Response Actions

Response Actions are reactive operations that take place when a policy triggers an incident. They let admins decide how violations are handled. By default, no Response Actions are configured for any policy. Some Response Actions can be used with any platform, and several others are available depending on the platform(s) selected in the policy configuration.

Response Actions by Platform

Global

  • Delay Next Response Action- Inserts a delay between two response actions configurable by days, hours and minutes. More than one delay can be used in a response action flow.
  • Incident Status Update- Changes the Cloudlock incident status to In Progress, Dismissed, or Resolved. *

Where should I put Incident Status Update in my response action flow?

Incident Status Update should only be used as the last in a series of response actions. When the status is changed to Dismissed or Resolved, no further actions are taken, so the workflow ends.

  • Notify Admin by Email- Sends an email to the administrator(s) specified in the response action settings. The notification can be sent to multiple email addresses and can be sent immediately after the incident occurs (within the hour) or in the daily digest of incidents.
  • Notify End User by Email- Sends an email to the end user who triggered the incident. The notification can also be sent to specific email addresses listed. A template of the notification can be customized with a company logo or header and a specific message regarding the incident. The footer also gives the option to allow the end user to reply to an email address regarding the incident.

Box

  • Quarantine Users files- Moves the file to a Quarantine folder only accessible to the Box admins.
    • The Box admin can add other users to the Quarantine folder access list.
    • The Quarantine folder is accessible by the admins in the Content Manager section of the Box Admin Console.
    • The Box admin can approve the file to make it available, or reject the file, which deletes it.
  • Revoke File Share- Expires the URL of the file shared.

Notifying End Users of Quarantined Files

No notification is automatically sent out when a user file is quarantined. It is recommended that this response action be paired with a Notify End User by Email response action (when appropriate) to inform the end user of the violation and quarantine.

Dropbox

  • Quarantine Users files- Moves the file to a Quarantine folder only accessible to the Dropbox admins.
  • Revoke File Share- Revokes access to all users (except the owner) and expires any file share URL.

Google Drive

  • Copy File- Copies the file that violated the policy to a specified owner and folder.
  • Disable download, print and copy- Disables the ability for commenters and viewers to download, print and copy a file.
  • Revoke Sharing- Revokes access to the file.
  • Transfer Ownership- Allows the admin to transfer ownership of the file to a specified owner and folder.

Google Sites

  • Revoke Sharing- Revokes sharing to the site.

Office365

  • Remove Collaborators- Removes all users as collaborators on the file.
  • Revoke File Share- Expires the public share URL.

Okta

  • Add User to Group- Adds the user who violated the policy to a specified Okta group.

Salesforce

  • Transaction Security- Blocks the export for 24 hours, including accounts, contacts, cases, leads and opportunities.
  • Flag For Community Moderator- Flags Chatter or files for the Salesforce community moderator.
  • Selective Encryption- Encrypts fields on objects.

Salesforce Response Actions

Please Note:

  • Flag for Community Moderator and Selective Encryption can only be used in a policy where Salesforce is the only platform selected for monitoring.
  • These two response actions cannot be used together, but each can be used with Transaction Security.

ServiceNow

  • Assign to Group- Assigns the incident to a designated ServiceNow Group for review.

  • Assign to User- Assigns the incident to a specified ServiceNow user for review.

  • Quarantine and Selective Encryption- Quarantines Journal Entries, Table Fields or Files with the option to encrypt the asset. The original content is replaced with a customized message and reason for the quarantine. Table Fields and File quarantines also have the option to add a work note.

Slack (Enterprise)

  • Direct Message Admin- Sends a customizable message in Slack to the specified admin regarding the incident.
  • Direct Message User- Sends a message in Slack to the user who triggers the policy. The message is customizable.
  • Quarantine Content- Replaces the message that caused the violation with a message created in the Response Actions settings.

Webex Teams

  • Delete Message and/or File- Deletes a message or attachment with sensitive information (according to the policy's configuration).

  • Notify Admin via Message- Sends a Webex Teams customizable message to specified users when an incident is triggered.

  • Notify User via Message- Sends a customizable message to the user that triggered the incident via Webex Teams.