Create an Endpoint DLP Data in Motion Policy Rule
Create a data in motion Endpoint DLP policy rule to inspect for and block sensitive data moving between an endpoint and a peripheral device.
  1. Log in to Strata Cloud Manager.
  2. Configure the Enterprise DLP match criteria to define custom sensitive data that you want to inspect for and block.
    1. Create custom data patterns to define your match criteria.
      Alternatively, you can use the predefined data patterns instead of creating custom data patterns.
    2. Create a data profile and add your data patterns.
      Alternatively, you can use the predefined data profiles instead of creating custom data profiles.
  3. Select Manage > Configuration > Data Loss Prevention > Endpoint DLP Policy and Add Policy.
  4. Configure the Basic Information.
    1. For the Policy Type, select Data in Motion.
    2. Enter a descriptive Name for the Endpoint DLP policy rule.
    3. (Optional) Enter a Description to describe the Endpoint DLP policy rule.
    4. Select the Severity of the Enterprise DLP incident when sensitive data is moved between an endpoint and a peripheral device.
    5. Enable Policy is enabled by default and enables the Endpoint DLP policy rule after you save.
      Disable this setting if you don't want to immediately enable the Endpoint DLP policy rule after creation.
    6. Click Next to continue.
  5. Configure the policy rule Classifiers to define the match criteria.
    1. Select the Data Profile that contains the match criteria you want to inspect for and block. You can select a predefined or custom data profile.
    2. Select the File Types you want the Endpoint DLP policy rule to apply to.
      You can select Any File Types (default) to inspect all supported file types moved between an endpoint and the peripheral device.
  6. Configure the Scope to define which users and peripheral devices the policy rule applies to.
    For Enterprise DLP to take the configured Response action, both Users and Peripherals must be matched.
    1. Select the Users the policy rule applies to.
      • Any Users & Groups
        Create a peripheral control policy rule that applies to all users. Additionally, you can Exclude one or more users from the peripheral control policy rule.
      • Select Users & Groups
        Create a peripheral control policy rule that applies to specific users and groups. You can configure the policy rule to apply to either specific users or user groups, or to both.
        Include
        • Select Users—Select one or more specific users to which the rule applies.
        • Select Groups—Select one or more user groups to which the rule applies.
        Exclude—Select one or more users to exclude from the peripheral control policy rule. You must select at least one user group in order to exclude one or more users.
    2. Select the Peripherals you want to inspect and block file movement to if sensitive data is detected.
      You can add USB devices, printers, and network shares in a single data in motion policy rule. The list of included devices for each type of peripheral device is independent of the others and can be configured as needed. For example, you can create a policy rule that includes no USB devices, all printers, and only specific network shares you selected.
      • Any (default)—Policy rule applies to all USB, printer, or network share peripherals added to Enterprise DLP.
      • Select—Policy rule applies only to the selected peripheral devices or peripheral groups.
      • None—Policy rule doesn't apply to any USB, printer, or network share peripherals added to Enterprise DLP.
    3. Click Next to continue.
  7. Configure the Response to define the action Enterprise DLP takes when sensitive data is detected.
    • Action—Action Enterprise DLP takes if a User accesses a Peripheral device defined in the policy rule Scope.
      • Alert—Enterprise DLP generates a DLP incident but allows file movement from the endpoint to the peripheral.
      • Block—Enterprise DLP generates a DLP incident and blocks file movement from the endpoint to the peripheral.
    • Incident Assignee—The administrator the Enterprise DLP incident is assigned to if one is generated against the policy rule.
    • Email Notifications—Add additional administrators to send email notifications when an incident is generated against the policy rule.
    Click Next to continue.
  8. Define the Evaluation Priority for the peripheral control policy rule in your Endpoint DLP policy rulebase.
    You can use the Priority Selection to quickly insert the peripheral control policy rule in the appropriate location in your policy rulebase hierarchy.
    Click Next to continue.
  9. Review the policy rule Summary to verify it's configured correctly and Save.
  10. Push your Endpoint DLP policy rule.
    1. Select Push Policies and then Push Policies.
    2. (Optional) Enter a Description for the Endpoint DLP policy push.
    3. Review the Push Policies scope to understand which Endpoint DLP policy rules and peripheral group configuration changes are included in the push.
    4. Push.
  11. Review your Endpoint DLP Audit and Push Logs.
  12. Review your Enterprise DLP Incidents.
    A DLP incident is generated when a user moves a file from the endpoint to the peripheral device and sensitive data is detected in the file; when the policy rule's Response action is Block, the file move is also blocked.
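As an added example that is not part of this documentation or of Palo Alto Networks' product code, the following Python models the Scope and Response semantics described in steps 6 through 8 (both Users and Peripherals must match, Exclude wins over Include, each peripheral type's Any/Select/None setting is independent, and the first matching rule in Evaluation Priority order decides) and walks constructed file-move events through a two-rule rulebase. The rule names, group names, device ids and the `decide` helper are assumptions made for the illustration.

```python
# Added example, not Palo Alto Networks code: a toy model of how a Data in Motion
# rule's Scope and Response combine, assuming the page's semantics (Users AND
# Peripherals must both match, Exclude wins over Include, each peripheral type's
# Any/Select/None is independent). Rules and events are constructed.
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    action: str                        # "alert" or "block"
    users: str = "any"                 # "any" or "select"
    include_users: set = field(default_factory=set)
    include_groups: set = field(default_factory=set)
    exclude_users: set = field(default_factory=set)
    # per type ("usb"/"printer"/"share"): "any", "none" or a set of device ids
    peripherals: dict = field(default_factory=dict)

def user_matches(rule, user, groups):
    """Exclude is checked first; Select matches by user or by group."""
    if user in rule.exclude_users:
        return False
    return rule.users == "any" or user in rule.include_users or bool(groups & rule.include_groups)

def peripheral_matches(rule, ptype, device):
    sel = rule.peripherals.get(ptype, "none")   # unlisted type behaves as None
    return sel == "any" or (sel != "none" and device in sel)

def evaluate(rules, event):
    """First rule in Evaluation Priority order that matches decides.
    'sensitive' models the Data Profile classifier having matched the file."""
    if not event["sensitive"]:
        return None
    for rule in rules:
        if (user_matches(rule, event["user"], event["groups"])
                and peripheral_matches(rule, event["ptype"], event["device"])):
            return rule.name, rule.action
    return None

# Constructed rulebase: finance (except alice) is blocked from every USB device;
# everyone is alerted on printer prn-1 and on every network share.
RULES = [
    Rule("finance-usb-block", "block", users="select", include_groups={"finance"},
         exclude_users={"alice"}, peripherals={"usb": "any", "printer": "none"}),
    Rule("print-share-alert", "alert",
         peripherals={"usb": "none", "printer": {"prn-1"}, "share": "any"}),
]

def decide(user, groups, ptype, device, sensitive=True):
    return evaluate(RULES, {"user": user, "groups": set(groups), "ptype": ptype,
                            "device": device, "sensitive": sensitive})
```

Note that alice's USB transfer falls through to the second rule, whose USB setting is None, so no incident is raised for her; a file without a data profile match never reaches the rulebase at all.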