Actions Tab

The Actions tab of the Workflow Wizard allows you to select the classification level to apply to results that match the selected rule.

Field Description
Classify results as

This is a drop-down list which contains each of the classifications which have been created. Select the classification which applies to the results matching this rule. When results have been assigned a classification, the classification displays in the Classification column of the Results Grid. If you do not want to assign a classification to a result, select "None (Assignment Only)."
Classification method

This is a drop-down list of the classification methods available for the results matching this rule. This option only displays if the Classify results as setting has been enabled.

  • Merge the classification specified on the rule with the existing classifications - Selecting this option merges this classification with the existing classifications.
  • Remove all classifications and then add the classification specified on the rule - Selecting this option removes all classifications and then adds the classification specified on the rule.
  • Remove the classification specified on the rule - Selecting this option removes all classifications specified on the rule.
Execute classification rules

Select whether you want the rule to run directly on the endpoint itself or on the Console.

  • Directly on the endpoint: Select this option to have the classification rule run on the endpoint. Results matching this rule are classified on the endpoint prior to being imported into the Console.
  • When search results are imported into the Console: Select this option to automatically classify results matching this rule when they are imported into the Console.

Note: If manual classification is applied to the results from the Results page in the Console, use the Synchronize Classifications service task feature to synchronize classifications between the database and the files located on the agent.

Perform the following MIP label action

This option is only available if you are licensed for MIP.

Note: When applying a label with RMS encryption to certain files, the file extension is renamed to a .p<extension> following Microsoft’s naming convention specified in the Admin Guide: File types supported by the Azure Information Protection Agent.

Execute script on the Console server

Select the script to run.
Perform the following remediation action

Optionally select a remediation action to perform on the results that match this rule.

  • Quarantine - Selecting this option quarantines the results matching this rule when the Spirion application is closed. The Quarantine settings that are currently in place are used and may be configured in a system policy under Settings\Actions\Quarantine.
  • Shred - Selecting this option shreds the results matching this rule when the Spirion application is closed. The Shred settings that are currently in place are used and may be configured in a system policy under Settings\Actions\Shred.
  • Redact - Selecting this option scrubs the results matching this rule when the Spirion application is closed. The Redact settings that are currently in place are used and may be configured in a system policy under Settings\Actions\Scrub.
  • Execute Script - Selecting this option executes a script if there are results that match this rule. The script is one that you create and it is not restricted to performing an action on the results. The script can be used to perform arbitrary actions (such as copying files or alerting some other system). The script is executed when the Spirion application is closed. Use the "..." button to select a script. The script can have any name with any extension but the contents should follow batch file syntax. On Windows Agents the file is executed by cmd.exe. On OS X and Linux systems the file is executed by /bin/bash. The uploaded script is distributed to a temporary location on each endpoint listed in the workflow rule and is removed when the Spirion application is closed. If you later change the script file on disk, it won’t change the file that is part of the workflow rule; the script needs to be re-added to the workflow rule. If the uploaded script has a .ps1 or a .ps2 extension, "PowerShell Script" is selected from the script type drop-down. For all other extensions, "Batch File" is selected. You can manually change the script type from the drop-down, but a script type is required in order to save the rule.
    • Run as Local System Account (only applicable if the search is run as Local System): Specify that the script should run as system or root.
    • Run as Locally Logged on user: Specify that the script should run with the credentials of the user that is logged in at the endpoint system. If no user is logged in at the time, then the script does not execute.

    A script may contain variables. Variables are replaced with text when the script is executed. The format of a variable for endpoints running Windows OS is %VariableName% (e.g. %AnyFindTotalCount%). Variables are case sensitive and no spaces are allowed between the percent characters. If you enter a variable incorrectly it does not return a function. The format of a variable for endpoints running a Mac or Linux OS is $VariableName (e.g. $AnyFindTotalCount). If a variable results in an empty string (no values) when the script is executed, the variable is replaced in text with ' ' (a set of empty quotes). The following is the full list of variables in Windows format:

    • %AnyfindCount%: This expands to "<count> <identity type name>(s)", e.g. "18 Password(s)", "39 Social Security Number(s)" for the current location.
    • %AnyFindTotalCount%: This expands to "<count> <data type name>(s)", e.g. "10 Password(s)", "34 Social Security Number(s)", etc.
    • %DataTypes%: This returns a comma-separated list of all data types found for the current location. e.g. "Bank Account Number, Dictionary, Telephone Number."
    • %EndPointName%: This returns the display name of the endpoint on which the result was found.
    • %Location%: This returns the full path or other location in which the match was found. This variable displays enough information to be able to get back to the source of the result from the machine on which it was found. For example, the file path is relative to the Agent that ran the search, an email location contains message folder names, time stamps, and subjects, a database location includes table and column information, and a website location includes the full URL.
    • %LocationType%: This returns the type(s) of location that was found, e.g. "Text Document, XLSX File."
    • %Matches%: This returns a numerical value representing the number of matches for the current location. e.g. if there were 15 SSN and 25 CCN found in the current location, the value returned would be 40.
    • %SearchUserName%: This returns the name of the user who performed the search on the endpoint, e.g. "Administrator".
    • %TaskId%: This returns the task id under which the search was run. The %TaskId% uniquely identifies a specific task stored in the database. A TaskId can be viewed in a report using the Searches-Task Identifier column.
    • %TotalDataTypes%: This returns a numerical value representing the total number of data types found in the search. e.g. if SSN's and CCN's were found during the search, the value returned would be 2.
    • %TotalMatches%: This returns a numerical value representing the total number of matches found during the search. e.g. if there were 200 SSN and 125 CCN found during the search, the value returned would be 325.
    • %TotalUniqueMatches%: This returns a numerical value representing the total number of unique matches found in the search.
    • %Owner%: This returns the file system owner for locations that are files. For data from Windows Agents, the NTFS owner of the file. For data from Mac Agents, the file system owner of the file.
    • %UniqueMatches%: This returns a numerical value representing the number of unique matches for the current location.

    Note: The environment that the script is run under may not allow certain executables to run nor have valid path statements to common Windows commands. A batch file run manually may not run the same as from a Workflow script.

  • Restrict Access - Optionally select whether you want to modify the permissions for the files which match this workflow rule. The options are as follows:
    • File Owner (Windows Only) - Leaving this option unchecked clears the permissions for the file owner. Selecting this option retains the permissions that are currently set for the file owner.
    • Administrators (Windows Only) - Leaving this option unchecked clears the permissions for the administrator. Selecting this option retains the permissions that are currently set for the administrator.
    • System (Windows Only) - Leaving this option unchecked clears the permissions for the system. Selecting this option retains the permissions that are currently set for the system.
    • User (Mac/Linux Only) - Leaving this option unchecked clears the permissions for the user. Selecting this option retains the permissions that are currently set for the user.
    • Group (Mac/Linux Only) - Leaving this option unchecked clears the permissions for the group. Selecting this option retains the permissions that are currently set for the group.

    Mac/Linux: When you click OK, the endpoint changes the permissions on the selected files to -RWX (Read, Write, Execute) for those that are unchecked (User, Group) and retains the existing permissions for those that are checked. If you click OK with all check boxes cleared, the permissions for the target file(s) are blank.

    Windows: When you click OK, the endpoint removes the permissions (Modify, Read, Execute) on the selected files for those that are unchecked (File Owner, Administrators, System) and retains the existing permissions for those that are checked. If you click OK with all check boxes cleared, the permissions for the target file(s) are blank.

    Note: Updating permissions on remote machines only works between machines of the same OS type, i.e., Windows modifying permissions on a remote Windows machine or a Mac modifying permissions on a remote Mac does work. However, Windows modifying permissions on a remote Linux or Mac machine does not work.
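
The case and spacing rules for Execute Script variables described above can be checked before a script is added to a workflow rule. The following is an added example, not part of the product or its documentation: a hypothetical `lint_workflow_script` helper that flags Windows-format tokens which nearly match a listed variable but differ in case or contain spaces. The variable names are copied as spelled in the list above, and the sample script is constructed.

```python
import re

# Windows-format names copied exactly as spelled in the variable list above.
DOCUMENTED = (
    "AnyfindCount", "AnyFindTotalCount", "DataTypes", "EndPointName",
    "Location", "LocationType", "Matches", "SearchUserName", "TaskId",
    "TotalDataTypes", "TotalMatches", "TotalUniqueMatches", "Owner",
    "UniqueMatches",
)
BY_LOWER = {name.lower(): name for name in DOCUMENTED}


def lint_workflow_script(text):
    """Return (line_no, token, problem, expected) for near-miss variables."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        pos = 0
        while True:
            start = line.find("%", pos)
            end = line.find("%", start + 1) if start != -1 else -1
            if end == -1:
                break
            raw = line[start + 1:end]
            canonical = BY_LOWER.get(raw.strip().lower())
            if canonical is None and not re.fullmatch(r"\w+", raw):
                pos = start + 1  # stray "%" (e.g. "50%"): retry from next one
                continue
            pos = end + 1  # a whole %...% token: skip past its closing "%"
            if canonical is None or raw == canonical:
                continue  # ordinary batch variable, or exact documented name
            problem = "spaces" if raw != raw.strip() else "case"
            findings.append((line_no, f"%{raw}%", problem, f"%{canonical}%"))
    return findings


# Constructed sample script, not taken from the product documentation.
SAMPLE = r"""@echo off
echo %EndPointName%: %totalmatches% matches >> "%TEMP%\wf.log"
echo 50% done, location "%Location%"
echo task % TaskId % owner "%owner%"
"""

if __name__ == "__main__":
    for finding in lint_workflow_script(SAMPLE):
        print(finding)
```

Tokens that do not resemble a listed variable, such as %TEMP%, are treated as ordinary batch variables and ignored. Confirm the name list against the variable list for your product version before relying on the suggestions.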

After you select a classification and where to execute the rules you must either click the Finish button to save your changes or Cancel button to discard your changes. If you try to select another classification or rule without clicking the Finish or Cancel button, you are prompted with a confirmation dialog that reads, "Do you want to save the current rule?" Select Yes to save your changes, No to discard them or Cancel to return to the rule.

Changing a classification after a rule has already been executed only affects future results. Any results that have already had a classification applied to them are not updated with the new classification.