Automatic Incident Remediation Options

Learn about the automatic remediation options available when an incident is discovered by Data Security.
Now that you’ve determined that automatic remediation is the best approach for your organization, use this powerful tool to address security incidents that Data Security discovers. When you add a new data asset policy, select the remediation or action required to automatically address the incident. These capabilities depend on autoremediation support for your cloud app.
| Setting Type | Action | Description |
|---|---|---|
| Autoremediate | None | No action |
| Autoremediate | | If an incident poses an immediate threat to your intellectual property or proprietary data, you can automatically move the compromised asset to a quarantine folder. You can choose one: • User Quarantine—Send the asset to a quarantine folder in the owner’s root directory for the associated cloud app. • Admin Quarantine—Send the asset to a special Admin quarantine folder which only Admin users can access. When an asset is automatically quarantined, you can send the asset owner a Remediation Email Digest that describes the changes that were made (Actions Taken). |
| Autoremediate | | If an incident includes a link that allows the asset to be publicly accessed (public link or direct link), you can automatically remove the links that allow the asset to be publicly accessed. You can remove the direct link on the asset only, or you can also remove links that expose the asset due to inheritance from parent folders. Additionally, you can remove external collaborators from any asset or parent folders. When an administrator automatically changes sharing on an asset, you can send the asset owner a Remediation Email Digest that describes the changes that were made (Actions Taken). |
| Autoremediate | Notify File Owner | Instead of automatically fixing the incident, send file owners a Remediation Email Digest that describes actions that they can take to remediate the policy violation (Recommended Actions). |
| Autoremediate | Apply Classification | Applicable only for Box app. |
| Autoremediate | Notify via Bot | Instead of using the administrator account, use a machine account to send the file or message owner a message that describes the actions they can take to remediate the policy violation (Recommended Actions). |
| Basic Actions | Send admin alert and log as an incident | If there are compliance issues that need immediate action, such as policy rules that are high-risk or sensitive, you can send one or more administrators an alert. Data Security sends up to five emails per hour on matches against each Cloud app instance and logs this as an incident. You can also choose to send an alert to the end-user. |
| Basic Actions | Log as an incident only | For most policy rules, verify that the Actions setting is Create Incident. This option allows you to identify potential risk for new cloud apps that you added. Then, after you uncover specific incidents that are determined to be high-compliance risks on your network, you can modify the rule or add a new rule that triggers one of the autoremediate actions to automatically remediate the policy violation. You can also choose to send an alert to the end-user with a custom policy violation message. |
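
The link-removal option described above distinguishes removing the direct link on the asset from also removing links inherited from parent folders. The following added example (not part of the product or its documentation) models that difference on a constructed folder tree; the Node class, the function names and the sample tree are hypothetical.

```python
from dataclasses import dataclass
from typing import Iterator, List, Optional


@dataclass
class Node:
    """A file or folder in a constructed cloud-drive tree (hypothetical model)."""
    name: str
    parent: Optional["Node"] = None
    public_link: bool = False


def ancestors(node: Node) -> Iterator[Node]:
    """Yield the node's parent folders, nearest first."""
    cur = node.parent
    while cur is not None:
        yield cur
        cur = cur.parent


def exposure(asset: Node) -> List[str]:
    """Names of every node whose public link still exposes the asset."""
    return [n.name for n in [asset, *ancestors(asset)] if n.public_link]


def remove_links(asset: Node, include_inherited: bool = False) -> List[str]:
    """Remove the direct link and, optionally, links on parent folders.

    Returns the exposure that remains after the action.
    """
    asset.public_link = False
    if include_inherited:
        for folder in ancestors(asset):
            folder.public_link = False
    return exposure(asset)


def build_sample() -> Node:
    """Constructed sample: a file with its own link inside a publicly linked folder."""
    root = Node("root")
    shared = Node("Shared", parent=root, public_link=True)
    return Node("plan.docx", parent=shared, public_link=True)


if __name__ == "__main__":
    asset = build_sample()
    print("before:", exposure(asset))
    print("direct link only:", remove_links(asset))
    print("with inherited links:", remove_links(asset, include_inherited=True))
```

In this model, removing only the direct link leaves the asset reachable through the parent folder's link, which is the case the inherited-link option addresses.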