Sanctioned DLP Policy Response Actions
An action taken when a policy is triggered is referred to as a response action. By default, each policy creates an incident that appears in Skyhigh CASB. If an event, message, or document triggers more than one policy, an incident is generated for each corresponding policy. The responses applied to the document reflect the more restrictive policies. For more information, see DLP Policy Incident Statuses.
Response Actions can be conditionally executed depending on the severity of the Rule Group that was triggered.
Legend: Response action supported | Response action not supported
API Actions
Action | Description | Supported in IaaS and SaaS DLP |
---|---|---|
Incident | Incidents are generated by default. | |
Quarantine | Quarantines the file by placing it in the “Quarantine” folder in an administrator account and leaves a tombstone file. An email might be sent to the user if configured to do so. | |
Delete | Deletes the file and leaves a tombstone file. An email might be sent to the user if configured to do so. | |
Remove Link | Prevents outside collaborators from accessing the shared link. The linked file or folder is not affected. | |
Apply Classification Labels | Applies a Classification label to a file in Box, AIP, AWS, GCP, or SharePoint. | |
Block Email | Blocks the email from being delivered to the recipient. Leaves the email in the sender's Sent Messages folder. An email might be sent to the user if configured to do so. | |
Encrypt | Deletes the file that triggers the encrypt response and replaces it with an encrypted version. A file can only be decrypted through our cloud-hosted reverse proxy. | |
Set View Only Permissions for | Modifies the permission of a share/collaboration event within the service to View Only. This action only takes effect when there are User Action rules defined in the policy. | |
Set Edit Permissions for | Modifies the permission of a share/collaboration event within the service to Editor. This action only takes effect when there are User Action rules defined in the policy. | |
Revoke Sharing for | Modifies the permission of a share/collaboration event within the service to None, or Revoke Sharing. This action only takes effect when there are User Action rules defined in the policy. | |
Send Bot Notification | Sends an in-app notification, from a bot registered by Skyhigh CASB, to the user triggering the DLP rule. | |
User Bot Notification | Sends an in-app notification to the user interacting with the bot. | |
Apply DRM | Applies DRM (Digital Rights Management) protection to files with sensitive content. | |
Add Email Header | Adds an extra header to the email before sending it out in inline mode. The user creates a header by inputting a key-value pair (<key>, <value>). These headers are added to the email. If the key specified in the policy is already present in the header, the value specified in the policy is appended to the email header. | |
User Email Notification | Sends a predefined email to the user triggering the DLP rule with details regarding the policy violation. | |
Send Email Notification to | Sends an email to the specified user regarding the policy violation. | |
Reverse Proxy Actions
Action | Description | Supported in IaaS and SaaS DLP |
---|---|---|
Incident | Incidents are generated by default. | |
Apply Classifications | Applies AIP Classification to a file. | |
Apply DRM | Applies DRM (Digital Rights Management) encryption, such as Ionic/Seclore, to files with sensitive data. | |
User Email Notification | Sends an email notification to the specified user regarding the violation. | |
Send Email Notification to | Sends an email to a predefined address or distribution list that contains details regarding the anomalous action. | |
Block Transfer | Prevents the transmission of the file from within your network to Box. | |
Encrypt | Encrypts the file inline via the Reverse Proxy. This requires the Reverse Proxy to decrypt the downloaded file. | |
NOTE: Reverse Proxy does not support Data Classifications; only Data Identifiers are supported.
Lightning Link Actions
Action | Description | Supported in IaaS and SaaS DLP |
---|---|---|
Incident | Incidents are generated by default. | |
Block | Blocks the collaboration action on a file or folder. | |
Send Email Notification to | Sends an email to a user or list of users (admins) regarding the anomalous actions. | |
Response Action Precedence
The following table describes the precedence order of Response Actions, with the weight assigned to each to resolve conflicts.
Response Action | Precedence |
---|---|
Block | 1 |
Modify Permissions to None | 1 |
Modify Permissions to View Only | 2 |
Modify Permissions to Edit Only | 3 |
Apply DRM | 4 |
Quarantine | 4 |
Delete | 5 |
Remove Shared Link | 6 |
Expire Link | 6 |
Encrypt | 7 |
Add Email Header | 7 |
Email Notification | 8 |
Send to On-Prem DLP | 9 |
Forward to Malware Scan | 9 |
User Email Notification | 10 |
User Bot Notification | 11 |
Send Bot Notification | 11 |
Apply Document Tag | 11 |
Apply Classifications to Tags | 11 |
Apply AIP Classification | 11 |
Apply Box Security Classification | 11 |
Apply Titus Classification | 11 |
Incident | 12 |
Apply Classification | 12 |
Send to SNS Topic | 13 |
Send to SQS Queue | 14 |
Scan Unsecured Resources | 15 |
Remove unrestricted access | 16 |
Enable AES 256 encryption | 17 |
Remove public read access | 18 |
Remove public permissions | 19 |
Remove unrestricted access from the network security group | 19 |
Remove public access from the storage account container | 21 |
Remove unrestricted access from firewall rules | 22 |
Remove public access from cloud storage buckets | 23 |
Enable configuration at the global level | 24 |
Disable configuration at the global level | 25 |
Modify configuration at the global level | 26 |
Modify password configuration for the device | 27 |
Enable encryption for device | 28 |
Enable antivirus and firewall protection for the device | 29 |
Block Device | 30 |
Configure Tenant Admin Settings | 31 |
Save Evidence | 32 |