DLP default configuration settings

  • Release version: Xanadu
  • Updated August 1, 2024
  • Define the default configuration settings for Data Loss Prevention Incident Response (DLP IR) incidents to identify and set up the incident notification and incident assignment preferences for your end users.

    Before you begin

    Role required:
    • sn_dlir.admin - Create, edit, and delete.
    • sn_dlir.analyst and sn_dlir.analyst_read - View (read-only).

    About this task

    You can use this module to define the default configuration settings when the core assignment rules and identifier rules are exhausted and unable to match to a condition or user. You can also define and reapply End user lookup rules and Assignment rules to existing Active DLP incidents.

    The end user incident notification enables you to specify the frequency at which email notifications are sent to your end users. For example, you can set up notification preferences to accumulate incidents and to send an email digest once a week. By assigning an incident, you can specify which group you initially assign the DLP incidents to. You can also specify how the end users are further identified by the DLP operations team.

    For example, let's say that a user has stored credit card information in a file on a network. When the third-party DLP integration product creates an incident for a sensitive data policy violation, the incident data that the ServiceNow AI Platform DLP ingests would contain information about the end user. You would then be able to assign the incident to the right end user.

    Procedure

    1. Navigate to All > DLP Administration > Default Configuration.
      Figure 1. Configure DLP policies (Configure DLP Incident Response policies to set up the notifications for end users)
    2. On the form, fill in the fields.
      Table 1. DLP Default Configuration form

      Configuration Name: End User Incident Notification
        Field: Notification Period (days)
        Description: Define the number of days after which an email notification should be sent to the end user. The number of days must be between 1 and 60.

        Field: Automatically update parent state based on cloned/child incidents
        Description: Option to automatically update the state of the parent incident based on the cloned or child incidents.

      Configuration Name: Incident Assignment
        Field: End User Identifier
        Description: Specify the field to be used from Incident data to identify the end user. Possible values are the following:
        • Data owner email
        • Destination
        • File created by
        • File modified by
        • File owner
        • FTP user name
        • Sender

      Configuration Name: Reapply End User Lookup Rules Behavior
        Field: When reapply option is chosen for end user lookup rules
        Description: Option to reapply End user lookup rules to existing Active DLP incidents. You can select one of the following options to reapply:
        • Update the End user value when the field is empty: Updates the existing active DLP incidents' End user value if that field is empty.
        • Update the End user value: Updates the existing active DLP incidents' End user value.
        • Update the End user and Assigned to values when both fields are empty: Updates the existing active DLP incidents' End user and Assigned to values if both fields are empty.
          Note:
          If this option is selected, the Update the Assigned to value when the field is empty option is disabled automatically in the Reapply Assignment Rules Behavior section, because the selection applies to both.
        • Update the End user and Assigned to values for all the active DLP incidents: Updates the End user and Assigned to values for all active DLP incidents.
          Note:
          If this option is selected, the Update the Assigned to value for all the active DLP incidents option is disabled automatically in the Reapply Assignment Rules Behavior section, because the selection applies to both.

      Configuration Name: Reapply Assignment Rules Behavior
        Field: When reapply option is chosen for assignment rules
        Description: Option to reapply assignment rules to existing Active DLP incidents. You can select one of the following options to reapply:
        • Update the Assigned to value when the field is empty.
        • Update the Assigned to value for all the active DLP incidents.
    3. In the related list section, select the Default Assignment Group to which all the DLP incidents are assigned.
      Click Edit to add the user group. On the Edit Members page, select an item from the Collections column, add the selected assignee to the Group column, and save the list.
      Note:
      From the related list, you can view and select only groups that have been assigned the sn_dlir.analyst role. You can select only one group.
    4. Click Save.