Create and activate the assignment rules. Then, assign the Data Loss Prevention Incident Response (DLP IR) incidents to user groups, end users, managers, or user from incident.

Before you begin

Role required:
  • sn_dlir.admin - Create, edit, and delete.
  • sn_dlir.analyst and sn_dlir.analyst_read - View (read-only).

About this task

You can use assignment rules to assign DLP IR incidents to user groups, end users, or to managers. The assignment of the DLP incidents occur when the conditions in the assignment rule are met.

Procedure

  1. Navigate to All > DLP Administration > Assignment Rules.
  2. Click New.
  3. On the form, fill in the fields.
    Table 1. DLP Assignment Rule form
    FieldDescription
    Name Name for the assignment rule.
    Active Option to indicate whether the assignment rule is active.
    Execution order The assignment rule priority. This field indicates the order in which the assignment rules are executed when two or more rules share the triggering conditions.

    The assignment rule with the lowest number has the highest priority. To set the order of operation, enter a value. For example, 100, 200, 300, and so on.

    The default value is 100.
    Description Unique description for this assignment rule.
    Condition Conditions in the condition builder. These conditions are based on the DLP incident table. To build a condition for the assignment rule, select any of the incident fields.

    Use the lists and fields of the conditions builder to set the filters for the first row.

    To add more conditions, click AND or OR.
    • If AND is selected, all conditions must be matched.
    • If OR is selected, either condition can be matched.

    To set a second filter condition, click New Criteria.

    For example, assume you create a DLP assignment rule for an endpoint. You can specify that the condition scan source is an endpoint file system that must be met before assigning an incident.

    Note: The conditions in the condition builder are case sensitive.
    Assign to Assignment to either one of the following:
    • User group
    • End user
    • Manager
    • User from incident
    The assignment occurs when the conditions in the condition builder are met.
    User group Option to search and select a user group to assign the DLP incidents to. This field appears when User group is selected from the Assign to field.
    Note: You can only view and select groups that have been assigned with the sn_dlir.analyst role.
    End user Option to assign the DLP incident to the end user. The assignment occurs when the conditions in the condition builder are met.
    Assign using Manager fields Manager of the end user. This field appears when Manager is selected from the Assign to field.

    You can assign the DLP incidents to a particular manager by selecting one of the Manager fields, such as Last name, Email, City, Employee number.
    User Identifier The user identifier of the incident. This field appears when User from Incident is selected from the Assign to field. You can select an user identifier from the following:
    • Data owner email
    • Destination
    • File created by
    • File modified by
    • File owner
    • FTP user name
    • Sender
    • Custom user from incident
    Custom attribute Option to specify a custom attribute from the incident that has the reference to a user. This field appears only when the Custom User from Incident is selected from the User Identifier field.
    Attach Assessment Option to indicate whether you want to attach an assessment to the incident.
    Pre assessment response state Option to select which state that the incident should be in before the end user responds. It can also be a custom state.

    The default value is Pending assessment.
    Post assessment response state Option to select which state that the DLP incident should be in after the user responds.

    The default value is Assessment Completed.
    Advanced Advanced option to identify the end user. This field appears only when the Custom User from Incident is selected from the User Identifier field.

    You can use the script editor to customize and format the field values during the assignment rule creation to identify the end user. Then, you pick whom you want to assign the DLP incident to, which could be an End user or the End user's Manager.

    For example, you can use the email address field to identify the end user.
    The following example shows an assignment rule with the name Assign 'Medium' Priority Incident to End User. The condition builder requires the Scan Source to be Assign 'Medium' Priority Incident to End User, and the Assign to field is set to End user. Then, you can look up the 'Email' of the End user.
    Figure 1. DLP Assignment rule
    Create the assignment rules for your Data Loss Prevention Incident Response incidents
  4. Click Submit.
    You also have an option to select one or more assignment rules and reapply it on all existing DLP incidents.
  5. To reapply an assignment rule on all existing DLP incidents, click Reapply.