Create incident response option rules

  • Release version: Xanadu
  • Updated August 1, 2024
  • 3 minutes to read
  • Create the incident response option rules that an end user or analyst can use while responding to an incident.

    Before you begin

    Role required:
    • sn_dlir.admin - Create, edit, and delete.
    • sn_dlir.analyst and sn_dlir.analyst_read - View (read-only).

    About this task

    You can configure the type of response that an end user should perform based on the type of DLP incident. The base system DLP Incident Response application provides the following response options for users:
    • Assessment Complete
    • Deleted Content
    • Deleted File
    • Encrypted File
    • Masked Content
    • Report false positive
    • Report wrong owner
    • Required for Business Process
    • Reviewed Entitlements

    For example, suppose an end user reports a DLP incident as a false positive. If the target state that you configured for the Report false positive option is Closed, the incident is automatically moved to the Closed state.

    Procedure

    1. Navigate to All > DLP Administration > Incident Response Option Rules.
    2. Click New.
    3. On the form, fill in the fields.
      Table 1. Incident Response Option Rules form
      Field Description
      Name Name of the incident response option.
      Active Option to indicate whether the incident response option is active.
      Execution order Priority of the incident response option rule. When two or more rules match the same incident, this value determines the order in which they are evaluated.

      The rule with the lowest number has the highest priority.

      To set the order, enter a numeric value such as 100 or 200. Leaving gaps between values makes it easier to insert rules later without renumbering.

      The default is 100.

      Description Unique description for this incident response option.
      Default target state The target state that you configured to apply by default to incidents handled by this rule.
      Condition Conditions in the condition builder. These conditions are evaluated against fields of the DLP incident table. To build the condition that selects which incidents this rule applies to, select any of the incident fields.

      Use the lists and fields of the condition builder to set the filter for the first row.

      To add more conditions, click AND or OR:
      • If AND is selected, all conditions must be matched.
      • If OR is selected, matching any one condition is sufficient.

      To set a second filter condition, click New Criteria.

      Note:
      The conditions in the condition builder are case sensitive. For example, a condition that requires the value Endpoint does not match endpoint.
      The following example shows the configuration of an end-user action for an endpoint. The condition requires the scan source to be an endpoint file system; incidents from that source trigger this rule. The mapping shows that Report wrong owner, Report false positive, and Deleted File are the response options available to the end user.
      Figure 1. Incident Response Option Rule
      List of the incident response options that the end user can perform.
    4. In the Response Option Mappings section, click New.
    5. On the form, fill in the fields.
      Table 2. Response Option Mapping form
      Response Option Rule Name of the incident response option rule. For example, a rule named SharePoint implies that its condition requires the scan source to be SharePoint. You can either enter the name of the rule or look it up using search.
      Response Option The response option to map. You can either enter the response option or look it up using search.
      Target State The target state of the DLP incident after the end user selects the appropriate action.
      Note:
      1. The Target State field appears only when the selected Response Option is of type Basic. For more information on how the target state types are configured, see Configure response option for your DLP incidents.
      2. When the selected Response Option is of type Advanced, the Target State field is hidden and cannot be set. The target state is assigned from the custom state that is configured in the Flow Designer subflow.
      Show response options for Option to determine which user roles the response options are shown to.

      Use the unlock option to choose from Analyst, End user, and Escalated Analyst Reviewer. You can choose one role or all of them.

      Figure 2. Response Option Mapping Action
      Response Option mapping page within Incident Response Option Rules
    6. Click Submit.
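The following is an added example, not ServiceNow code, that models the behaviour described in this procedure in plain JavaScript: a rule is selected for an incident by evaluating its AND/OR condition case-sensitively, the lowest execution order wins when several rules match, only the mapped roles see an option, and a Basic option sets the mapping's Target State while an Advanced option takes its state from a subflow (modelled as a callback). The incident field names (scan_source, severity), the state names, and the use of Default target state as a fallback for a Basic mapping with a blank Target State are assumptions of this model, not the sn_dlir schema.

```javascript
// Added example, not ServiceNow code. Field names, state names and the
// default-target-state fallback are assumptions of this model.

// One criterion of the condition builder. Comparisons are case sensitive,
// matching the note on the form.
function matchesCriterion(incident, criterion) {
  const value = incident[criterion.field];
  switch (criterion.op) {
    case "is":       return value === criterion.value;
    case "is not":   return value !== criterion.value;
    case "contains": return typeof value === "string" && value.includes(criterion.value);
    default: throw new Error("unsupported operator: " + criterion.op);
  }
}

// A rule condition is modelled as OR-groups of AND-criteria:
// [[a, b], [c]] means (a AND b) OR c.
function ruleMatches(incident, rule) {
  return rule.condition.some(group => group.every(c => matchesCriterion(incident, c)));
}

// Among active rules whose condition matches, the lowest execution order wins.
function selectRule(incident, rules) {
  const matching = rules
    .filter(rule => rule.active && ruleMatches(incident, rule))
    .sort((a, b) => a.executionOrder - b.executionOrder);
  return matching.length > 0 ? matching[0] : null;
}

// Response options a user with the given role is allowed to see under a rule.
function optionsFor(rule, role) {
  return rule.mappings.filter(m => m.showFor.includes(role)).map(m => m.responseOption);
}

// Apply a chosen option. Basic mappings carry their target state (falling back
// to the rule's default target state when blank: an assumption of this model);
// Advanced mappings take the state from a Flow Designer subflow, modelled here
// as a caller-supplied function. The incident object is not mutated.
function applyOption(incident, rule, optionName, role, subflow) {
  const mapping = rule.mappings.find(
    m => m.responseOption === optionName && m.showFor.includes(role));
  if (!mapping) {
    throw new Error(`"${optionName}" is not available to ${role} under rule "${rule.name}"`);
  }
  let state;
  if (mapping.type === "Basic") {
    state = mapping.targetState !== undefined ? mapping.targetState : rule.defaultTargetState;
  } else if (mapping.type === "Advanced") {
    state = subflow(incident, mapping);
  } else {
    throw new Error("unknown response option type: " + mapping.type);
  }
  return Object.assign({}, incident, { state: state, responseOption: optionName, rule: rule.name });
}

// Constructed sample rules, mirroring the endpoint example on the page.
const RULES = [
  { name: "Endpoint", active: true, executionOrder: 100, defaultTargetState: "Closed",
    condition: [[{ field: "scan_source", op: "is", value: "Endpoint File System" }]],
    mappings: [
      { responseOption: "Report false positive", type: "Basic", targetState: "Closed",
        showFor: ["End user", "Analyst"] },
      { responseOption: "Report wrong owner", type: "Basic", targetState: "Reassigned",
        showFor: ["End user"] },
      { responseOption: "Deleted File", type: "Basic", showFor: ["End user"] } ] },
  // Lower execution order, so it takes priority when both endpoint rules match.
  { name: "Endpoint - high severity", active: true, executionOrder: 50, defaultTargetState: "Closed",
    condition: [[{ field: "scan_source", op: "is", value: "Endpoint File System" },
                 { field: "severity", op: "is", value: "High" }]],
    mappings: [
      { responseOption: "Assessment Complete", type: "Advanced",
        showFor: ["Analyst", "Escalated Analyst Reviewer"] },
      { responseOption: "Required for Business Process", type: "Basic",
        targetState: "Closed - Accepted Risk", showFor: ["Analyst"] } ] },
  // Inactive rules are never selected, however broad their condition.
  { name: "Catch-all", active: false, executionOrder: 1000, defaultTargetState: "Closed",
    condition: [[{ field: "scan_source", op: "contains", value: "" }]],
    mappings: [{ responseOption: "Assessment Complete", type: "Basic", targetState: "Closed",
                 showFor: ["Analyst"] }] },
];

// Constructed incidents. The third differs only in letter case and matches no active rule.
const INCIDENTS = {
  low:       { number: "DLP0001001", scan_source: "Endpoint File System", severity: "Low" },
  high:      { number: "DLP0001002", scan_source: "Endpoint File System", severity: "High" },
  lowercase: { number: "DLP0001003", scan_source: "endpoint file system", severity: "High" },
};

// End to end: select the rule for an incident and apply the user's chosen option.
function resolve(incident, role, optionName, subflow) {
  const rule = selectRule(incident, RULES);
  return rule === null ? null : applyOption(incident, rule, optionName, role, subflow);
}

console.log(resolve(INCIDENTS.low, "End user", "Report false positive"));
console.log(optionsFor(selectRule(INCIDENTS.high, RULES), "Analyst"));
```

Running the block shows the false-positive walkthrough from this page: the Low-severity endpoint incident is matched by the Endpoint rule and, because the mapping's Target State is Closed, the returned record is in the Closed state. The High-severity incident is matched by the rule with execution order 50 instead, and the incident whose scan source differs only in letter case matches nothing, which is the practical consequence of the condition builder being case sensitive.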