Create response due date rules
- UpdatedJul 31, 2025
- 4 minutes to read
- Zurich
- Security Operations
Set up the response due date rules to determine the time you want to give your end users to respond to the assigned Data Loss Prevention Incident Response (DLP IR) incidents.
Before you begin
- sn_dlir.admin - Create, edit, and delete.
- sn_dlir.analyst and sn_dlir.analyst_read - View (read-only).
About this task
- Manager
- Custom User from Incident
- User group
For example, when you escalate the overdue incident to a Manager, and you’ve specified a maximum of three levels of escalation. The first level of Manager gets notified first. If the incident is overdue again, then the second level of Manager gets notified, followed by the third level if the incident is still overdue. If the Manager has a Delegate, then the Manager has the option to assign the escalation or overdue incident to the Delegate.
You’re also provided with the ability to create multiple response due date rules.
Procedure
-
On the form, fill in the fields.
Table 1. Response Due Date Rule form Field Description Name Name of the response due date rule. Active Option to indicate whether the response due date rule is active. Due in (days) Number of due days. Due date counted from Start date that is used to calculate the due date. The due date can be calculated from either the first time that the user was notified about the incident, or from the incident assignment date. Notify before due date Option to notify the end user about the DLP incident before the due date. Notify on (days before due date) Number of days before the due date when the rule triggers a notification to the end user. Description Unique description for this response due date rule. Condition Conditions in the condition builder. These conditions are based on the DLP incident table. To build a condition for the response due date rule, select any of the incident fields. Use the lists and fields of the conditions builder to set the filters for the first row.
To add more conditions, click AND or OR.- If AND is selected, all conditions must be matched.
- If OR is selected, either condition can be matched.
To set a second filter condition, click New Criteria.
Note: The conditions in the condition builder are case sensitive.Escalate Option to escalate the DLP incident to someone if the response due date has been breached. For more information, see Add multiple users to access DLP incidents Escalate overdue incident to Option to specify if the incident should be escalated to a Manager, a Custom user, or a User group. This field appears only when the Escalate option is enabled.
Assign using Specify how a manager should be identified. This field appears only when Manager is selected from the Escalate overdue incident to field.
Maximum Escalation Levels Option to define the maximum number of escalation levels for a Manager, and a Custom user. As a Manager or Custom user, you can define any number of escalation levels. By default, three levels of escalation are provided.
- As a Manager, you can define any number of escalation levels by updating the value in this field.
- As a Custom user, you can use the + icon to define any number of escalation levels.
Custom attribute Option to specify a custom attribute from the incident that has the reference to a user. This field appears only when Custom User from Incident is selected from the Escalate overdue incident to field.
User group Option to search and select a user group to escalate DLP incidents to. This field appears only when User group is selected from the Escalate overdue incident to field.
Note: You can only view and select groups that have been assigned with the sn_dlir.analyst role.The following example shows the response due date rule to determine how much time you want to give your end users to respond to the assigned Data Loss Prevention Incident Response (DLP) incidents. After the end user is first notified, the response due date is in two days. The conditions builder shows that the Scan Source must match the Endpoint File System to proceed with creating the response due date. The escalation option is selected. The incident is escalated to the manager if the response due date is breached.Figure 1. Set up the response due date rules 
Related Content
- DLP default configuration settings
Define the default configuration settings for Data Loss Prevention Incident Response (DLP IR) incidents to identify and set up the incident notification and incident assignment preferences for your end users.
- Create end user lookup rules
You can create and configure end user lookup rules and assign the DLP incidents to the respective end users based on those rules.
- Create assignment rules
Use this section to create assignment rules. Then, assign the Data Loss Prevention Incident Response (DLP IR) incidents to user groups, end users, managers, or user from incident.
- Create incident consolidation rules
Create incident consolidation rule to consolidate multiple incidents of similar nature under one parent incident.
- Create Approval Rules
Create approval rules to take approval from various levels of approver users whenever an advanced type of response option is selected.
- Create user instructions templates
Create and manage user instructions template for DLP incidents to help the users understand the instructions involved incident resolution and the next steps involved in the resolution process.
- Create email templates
Create and manage the preconfigured email templates for sending notifications to your end users, user groups, or managers. With these templates, you can coach and communicate with your end users about the Data Loss Prevention Incident Response (DLP IR) incidents.
- Create a Data Loss Prevention Incident Response SLA trigger
Create a Data Loss Prevention Incident Response SLA trigger condition that enables a prompt and efficient response to an incident when triggered.
- Create a Data Loss Prevention Incident Response SLA definition
Create a Data Loss Prevention Incident Response SLA definition that outlines the conditions and duration for responding to data breaches. Establishing clear expectations and protocols helps ensure a swift response to incidents, minimizing potential damage and enhancing overall data protection strategies.
- Create assessments
Create and manage assessments to enable end users to respond to DLP incidents. You can use the assessments to gather information about the sensitive data exposed or leaked from the DLP incidents.
- Create incident response option rules
Create the incident response option rules that end user or analyst can use while responding to an incident.
- Create age chart configurations
Configure the age chart that appears in the Data Loss Prevention Incident Response (DLP IR) Ops portal. This chart shows the count of open incidents by the number of days.
- Create user delegate configurations
Prevent certain executives in the organization from receiving notifications about the incidents assigned or escalated to them.
- Create repeat offender identification rules
Create repeat offender identification rules to identify users who repeat the same issue multiple times.
- Create Additional Incident Data Fields
Create your Additional Incident Data Fields for the DLP incidents. You can create different types of Additional Incident Data Fields such as string, number, check box, choice, date and time, and use them in the DLP incident forms.
- DLP SLA Definition form
Field descriptions for the DLP SLA Definition form used to create an SLA record.
- Configure advanced settings
Configure the advanced settings so that you can determine the fields on the Incident for identifying the end users, among other capabilities.
- Monitor DLP Integration Run process
Track and monitor the ongoing ingestion or the integration run process. The integration run processes contains the statistics on how much the data was processed and the integration status.
- DLP Incident Access Restrictions
Manage the visibility of a particular DLP incident that contains sensitive information. You can use incident access restrictions to define who can access a particular DLP incident and restrict specific users or groups from accessing that incident.
- DLP Incidents Archival
The Data Loss Prevention Incident Response is provisioned with one archival rule in the base system for the DLP incident table. The related records are also added in the base system to the DLP incident archive rule.