The Umbrella User Guide Developer Hub

Welcome to the Umbrella User Guide developer hub. You'll find comprehensive guides and documentation to help you start working with Umbrella User Guide as quickly as possible, as well as support if you get stuck. Let's jump right in!

Get Started    

Add a SaaS API Rule to the Data Loss Prevention Policy

Configure a SaaS API Rule to set the criteria as to what triggers the scanning. As files in the selected tenant are scanned upon content change and context (sharing) change, Umbrella assesses the file against this rule’s criteria. If a match is made, this rule’s action is immediately enforced. If Umbrella detects a violation, the offending file is listed in the Data Loss Prevention Report.

  1. Navigate to Policies > Management > Data Loss Prevention Policy. The page displays a list of all Real Time and SaaS API Rules created.
  2. From the Add Rule drop-down, select SaaS API Rule.
  1. In the Add New SaaS API Rule page, enter a meaningful Rule Name and Description. Select a Severity value from the drop-down based on the risk involved or importance within the ruleset.
  1. Select Data Classifications to add them to this rule. Hover over Preview to view Data Identifiers.

  2. Choose where you would like this rule to search for these data classifications.

    i. Content- Searches only the content of files for the selected data classifications. This is the default option.
    ii. File Name- Searches only file names for the selected data classifications.
    iii. Content and File Name- Searches content and file names for the selected data classifications. Both content and file name do not need to match for the rule to apply, only one or the other.

Note: Choosing Content, File Name, or Content and File Name refers to scanning file uploads for the selected data classifications.

  1. Add up to 10 case-sensitive file label names to apply to this rule. The rule will search for any of the configured file label names in the value of the files' document properties. This includes Microsoft Office Document Properties, Microsoft Office Sensitivity Labels, and Adobe PDF Document Properties. File uploads to Confluence and Jira are not scanned for file labels.

Umbrella currently supports the detection of Microsoft sensitivity labels in the file properties’ values of the inspected file for Microsoft Word, Excel, PowerPoint, and .pdf files. Ensure you configure the rule with the name of the sensitivity labels, not the Display Names.

Umbrella supports Google labels. For more information, refer to Google Workspace Learning Center and search for Add labels to files in Google Drive.

  1. Under Platform, select one platform and tenant to this rule.
  1. Select an option under File Owners to define the scope of the processed files.
    i. Select All File Owners to process the files of all owners.
    ii. Select Specific File Owners to process the files of specified owners. Enter the owners' email addresses.
  1. Optionally select the file sharing permissions to consider when processing files to search for data violations.

    • Shared Publicly- Accessible to all users with the link to the file.
    • Shared with External Users- Shared with users who do not belong to the authorized domains.
    • Domain-wide Share- Shared with all users in a domain.
    • Shared with Internal Users- Shared with users who belong to the authorized domains.
    • Shared with Specific Users- Shared with specific users by their email addresses.

Note:

  1. A DLP rule can be configured with either Data Classifications, File Labels or both. Exposure is an optional criterion.
  2. When a DLP rule is configured with all 3 criteria, then a DLP event is raised when any of the selected Data Classifications and when any of the configured file labels are detected in the inspected file and when the file’s permissions match any of the selected exposure settings.
  1. From the Action drop-down list, choose Monitor, Quarantine, Delete or Revoke Access.
    • Monitor- Detects and logs a DLP event for every modified file violating this rule’s criteria
    • Quarantine- Isolates a file that violates the rule criteria to the quarantine folder
    • Delete- Permanently deletes when a change is detected that violates the rule criteria
    • Revoke Access- Removes public link, all external or internal users, and any share permission within the entire organization. This action also removes the file owner and transfers the ownership to the selected user.

a. Choose from the following options if Google Drive is selected as the Platform.

  • Remove public link: Removes any file link that has public exposure.
  • Remove share exclusively with internal users: Removes all internal users of files that were shared with few specific internal users.
  • Remove share with any external user: Removes all external users. (External users are not part of the organization domain)
  • Remove specific shares: Entered email addresses or group names are removed.
  • Remove org-wide share link: Removes any share permission with the entire organization.
  • Remove owner: Removes the file owner and moves the ownership to a selected user.

b. Choose from the following options if Microsoft 365 is selected as the Platform.

  • Remove public link: Removes any file link that has public exposure.
  • Remove org-wide share link: Removes any share permission with the entire organization.

Note:

  1. The file identified as exposing sensitive data is moved to the Cisco_Quarantine/DLP folder Umbrella created in the root path of the Global Admin who authorised the tenant.
  2. In lieu of the quarantined file, a text file is left in the original location with the name filename.ppt_Cisco_Quarantined.txt explaining to the original File Owner that the file is identified as exposing sensitive data and for more information to contact their organization administrator.
  3. The user who authorises access to Umbrella will have access to the quarantine folder. All other accesses and collaborators are removed.
  4. Thus, it is recommended that the admin adds the relevant DLP Admins as additional collaborators to the folder.
  1. Click Save. All fields must have options selected to save.

Supported Applications < Add a SaaS API Rule to the Data Loss Prevention Policy > Discovery Scan

Updated 2 months ago

Add a SaaS API Rule to the Data Loss Prevention Policy


Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.