Configure response option for your DLP incidents

  • Release version: Xanadu
  • Updated August 1, 2024
  • Use this feature to configure the type of response that an end user or analyst should perform.

    Before you begin

    The base system DLP Incident Response application provides the following response options:
    1. Assessment Complete
    2. Deleted Content
    3. Deleted File
    4. Encrypted File
    5. Masked Content
    6. Report false positive
    7. Report wrong owner
    8. Request email release from quarantine
      Note:
      This option is available for the DLP Microsoft Exchange records.
    9. Required for Business Process
    10. Reviewed Entitlements
    Role required:
    • sn_dlir.admin
    • sn_dlir.analyst and sn_dlir.analyst_read

    Procedure

    1. Navigate to All > DLP Administration > Response Options.
      By default, the base system provides two types of response options:
      1. Basic: A manual response option submitted by the user.
      2. Advanced: An automated response option that triggers a Flow Designer subflow when the user submits the response option.
    2. Click New.
    3. On the form, fill in the fields.
      Table 1. Response Option form of Type: Basic
      Field | Description
      Name | Enter the name of the incident response option.
      Type | Option to select the response option type.
      Table 2. Response Option form of Type: Advanced
      Field | Description
      Name | Enter the name of the incident response option.
      Type | Option to select the response option. By default, this field displays the following two types of options:
      • Basic: When you select this option while creating a new response option, you may have to add a response option name and the type.
      • Advanced: When you select this option, the following fields will be available for you to select:
        • Flow: Select the Flow Designer subflow.
        • Requires MID Server: Select this check box if the selected flow uses the MID Server.
      Flow | Select the required Flow Designer flow to activate the MID Application and MID Capability.
      When you are creating a subflow for the response option, add the following subflow inputs:
      1. Name:
        • dlp_incident
        • mid_server_capability
        • mid_server_application
      2. Type:
        • Reference (to DLP incident table)
        • Sys ID for both MID Server application and MID Server Capability
      Requires MID Server | Option to determine the MID Server configuration. Selecting the Requires MID Server check box lets you configure the MID Application and MID Capability in the MID Server Application and MID Server Capability fields.
      Note:
      The response option is visible in the workspace only if, based on the MID Server Application and MID Server Capability configuration, a MID Server is up and running.
      MID Server Application | Select the required MID Server Application from the drop-down list.
      MID Server Capability | Select the required MID Server Capability from the drop-down list.
      Note:
      If no MID Server is available for the selected MID Server Capability, the response option will not be visible. If you want a specific MID Server from the list, configure the MID application and make it visible in the list. At least one configured MID Server from the selected MID applications must then be up and running and must have the selected MID Server Capability.
    4. Click Submit.
      Note:
      If you are creating an Advanced type of response option, then the Approval Rules related list will be populated for you to configure the approval rule for that new response option. For more information, see Create Approval Rules.
      Figure 1. Configure Response Option of Type: Advanced