In the Response Action configuration you are given the option to drag as many actions as you choose into the workflow. The order the actions appear in the workflow is the order in which they will perform their operation. Each action must be completed before the next action begins.
Some Response Actions can experience a delay, typically notification emails. If an email notification is set to send immediately, then the email is sent within the hour the incident is triggered. However, because daily digests are only sent once a day, a notification that is set to send only with a daily digest may take up to 24 hours to be received. This can delay the actions that follow the notification, as each action must be completed before the next one begins.
For example: An admin has configured the following Response Actions for a policy:
- Send Immediate End User Notification
- Send Admin Notification (daily digest)
- Revoke Sharing
The first Response Action is a notification to the end user, and because it has been configured as immediate, the notification will send within an hour of the incident triggering. The second Response Action is a notification to the admin through the daily digest. This will only send at the scheduled time of the daily digest. Depending on when the incident triggered, this notification could take up to 24 hours to send, which affects the third action: revoke sharing. The issue here is that if the file that violated the policy exposes sensitive data, the file stays exposed while the workflow waits for the second notification to process, and sharing is only revoked after that. In this case, if the admin prefers to receive only a daily digest of incident notifications, then actions that may take higher priority, such as revoking sharing, should come earlier in the workflow so that they are not delayed.
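The ordering effect described above can be checked with a small model. This is an added example, not the product's own code or API: the action kinds, the 09:00 digest time, the incident timestamp, and the assumption that a remediation action completes as soon as it starts are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Worst-case delays from the text above; kind/label names are made up for this example.
IMMEDIATE_EMAIL_MAX = timedelta(hours=1)  # immediate email: sent within the hour

def next_digest(now, digest_hour):
    """First daily-digest send time at or after `now`."""
    run = now.replace(hour=digest_hour, minute=0, second=0, microsecond=0)
    return run if run >= now else run + timedelta(days=1)

def run_workflow(actions, triggered, digest_hour):
    """Worst-case completion time of each action in a strictly sequential workflow."""
    clock, timeline = triggered, []
    for kind, label in actions:
        if kind == "immediate_email":
            clock += IMMEDIATE_EMAIL_MAX
        elif kind == "digest_email":
            clock = next_digest(clock, digest_hour)
        elif kind != "remediation":  # remediation assumed to finish as soon as it starts
            raise ValueError(f"unknown action kind: {kind}")
        timeline.append((label, clock))
    return timeline

def exposure_window(actions, triggered, digest_hour):
    """Time from incident trigger until the first remediation action completes."""
    timeline = run_workflow(actions, triggered, digest_hour)
    for (kind, _), (_, done) in zip(actions, timeline):
        if kind == "remediation":
            return done - triggered
    return None  # workflow contains no remediation action

def delayed_remediations(actions):
    """Labels of remediation actions queued behind a daily-digest notification."""
    seen_digest, flagged = False, []
    for kind, label in actions:
        seen_digest = seen_digest or kind == "digest_email"
        if kind == "remediation" and seen_digest:
            flagged.append(label)
    return flagged

# Constructed scenario: incident at 09:30, digest assumed to go out at 09:00 daily.
TRIGGERED, DIGEST_HOUR = datetime(2024, 1, 1, 9, 30), 9
AS_CONFIGURED = [("immediate_email", "Send Immediate End User Notification"),
                 ("digest_email", "Send Admin Notification (daily digest)"),
                 ("remediation", "Revoke Sharing")]
REORDERED = [AS_CONFIGURED[2], AS_CONFIGURED[0], AS_CONFIGURED[1]]

if __name__ == "__main__":
    for name, wf in (("as configured", AS_CONFIGURED), ("reordered", REORDERED)):
        print(name, exposure_window(wf, TRIGGERED, DIGEST_HOUR), delayed_remediations(wf))
```

With the incident landing just after the digest run, the configured order leaves the file shared for almost a full day, while moving Revoke Sharing to the front removes the wait without changing which notifications are sent.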
Are files that violated a policy still scanned during the Response Action workflow?
Once the Response Action workflow has begun, the file or folder that triggered the incident will not be rescanned, even if modifications are made, until the workflow is complete. The workflow can be terminated, however, if the incident status is changed to Dismissed or Resolved.
Updated 2 years ago