Workflow Automation
Managing Workflow Mappings
A workflow mapping specifies the incidents that are associated with a workflow. Only admins with full access to Workflow Automation can map workflows. Incidents are mapped to workflows based on one or more of the attributes available in an incident transaction. These mappings can be simple or more complex to meet your requirements. Then, when an incident that contains those attributes occurs in your organization, the workflow automatically triggers and performs the actions that the workflow specifies.
The mapping statements are evaluated in the order in which you configure them. Workflow Automation uses the first statement that matches an incident. If no statement matches an incident, then no workflow is automatically triggered for the incident.
On the Workflow Mapping page in the Workflow Automation Admin Portal, admins can:
- Add Workflow Mappings
Prerequisites
In the Workflow Automation Admin Portal, ensure that workflows have been added on the Workflows page. To learn more, see Managing Workflows.
Adding Workflow Mappings
To add a workflow mapping:
- Go to Workflows > Workflow Mappings. The Workflow Mappings page appears, listing all the workflows that have been mapped.
- On the Workflow Mappings page, at the top left of the page, click Add Statement. A new expanded row appears after the last workflow mapping. The statement section appears within that row.
You can also access the Workflow Mappings page by clicking the Add Workflows Mapping icon from the Workflows page.
- In the new row, from the Workflow Name drop-down menu, select the name of the workflow that you want to map.
- Configure a basic or advanced incident property mapping for the workflow, as required.
- Basic Workflow Mapping
To configure a basic workflow mapping:
- In the statement section, from the drop-down menu, select the Source DLP Type. Source DLP types are Any, Email, Endpoint, Inline, and SaaS Security. Any appears by default.
- Add a predicate for the first condition:
- Property: From the drop-down menu, select the property. All the attributes in an incident transaction are available as properties. The properties available for selection vary depending on the DLP type you select. A property can be a number, a string, a date, or a Boolean field (True or False).
If you choose user attributes for obfuscation, you cannot map a workflow to these obfuscated attributes (properties). In addition, if a user with permissions to workflow mappings has obfuscation enabled and a workflow was previously mapped using an obfuscation field, then the user cannot edit those existing workflow mappings. To learn more about obfuscation settings, see Managing Account Settings and Managing Admin Assignments.
- Property List
The following is a list of the workflow mapping properties:
Application Info
The Application Info properties are available only for Source DLP types of Email, Inline, and SaaS Security.
- Additional Info (only available for Source DLP types of Email and SaaS Security)
- Tenant (only available for Source DLP type Email)
- SaaS Tenant Name (only available for Source DLP type SaaS Security)
- Category
- Hostname Or Application
- Name
- Referrer URL (only available for Source DLP type Inline)
- Url
- Additional Info (only available for Source DLP types of Email and SaaS Security)
- Content Info
- Inline and Any Source DLP Types
- SaaS Security Source DLP Type
- Additional Info
- Attachment Name
- Bucket Name
- Bucket Owner
- Channel Name
- Code Repository
- Collaboration Scope
- Values
- File MD5
- Email Recipients
- Email Sender
- External Collaborators
- File ID
- File Owner
- Internal Collaborators
- Message ID
- Object ID
- Object Name
- Attachments
- File Category
- File Name
- File Size
- File Type
- File MD5
- Content Location
- File Category
- File Name
- File Size
- File Type
- Additional Info
- Endpoint Source DLP Type
- Additional Info
- Additional Info
- Channel
- Destination Type
- File MD5
- Expected Action
- File Destination Location
- File Size
- File Source Location
- Item Destination Name
- Item Source Name
- Item Type
- Source Type
- ZDP Mode
- Evidence Url
- File Name
- File Type
- Additional Info
- Email Source DLP Type
Endpoint Info
The Endpoint Info properties are available only for Source DLP type Endpoint.
