Box, Office 365 OneDrive, Office 365 SharePoint, Salesforce, Slack.
  See “Configuring the Quarantine Data-at-Rest action” on page 1801.
■ Remove Shared Links in Data-at-Rest
  The Remove Shared Links in Data-at-Rest action removes shared links to sensitive data in the following cloud applications through the Cloud Detection Service: Box, Dropbox, Google Drive, Office 365 OneDrive, Salesforce.
  See “Configuring the Remove Shared Links in Data-at-Rest action” on page 1802.
■ Tag Data-at-Rest
  The Tag Data-at-Rest action tags the sensitive data.
  See “Configuring the Tag Data-at-Rest action” on page 1802.
■ Prevent download, copy, print
  The Prevent download, copy, print action prevents download, copy, and print options for the sensitive data.
  See “Configuring the Prevent download, copy, print action” on page 1803.
■ Remove Collaborator Access
  The Remove Collaborator Access action removes access from collaborators to sensitive data files in the following cloud applications through the Cloud Detection Service: Box, Dropbox, Google Drive, Office 365 SharePoint, Salesforce.
  See “Configuring the Remove Collaborator Access action” on page 1804.
■ Set Collaborator Access to 'Edit'
  The Set Collaborator Access to 'Edit' action grants collaborators edit access to sensitive data files in the following cloud applications through the Cloud Detection Service: Box, Dropbox, Google Drive, Office 365 SharePoint, Salesforce.
  See “Configuring the Set Collaborator Access to 'Edit' action” on page 1804.
■ Set Collaborator Access to 'Preview'
  The Set Collaborator Access to 'Preview' action grants collaborators preview access to sensitive data files in the Box cloud application through the Cloud Detection Service.
  See “Configuring the Set Collaborator Access to 'Preview' action” on page 1805.
■ Set Collaborator Access to 'Read'
  The Set File Access to 'Internal Edit' action grants edit access to all members of your organization to sensitive files in the following cloud applications through the Cloud Detection Service: Box, Dropbox, Google Drive, Office 365 SharePoint, Salesforce.
  See “Configuring the Set Collaborator Access to 'Read' action” on page 1805.
■ Set File Access to 'All Read'
  The Set File Access to 'All Read' action grants public read access to sensitive data files in the following cloud applications through the Cloud Detection Service: Google Drive, Office 365 OneDrive, Office 365 SharePoint.
  See “Configuring the Set File Access to 'All Read' action” on page 1806.
■ Set File Access to 'Internal Edit'
  The Set File Access to 'Internal Edit' action grants edit access to all members of your organization to sensitive files in the following cloud applications through the Cloud Detection Service: Box, Google Drive, Office 365 OneDrive, Office 365 SharePoint, Salesforce.
  See “Configuring the Set File Access to 'Internal Edit'” on page 1806.
■ Set File Access to 'Internal Read'
  The Set File Access to 'Internal Read' action grants read access to all members of your organization to sensitive data files in the following cloud applications through the Cloud Detection Service: Box, Google Drive, Office 365 SharePoint, Salesforce.
  See “Configuring the Set File Access to 'Internal Read' action” on page 1807.
■ Add two-factor authentication
  The Add two-factor authentication action adds two-factor authentication to the sensitive data.
  See “Configuring the Add two-factor authentication action” on page 1808.
■ Block Data-in-Motion
  The Block Data-in-Motion action blocks the sensitive data.
  See “Configuring the Block Data-in-Motion action” on page 1808.
■ Custom Action on Data-in-Motion
  The Custom Action on Data-in-Motion action returns a recommendation to take some custom action on the sensitive data with the detection result.
  See “Configuring the Custom Action on Data-in-Motion action” on page 1809.
■ Encrypt Data-in-Motion
  The Encrypt Data-in-Motion action encrypts the sensitive data.
  See “Configuring the Encrypt Data-in-Motion action” on page 1810.
■ Perform DRM on Data-in-Motion
  The Perform DRM on Data-in-Motion action applies Digital Rights Management (DRM) to the sensitive data.
  See “Configuring the Perform DRM on Data-in-Motion action” on page 1810.
■ Quarantine Data-in-Motion
  The Quarantine Data-in-Motion action quarantines the sensitive data.
  See “Configuring the Quarantine Data-in-Motion action” on page 1811.
■ Redact Data-in-Motion
  The Redact Data-in-Motion action redacts the sensitive data.
  See “Configuring the Redact Data-in-Motion action” on page 1812.

About response rule execution types

Symantec Data Loss Prevention provides two types of policy response rules: Automated and
Smart.
The detection server that reports a policy violation executes Automated Response rules. Users
such as incident remediators execute Smart Response rules on demand from the Enforce
Server administration console.
See “About recommended roles for your organization” on page 111.

■ Automated Response rules
  When a policy violation occurs, the detection server automatically executes response rule actions.
  See “About Automated Response rules” on page 1751.
■ Smart Response rules
  When a policy violation occurs, an authorized user manually triggers the response rule.
  See “About Smart Response rules” on page 1751.

See “About response rule actions” on page 1738.
See “Implementing response rules” on page 1758.

About Automated Response rules

The system executes Automated Response rules when the detection engine reports a policy
violation. However, if you implement a response rule condition, the condition must be met for
the system to execute the response rule. Conditions let you control the automated execution
of response rule actions.
See “About response rule conditions” on page 1752.
For example, the system can automatically block certain policy violating actions, such as the
attempted transfer of high value customer data or sensitive design documents. Or, the system
can escalate an incident to a workflow management system for immediate attention. Or, you
can set a different severity level for an incident involving 1000 customer records than for one
involving only 10 records.
See “Implementing response rules” on page 1758.

About Smart Response rules

Users execute Smart Response rules on demand in response to policy violations from the
Enforce Server administration console Incident Snapshot screen.
See “About response rule actions” on page 1738.
You create Smart Response rules for the situations that require human remediation. For
example, you might create a Smart Response rule to dismiss false positive incidents. An incident
remediator can review the incident, identify the match as a false positive, and dismiss it.
See “About configuring Smart Response rules” on page 1764.
Only some response rules are available for manual execution.

■ Add Note
  Add a field to the incident record that the remediator can annotate at the Incident Snapshot screen.
  See “Configuring the Add Note action” on page 1782.
■ Log to a Syslog Server
  Log the incident to a syslog server for workflow remediation.
  See “Configuring the Log to a Syslog Server action” on page 1785.
■ Quarantine
  Quarantine sensitive data in cloud applications.
■ Restore File
  Restore a previously quarantined cloud application file.
■ Send Email Notification
  Send an email you compose to recipients you specify.
  See “Configuring the Send Email Notification action” on page 1786.
■ Server FlexResponse
  Execute a custom Server FlexResponse action.
  See “Configuring the Server FlexResponse action” on page 1788.
  This response rule action is available only if you deploy one or more custom Server FlexResponse plug-ins to Symantec Data Loss Prevention.
  See “Deploying a Server FlexResponse plug-in” on page 2143.
■ Set Status
  Set the incident status to the specified value.
  See “Configuring the Set Status action” on page 1790.
■ Network Protect SharePoint Quarantine
  Quarantine sensitive data stored on a Microsoft SharePoint server.
  See “Configuring the Network Protect: SharePoint Quarantine smart response action” on page 1793.
■ Network Protect SharePoint Release from Quarantine
  Release sensitive files that were quarantined from a Microsoft SharePoint server.
  See “Configuring the Network Protect: SharePoint Release from Quarantine smart response action” on page 1795.

See “Implementing response rules” on page 1758.

About response rule conditions

Response rule conditions are optional response rule components. Conditions define how and
when the system triggers response rule actions. Conditions give you multiple ways to prioritize
incoming incidents to focus remediation efforts and take appropriate response.
See “Implementing response rules” on page 1758.
Response rule conditions trigger action based on detection match criteria. For example, you
can configure a condition to trigger action for high severity incidents, certain types of incidents,
or after a specified number of incidents.
See “Configuring response rule conditions” on page 1764.
Conditions are not required. If a response rule does not declare a condition, the response rule
action always executes each time an incident occurs. If a condition is declared, it must be met
for the action to trigger. If more than one condition is declared, all must be met for the system
to take action.
See “Configuring response rules” on page 1763.

■ Endpoint Location
  Triggers a response action when the endpoint is on or off the corporate network.
  See “Configuring the Endpoint Location response condition” on page 1771.
■ Endpoint Device
  Triggers a response action when an event occurs on a configured endpoint device.
  See “Configuring the Endpoint Device response condition” on page 1772.
■ Incident Type
  Triggers a response action when the specified type of detection server reports a match.
  See “Configuring the Incident Type response condition” on page 1773.
■ Incident Match Count
  Triggers a response action when the volume of policy violations exceeds a threshold or range.
  See “Configuring the Incident Match Count response condition” on page 1774.
■ Protocol or Endpoint Monitoring
  Triggers a response action when an incident is detected on a specified network communications protocol (such as HTTP) or endpoint destination (such as CD/DVD).
  See “Configuring the Protocol or Endpoint Monitoring response condition” on page 1775.
■ Severity
  Triggers a response action when the policy violation is a certain severity level.
  See “Configuring the Severity response condition” on page 1778.

About response rule action execution priority

A Symantec Data Loss Prevention server executes response rule actions according to a
system-defined prioritized order. You cannot modify the order of execution among response
rules of different types.
In all cases, when a server executes two or more different response rules for the same policy,
the higher priority response action takes precedence.
Consider the following examples:
■ One endpoint response rule lets a user cancel an attempted file copy and another rule
blocks the attempt.
The detection server blocks the file copy.
■ One network response rule action copies a file and another action quarantines it.
The detection server quarantines the file.
■ One network response rule action modifies the content of an email message and another
action blocks the transmission.
The detection server blocks the email transmission.
You cannot change the priority execution order for different response rule action types. But,
you can modify the order of execution for the same type of response rule action with conflicting
instructions.
See “Modifying response rule ordering” on page 1769.

Endpoint Prevent: Block See “Configuring the Endpoint Prevent: Block action”
on page 1817.

Endpoint Prevent: Encrypt See “Configuring the Endpoint Prevent: Encrypt action”
on page 1821.

Endpoint Prevent: User Cancel See “Configuring the Endpoint Prevent: User Cancel action”
on page 1828.

Endpoint: FlexResponse See “Configuring the Endpoint: FlexResponse action”


on page 1813.

Endpoint Prevent: Notify See “Configuring the Endpoint Prevent: Notify action”
on page 1825.

Endpoint Discover: Quarantine File See “Configuring the Endpoint Discover: Quarantine File action”
on page 1815.

All: Limit Incident Data Retention See “Configuring the Limit Incident Data Retention action”
on page 1783.

Network Prevent: Block SMTP Message See “Configuring the Network Prevent: Block SMTP Message
action” on page 1832.

Network Prevent: Modify SMTP See “Configuring the Network Prevent: Modify SMTP Message
Message action” on page 1833.

Network Prevent for Web: Remove See “Configuring the Network Prevent for Web: Remove
HTTP/HTTPS Content HTTP/S Content action” on page 1835.
Network Prevent for Web: Block See “Configuring the Network Prevent for Web: Block HTTP/S
HTTP/HTTPS action” on page 1831.

Network Prevent for Web: Block FTP See “Configuring the Network Prevent for Web: Block FTP
Request Request action” on page 1831.

Network Protect: Quarantine File See “Configuring the Network Protect: Quarantine File action”
on page 1837.

Network Protect: Encrypt File See “Configuring the Network Protect: Encrypt File action”
on page 1838.

Network Protect: Copy File See “Configuring the Network Protect: Copy File action”
on page 1836.

All: Set Status See “Configuring the Set Status action” on page 1790.

All: Set Attribute See “Configuring the Set Attribute action” on page 1789.

All: Add Note See “Configuring the Add Note action” on page 1782.

All: Log to a Syslog Server See “Configuring the Log to a Syslog Server action” on page 1785.

All: Send Email Notification See “Configuring the Send Email Notification action”
on page 1786.

Cloud Storage: Add Visual Tag See “Configuring the Cloud Storage: Add Visual Tag action”
on page 1791.

Cloud Storage: Quarantine See “Configuring the Cloud Storage: Quarantine action”
on page 1791.

Server FlexResponse See “Configuring the Server FlexResponse action” on page 1788.
Server FlexResponse actions that are part of Automated
Response rules execute on the Enforce Server, rather than the
detection server.

Cloud Applications and API appliance See “Configuring the Block Data-in-Motion action” on page 1808.
(Data-in-Motion): Block Data-in-Motion

Cloud Applications and API appliance See “Configuring the Redact Data-in-Motion action” on page 1812.
(Data-in-Motion): Redact Data-in-Motion

Cloud Applications and API appliance See “Configuring the Encrypt Data-in-Motion action”
(Data-in-Motion): Encrypt Data-in-Motion on page 1810.
Cloud Applications and API appliance (Data-in-Motion): Quarantine Data-in-Motion
    See “Configuring the Quarantine Data-in-Motion action” on page 1811.

Cloud Applications and API appliance (Data-in-Motion): Perform DRM on Data-in-Motion
    See “Configuring the Perform DRM on Data-in-Motion action” on page 1810.

Cloud Applications and API appliance (Data-in-Motion): Custom Action on Data-in-Motion
    See “Configuring the Custom Action on Data-in-Motion action” on page 1809.

Cloud Applications and API appliance (Data-at-Rest): Encrypt Data-at-Rest
    See “Configuring the Encrypt Data-at-Rest action” on page 1799.

Cloud Applications and API appliance (Data-at-Rest): Delete Data-at-Rest
    See “Configuring the Delete Data-at-Rest action” on page 1799.

Cloud Applications and API appliance (Data-at-Rest): Quarantine Data-at-Rest
    See “Configuring the Quarantine Data-at-Rest action” on page 1801.

Cloud Applications and API appliance (Data-at-Rest): Tag Data-at-Rest
    See “Configuring the Tag Data-at-Rest action” on page 1802.

Cloud Applications and API appliance (Data-at-Rest): Perform DRM on Data-at-Rest
    See “Configuring the Perform DRM on Data-at-Rest action” on page 1800.

Cloud Applications and API appliance (Data-at-Rest): Break Links in Data-at-Rest
    See “Configuring the Remove Shared Links in Data-at-Rest action” on page 1802.

Cloud Applications and API appliance (Data-at-Rest): Custom Action on Data-at-Rest
    See “Configuring the Custom Action on Data-at-Rest action” on page 1798.

Cloud Applications and API appliance (Additional Data-at-Rest Actions): Set File Access to 'All Read'
    See “Configuring the Set File Access to 'All Read' action” on page 1806.

Cloud Applications and API appliance (Additional Data-at-Rest Actions): Prevent download, copy, print
    See “Configuring the Prevent download, copy, print action” on page 1803.

Cloud Applications and API appliance (Additional Data-at-Rest Actions): Set File Access to 'Internal Read'
    See “Configuring the Set File Access to 'Internal Read' action” on page 1807.

Cloud Applications and API appliance (Additional Data-at-Rest Actions): Set File Access to 'Internal Edit'
    See “Configuring the Set File Access to 'Internal Edit'” on page 1806.

Cloud Applications and API appliance (Additional Data-at-Rest Actions): Set Collaborator Access to 'Read'
    See “Configuring the Set Collaborator Access to 'Read' action” on page 1805.

Cloud Applications and API appliance (Additional Data-at-Rest Actions): Set Collaborator Access to 'Edit'
    See “Configuring the Set Collaborator Access to 'Edit' action” on page 1804.

Cloud Applications and API appliance (Additional Data-at-Rest Actions): Remove Collaborator Access
    See “Configuring the Remove Collaborator Access action” on page 1804.

Cloud Applications and API appliance (Additional Data-at-Rest Actions): Set Collaborator Access to 'Preview'
    See “Configuring the Set Collaborator Access to 'Preview' action” on page 1805.

Cloud Applications and API appliance (Data-in-Motion): Add two-factor authentication
    See “Configuring the Add two-factor authentication action” on page 1808.

See “Implementing response rules” on page 1758.

See “Manage response rules” on page 1761.

To manage and create response rules, you must be assigned to a role with response rule
authoring privileges. To add a response rule to a policy, you must have policy authoring
privileges.
See “Policy authoring privileges” on page 375.
For business reasons, you may want to grant response rule authoring and policy authoring
privileges to the same role. Or, you may want to keep these roles separate.
See “About recommended roles for your organization” on page 111.
If you log on to the system as a user without response rule authoring privileges, the Manage
> Policies > Response Rules screen is not available.
See “About role-based access control” on page 109.

You define response rules independent of policies.

See “About response rules” on page 1738.
You must have response rule authoring privileges to create and manage response rules.
See “About response rule authoring privileges” on page 1757.

1 Review the available response rules.
    The Manage > Policies > Response Rules screen displays all configured response rules.
    See “Manage response rules” on page 1761.
    The solution pack for your system provides configured response rules. You can use these
    response rules in your policies as they exist, or you can modify them.
    See “Solution packs” on page 372.

2 Decide the type of response rule to implement: Smart, Automated, both.
    Decide the type of response rules based on your business requirements.
    See “About response rule execution types” on page 1750.

3 Determine the type of actions you want to implement and any triggering conditions.
    See “About response rule conditions” on page 1752.
    See “About response rule actions” on page 1738.

4 Understand the order of precedence among response rule actions of different and the same types.
    See “About response rule action execution priority” on page 1753.
    See “Modifying response rule ordering” on page 1769.

5 Integrate the Enforce Server with an external system (if required for the response rule).
    Some response rules may require integration with external systems. These may include:
    ■ A SIEM system for the Log to a Syslog Server response rule.
    ■ An SMTP email server for the Send Email Notification response rule.
    ■ A Web proxy host for Network Prevent for Web response rules.
    ■ An MTA for Network Prevent for Email response rules.

6 Add a new response rule.
    See “Adding a new response rule” on page 1762.

7 Configure response rules.
    See “Configuring response rules” on page 1763.

8 Configure one or more response rule conditions (optional).
    See “Configuring response rule conditions” on page 1764.

9 Configure one or more response rule actions (required).
    You must define at least one action for a valid response rule.
    See “Configuring response rule actions” on page 1765.
    The action executes when a policy violation is reported or when a response rule condition
    is matched.

10 Add response rules to policies.
    You must have policy authoring privileges to add response rules to policies.
    See “Adding an automated response rule to a policy” on page 442.

When implementing response rules, consider the following:


■ Response rules are not required for policy execution. In general it is best to implement and
fine-tune your policy rules and exceptions before you implement response rules. Once you
achieve the desired policy detection results, you can then implement and refine response
rules.
■ Response rules require at least one rule action; a condition is optional. If you do not
implement a condition, the action always executes when an incident is reported. If you
configure more than one response rule condition, all conditions must match for the response
rule action to trigger.
See “About response rule actions” on page 1738.
■ Response rule conditions are derived from policy rules. Understand the type of rule and
exception conditions that the policy implements when you configure response rule conditions.
The system evaluates the response rule condition based on how the policy rule counts
matches.
See “Policy matching conditions” on page 386.
■ The system displays only the response rule name for policy authors to select when they
add response rules to policies. Be sure to provide a descriptive name that helps policy
authors identify the purpose of the response rule.
See “Configuring policies” on page 413.
■ You cannot combine an Endpoint Prevent: Notify or Endpoint Prevent: Block response rule
action with EDM, IDM, or DGM detection methods. If you do, the system displays a warning
for the policy that it is misconfigured.
See “Manage and add policies” on page 432.
■ If you combine multiple response rules in a single policy, make sure that you understand
the order of precedence among response rules.
See “About response rule action execution priority” on page 1753.
■ Use Smart Response rules only where it is appropriate for human intervention.
See “About configuring Smart Response rules” on page 1764.
■ When sensitive files are encrypted using Symantec Information Centric Encryption, the
original file is replaced with an HTML file of the same name. You must update all existing
links and references so that they point to the new HTML file.
■ Microsoft SharePoint enables users to upload HTML files that are no larger than 256 MB
in size. To ensure that sensitive files in SharePoint can be encrypted successfully, do not
upload files that are 256 MB in size or greater.
See “Configuring the Server FlexResponse action” on page 1788.
■ If you configure multiple Server FlexResponse response rule actions for Microsoft SharePoint
scan targets, the response rule actions could be executed in order of response rule action
priority.
See “About response rule action execution priority” on page 1753.
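The evaluation semantics that steps 8 and 9 and the considerations above describe (at least one action per rule, conditions optional, every configured condition must match before the action fires, actions executed in priority order) are easy to get wrong when several rules are attached to one policy. The following is an added illustration, not Symantec code and not the Enforce Server's implementation: a small model that applies a set of constructed response rules to a constructed incident and returns the actions that would fire, in order. The incident attributes, the rule and action names, and the numeric priorities (lower number first) are assumptions made for this model only.

```python
"""Added model of response rule evaluation (not Symantec DLP code).

Semantics taken from the guide: a rule needs at least one action, conditions
are optional, all conditions on a rule must match (logical AND), and actions
execute in priority order. Priority numbers and incident fields are assumed.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass
class Incident:
    # Constructed incident fields; names are assumptions for this model.
    policy: str
    severity: str
    match_count: int
    protocol: str


@dataclass
class ResponseRule:
    name: str
    # (priority, action name); lower priority value runs first (model assumption).
    actions: List[Tuple[int, str]]
    # Optional predicates over the incident; empty list means "always fires".
    conditions: List[Callable[[Incident], bool]] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Mirrors the guide: a valid response rule must define at least one action.
        if not self.actions:
            raise ValueError(f"response rule {self.name!r} needs at least one action")

    def matches(self, incident: Incident) -> bool:
        # All configured conditions must match; no conditions means the rule always matches.
        return all(cond(incident) for cond in self.conditions)


def plan_actions(rules: List[ResponseRule], incident: Incident) -> List[str]:
    """Return the action names that would execute for this incident, in priority order."""
    triggered: List[Tuple[int, str]] = []
    for rule in rules:
        if rule.matches(incident):
            triggered.extend(rule.actions)
    # Stable sort: equal priorities keep the order in which the rules were listed.
    triggered.sort(key=lambda pa: pa[0])
    return [name for _, name in triggered]


# Constructed sample rules (names and priorities are assumptions).
SAMPLE_RULES = [
    ResponseRule(
        name="Notify incident owner",
        actions=[(50, "Send Email Notification")],
        # No conditions: fires for every incident reported under the policy.
    ),
    ResponseRule(
        name="Block large high-severity email leaks",
        actions=[(10, "Block SMTP Message")],
        conditions=[
            lambda i: i.severity == "High",
            lambda i: i.match_count >= 10,
            lambda i: i.protocol == "SMTP",
        ],
    ),
    ResponseRule(
        name="Forward email incidents to SIEM",
        actions=[(20, "Log to a Syslog Server")],
        conditions=[lambda i: i.protocol == "SMTP"],
    ),
]

# Constructed incidents used to exercise the model.
HIGH_SMTP = Incident("Customer Data", "High", 12, "SMTP")
LOW_HTTP = Incident("Customer Data", "Low", 3, "HTTP")

if __name__ == "__main__":
    print(plan_actions(SAMPLE_RULES, HIGH_SMTP))
    print(plan_actions(SAMPLE_RULES, LOW_HTTP))
```

Running the model on the high-severity SMTP incident fires all three rules and orders the block ahead of the syslog and email actions; the low-severity HTTP incident fires only the unconditional notification, because the other rules each have at least one condition that does not match.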
