Data Loss Prevention

  • 1.  Auto change incident status based on membership of a sender pattern list?

    Posted Sep 07, 2017 05:01 PM

    There is a subset of individuals being monitored that we want to automatically change the incident status to a specific predefined value as soon as their endpoint incidents or network incidents are detected.  How can we do that?




  • 2.  RE: Auto change incident status based on membership of a sender pattern list?

    Posted Sep 08, 2017 10:53 AM

    If you already have a policy that is working well, here is one way you might go about it:

    • Export the policy as a template, then create a new policy based on the template
    • Add an Automated Response rule and give it a name
      • For Conditions, you may have to experiment to see what works best
        • For example, select Incident Type, Is Any Of, Endpoint and Network
      • For Actions, Set Status, Add Action
      • Choose the Status from the drop-down
    • In the new policy created from the template, assign it to the appropriate Policy Group
      • Go to the Groups tab, Add Rule, Sender/User Matches Pattern
        • Give the rule a name and assign the appropriate severity
        • Enter the usernames of users to target
    • Go to the Response tab and select the name of your Response Rule from the drop-down

    Once saved, you should have a policy that is applied to specific users, detects specific things, and sets the desired status when the policy rules are triggered.



  • 3.  RE: Auto change incident status based on membership of a sender pattern list?

    Posted Sep 08, 2017 01:44 PM

    This is great!  Thank You Ethan-M for the clear detailed steps.  

    I would like to have 1 policy that defines certain detection rules that apply to everyone in the organization, and when the policy rules are triggered, everyone (except a subset of users) will have the default status "NEW" and the subset of users have a different status.  How can it be done without creating a new/separate policy?  We currently have a very complex policy with several complex detection rules.




  • 4.  RE: Auto change incident status based on membership of a sender pattern list?

    Posted Sep 08, 2017 06:27 PM

    Going to stay with my original answer as the easiest way towards your requirement. Automated response rules can't be used to target users. The Groups tab is where you get to be specific on sender/user matches pattern or sender/user matches a group. Creating a new policy from the template should keep your rules intact. Response rules don't carry over from templates, but that doesn't matter, you need a new one anyway. When importing, you might see an alert saying you already have a policy with the same name. Give it a new name and you should be good.



  • 5.  RE: Auto change incident status based on membership of a sender pattern list?

    Posted Sep 10, 2017 04:35 PM

    I agree with Ethan!

    However, why don't you exclude the subset of users from the original policy, duplicate it, and add a condition to the new policy to specify only the specific users?

    Thereby your rules would look like:


    Rule 1 - Everyone - Except Subset - No Response Rules

    Rule 2 - Only Subset - No exclusion - Response Rule to Change Status


    Let me know thoughts!



  • 6.  RE: Auto change incident status based on membership of a sender pattern list?

    Posted Sep 11, 2017 12:05 PM

    Hello,


    You can use different Severities to control how response rules are applied.

    - Create a sender/recipient pattern with the users you want to "monitor" and change status; OR list the recipients/senders as detection criteria;

    - In the policy, add the detection method (example: keywords) AND Sender/Recipient pattern with severity "High";

    - For other users, use severity "Medium".


    Create an automated response rule where: if severity = High, then change status to (example) "Critical".

    All other cases retain status "New".

    Test it.


    We have a similar situation for recipients that we consider as Partners.


    Regards,

    Paulo




  • 7.  RE: Auto change incident status based on membership of a sender pattern list?

    Posted Sep 14, 2017 01:01 PM

    Thank You Ethan again for your advice and ShadowLeaf for agreeing with Ethan.  I have tried the solution that both Ethan and ShadowLeaf suggested, and it worked wonderfully! 

    Thanks to Paulo for a different approach.  I will try out your approach and will update everyone on my results. 




  • 8.  RE: Auto change incident status based on membership of a sender pattern list?
    Best Answer

    Posted Sep 22, 2017 04:35 PM

    Paulo's suggestion of using "Severity to control how response rules are applied" worked!  Thanks very much Paulo!




  • 9.  RE: Auto change incident status based on membership of a sender pattern list?

    Posted Oct 02, 2017 10:55 AM

    Great!

    Glad to help :)


    Regards,

    Paulo