Skip to main content
Skyhigh Security

Sanctioned DLP Policy Response Actions

An action taken when a policy is triggered is referred to as a response action. By default, each policy creates an incident that appears in Skyhigh CASB. If an event, message, or document triggers more than one policy, an incident is generated for each corresponding policy. Responses to the document reflect more restrictive policies. For more information, see DLP Policy Incident Statuses.

Response Actions can be conditionally executed depending on the severity of the Rule Group that was triggered.

Legend:  accept.png Response action supported   remove.png  Response action not supported 

 

API Actions

Action

Description

      Supported in IaaS and SaaS DLP

Incident

Incidents are generated by default

accept.png 

Quarantine

 

Quarantines the file by placing it in the “Quarantine” folder in an administrator account and leaves a tombstone file. An email might be sent to the user if configured to do so.

               

             accept.png             

                                                                                                               

Delete

Deletes the file and leaves a tombstone file. An email might be sent to the user if configured to do so. 

    accept.png     

                                              

Remove Link

Prevents outside collaborators from accessing the shared link. The linked file or folder is not affected.

 accept.png 

Apply Classification Labels Applies a Classification label to a file in Box, AIP,  AWS, GCP, or SharePoint. 

 accept.png

Block Email Blocks the email from being delivered to the recipient.  Leaves the email in the sender's Sent Messages folder.  An email might be sent to the user if configured to do so.  

accept.png

Encrypt

Deletes the file that triggers the encrypt response and replaces it with an encrypted version. A file can only be decrypted through our cloud-hosted reverse proxy.

accept.png

Set View Only Permissions for Modifies the permission of a share/collaboration event within the service to View Only. This action only takes effect when there are User Action rules defined in the policy.

accept.png

Set Edit Permissions for Modifies the permission of a share/collaboration event within the service to the Editor. This action only takes effect when there are User Action rules defined in the policy.

accept.png

Revoke Sharing for Modifies the permission of a share/collaboration event within the service to None, or Revoke Sharing. This action only takes effect when there are User Action rules defined in the policy.

accept.png

Send Bot Notification Sends an in-app notification, from a bot registered by Skyhigh CASB to the user triggering the DLP rule.

accept.png

User Bot Notification Sends an in-app notification to the user interacting with the bot.

accept.png

Apply DRM Applies DRM (Digital Rights Management) protection to files with sensitive content. accept.png
Add Email Header Adds an extra header to the email before sending it out in inline mode. The user creates a header by inputting a key-value pair (<key>, <value>). These headers are added to the email. If the key specified in the policy is already present in the header, the value specified in the policy is appended to the email header.

 

accept.png

User Email Notification

Sends a predefined email to the user triggering the DLP rule with details regarding the policy violation.

accept.png

Send Email Notification to Sends an email to the specified user regarding the policy violation

accept.png

 

 

Reverse Proxy Actions

Action

Description

Supported in IaaS and SaaS DLP

Incident

Incidents are generated by default.

                                         accept.png
Apply Classifications Applies AIP Classification to a file.                                          accept.png
Apply DRM Applies DRM (Digital Rights Management) encryption to files with sensitive data such as Ionic/Seclore.                                          accept.png
User Email Notification Send an email notification to the specified user regarding the violation.                                          accept.png

Send Email Notification to

Sends an email to a predefined address or distribution list that contains details regarding the anomalous action.

                                         accept.png

Block Transfer

Prevent the transmission of the file from within your network to Box.

                                         accept.png

Encrypt

Encrypts the file inline via the Reverse Proxy.  This requires the Reverse Proxy to decrypt the download file.

                                         accept.png

 

NOTE: Reverse Proxy does not support Data Classifications and only Data Identifiers are supported.

Lightning Link Actions

Action Description   Supported in IaaS and SaaS DLP

Incident

Incidents are generated by default.

                                        accept.png

Block Block the collaboration action on a file or folder.                                         accept.png
Send Email Notification to Send an email to a user or list of users (admins) regarding the anomalous actions.                                         accept.png

Response Action Precedence

The following table describes the precedence order of Response Actions with weightage to resolve conflicts. 

Response Action Precedence
Block 1
Modify Permissions to None 1
Modify Permissions to View Only 2
Modify Permissions to Edit Only 3
Apply DRM 4
Quarantine 4
Delete 5
Remove Shared Link 6
Expire Link 6
Encrypt 7
Add Email Header 7
Email Notification 8
Send to On-Prem DLP 9
Forward to Malware Scan 9
User Email Notification 10
User Bot Notification 11
Send Bot Notification 11
Apply Document Tag 11
Apply Classifications to Tags 11
Apply AIP Classification 11
Apply Box Security Classification 11
Apply Titus Classification 11
Incident  12
Apply Classification 12
Send to SNS Topic 13
Send to SQS Queue 14
Scan Unsecured Resources 15
Remove unrestricted access 16
Enable AES 256 encryption 17
Remove public read access 18
Remove public permissions 19
Remove unrestricted access from the network security group 19
Remove public access from the storage account container 21
Remove unrestricted access from firewall rules 22
Remove public access from cloud storage buckets 23
Enable configuration at the global level 24
Disable configuration at the global level 25
Modify configuration at the global level 26
Modify password configuration for the device 27
Enable encryption for device 28
Enable antivirus and firewall protection for the device 29
Block Device 30
Configure Tenant Admin Settings 31
Save Evidence 32
  • Was this article helpful?