Add a SaaS API Rule to the Data Loss Prevention Policy
Configure a SaaS API Rule to set the criteria as to what triggers the scanning. As files in the selected tenant are scanned upon content and/or context (sharing) change, Umbrella assesses the file against this rule’s criteria. In case of a rule violation, the rule's action automatically triggers. You may also trigger a manual response action from the Data Loss Prevention Report.
- Navigate to Policies > Management > Data Loss Prevention Policy. The page displays a list of all Real Time and SaaS API Rules created.
- From the Add Rule drop-down, select SaaS API Rule.
- In the Add New SaaS API Rule page, enter a meaningful Rule Name and Description. Select a Severity value from the drop-down based on the risk involved or importance within the ruleset. (Assigning severity values can help later on when you need to filter events in the Data Loss Prevention report.)
- Select where in scanned files you would like this rule to search for the data classifications that you choose
Content—(Default) Scans only the content of files for the selected data classifications.
File Name—Scans only file names for the selected data classifications.
Content and File Name—Scans content and file names for the selected data classifications. Both content and file name do not need to match for the rule to apply, only one or the other.Note: Choosing Content, File Name, or Content and File Name refers to scanning file uploads for the selected data classifications and configured file labels.
- Select Data Classifications to apply this rule; you can choose a data classification of your own making or a built-in data classification provided by Umbrella. (See Manage Data Classifications and Built-In Data Classifications.) Hover over PREVIEW to view data identifiers associated with each data classification.
- Add up to 10 case-sensitive file label names to apply to this rule. The rule will search for any of the configured file label names in the value of the files' document properties. This includes:
Microsoft Office Document Properties
Microsoft Office Sensitivity Labels
Adobe PDF Document Properties
File uploads to Confluence and Jira are not scanned for file labels.
Microsoft Sensitivity Labels
Umbrella currently supports the detection of Microsoft sensitivity labels in the file properties’ values of the inspected file for Microsoft Word, Excel, PowerPoint, and .pdf files. Ensure you configure the rule with the name of the sensitivity labels, not the Display Names.
- Under Platform, select one platform and tenant for this rule.
- Under Exposure, optionally select the file sharing permissions to consider when processing files to search for data violations:
- Shared Publicly- Accessible to all users with the link to the file.
- Domain-wide Share- Shared with all users in a domain.
- Shared with Internal Users- Shared with users who belong to the authorized domains.
- Shared with External Users- Shared with users who do not belong to the authorized domains.
- Shared with Specific Users- Shared with specific users by their email addresses.
The table below indicates which Exposure settings are available for each platform:
Shared Publicly | Domain-wide share | Shared with internal users | Shared with external users | Shared with specific users | |
---|---|---|---|---|---|
Microsoft Office 365 | ✓ | ✓ | ✓ | ✓ | ✓ |
✓ | ✓ | — | — | ✓ | |
Webex Teams | — | — | ✓ | ✓ | ✓ |
- A DLP rule can be configured with either Data Classifications, File Labels or both. Exposure is an optional criterion.
- When a DLP rule is configured with all 3 criteria, then a DLP event is raised when any of the selected Data Classifications and when any of the configured file labels are detected in the inspected file and when the file’s permissions match any of the selected exposure settings.
- From the Action drop-down list, choose Monitor, Quarantine, Delete or Revoke Access.
- Monitor- Detects and logs a DLP event for every modified file violating this rule’s criteria
- Quarantine- Isolates a file that violates the rule criteria to the quarantine folder and revokes all shares
- Delete- Permanently deletes when a change is detected that violates the rule criteria (This option is available only for Webex Teams, and applies for a violation within a post, as well as a violation within a file attached to a post.)
- Revoke Access- Removes public link, all external or internal users, and any share permission within the entire organization. This action also removes the file owner and transfers the ownership to the selected user.
The table below indicates which Actions settings are available for each platform:
Monitor | Quarantine | Delete | Revoke Access | |
---|---|---|---|---|
Microsoft Office 365 | ✓ | ✓ | — | ✓ |
✓ | ✓ | — | ✓ | |
Webex Teams | ✓ | — | ✓ | — |
If you choose Quarantine:
- The file identified as exposing sensitive data is moved to the Cisco_Quarantine/DLP folder Umbrella created in the root path of the Global Admin who authorized the tenant.
- In lieu of the quarantined file, a text file is left in the original location with the name filename.ppt_Quarantined.txt explaining to the original File Owner that the file is identified as exposing sensitive data and for more information to contact their organization administrator.
- The user who authorizes access to Umbrella will have access to the quarantine folder. All other accesses and collaborators are removed.
- Thus, we recommend that the admin add the relevant DLP Admins as additional collaborators to the folder.
- If you chose Revoke Access:
- If you chose Google Drive for the Platform, choose from the following options:
- Remove public link: Removes any file link that has public exposure.
- Remove share exclusively with internal users: Removes all internal users of files that were shared with few specific internal users.
- Remove share with any external user: Removes all external users. (External users are not part of the organization domain)
- Remove specific shares: Entered email addresses or group email addresses are removed.
- Remove org-wide share link: Removes any share permission with the entire organization.
- Remove owner: Removes the file owner and transfers ownership to a new email address.
- If you chose Microsoft 365 for the platform, choose from the following options:
- Remove public link: Removes any file link that has public exposure.
- Remove org-wide share link: Removes any share permission with the entire organization.
- Click Save. All fields must have options selected to save.
Supported Applications < Add a SaaS API Rule to the Data Loss Prevention Policy > Discovery Scan
Updated 2 months ago