- Activity Type
- Confirm Action
- Confirm Justification
- Integration Type
- Matching Policies
- Inline Source DLP Type
- Dictionaries
- Match Count
- Name
- Name Match Count
- Engines
- Name
- Rule
- Other Rules
- Other Rules
- Rule Name
- Total Other Rules
- Other Rules
- Rules
- Name
- Dictionaries
- SaaS Security Source DLP Type
- Endpoint Source DLP Type
- Dictionaries
- Assigned To Hit Rule
- Match Count
- Name
- Name Match Count
- Engines
- Assigned To Hit Rule
- Name
- Rule Expr
- Other Rules
- Other Rules
- Rule ID
- Rule Name
- Total Other Rules
- Other Rules
- Rules
- Name
- Dictionaries
- Email Source DLP Type
- Dictionaries
- Assigned To Hit Rule
- Match Count
- Name
- Name Match Count
- Engines
- Assigned To Hit Rule
- Name
- Rule
- Rules
- Action
- Files Info
- Content Location
- File Category
- File Name
- File Size
- File Type
- File MD5
- Name
- Other Matched Rules
- Recipient
- Severity
- Dictionaries
- Any Source DLP Type
- Inline Source DLP Type
- Severity (not available for Source DLP type Email)
- Source Actions
- Source ID
- Source SubType
- Source Type
- User Info
- Addresses
- Home
- Country
- PostCode
- Region
- Other
- Country
- PostCode
- Region
- Work
- Country
- PostCode
- Region
- Home
- Client IP (only available for Source DLP type Inline)
- Department
- Device Name (only available for Source DLP type Endpoint)
- Device OS (only available for Source DLP type Endpoint)
- Device Trust Level (only available for Source DLP type Endpoint)
- Division
- Employ Number
- First Name
- Groups
- Home Country (only available if you select CSV as the primary user data source on the Account Settings page)
- Job Title (only available if you select CSV as the primary user data source on the Account Settings page)
- Last Name
- Location (only available if you select CSV as the primary user data source on the Account Settings page)
- Manager
- Department
- Groups
- ID
- Name
- Organization
- Name
- Organization
- Organization Hierarchy (only available if you select CSV as the primary user data source on the Account Settings page)
- Phone Number (only available if you select CSV as the primary user data source on the Account Settings page)
- Project IDs (only available if you select CSV as the primary user data source on the Account Settings page)
Skip Level Managers
The Skip Level Managers properties are only available if you select CSV as your primary user data source on the Account Settings page.
- Department
- ID
- Name
- Status
- Termination Date (only available if you select CSV as the primary user data source on the Account Settings page)
- User ID
- User Role (only available if you select CSV as the primary user data source on the Account Settings page)
- Worker Type (only available if you select CSV as the primary user data source on the Account Settings page)
- Addresses
- Operation: From the drop-down menu, select the operation. The operations vary depending on the property you choose.
- Operations Table
The following table lists the operations and their descriptions:
AFTER
It can be used for a Date type property field.
This operation tests whether the property selected for these types of incidents is after the value that you entered in the property value field (e.g., userInfo.Termination Date).
BEFORE
It can be used for a Date type property field.
This operation tests whether the property selected for these types of incidents is before the value that you entered in the property value field (e.g., userInfo.Termination Date).
CONTAINS_EXACT
It can be used for the following types of property fields:
- Array of strings
- Number
- Boolean
This operation tests whether the property selected for these types of incidents contains the exact value that you entered in the property value field. You must enter the full value for the property because no partial comparisons are performed. The property field value is not case sensitive. You can use this operation for properties that might include multiple values (e.g., matchingPolicies.rules[*].name, matchingPolicies.engines[*].name, and matchingPolicies.dictionaries[*].name).
For example, let's say you want to map incidents that have violated a specific Data Loss Prevention (DLP) rule (Block-HIPAA-SSN) to a workflow (Social Security Numbers). However, incidents are occurring in your organization that violate multiple DLP rules (Block-HIPAA-MIN, Block-PCI-CC, and Block-HIPAA-SSN) at the same time. Using the CONTAINS_EXACT operation, you can ensure that those incidents with multiple rule violations that include the Block-HIPAA-SSN rule are mapped to the Social Security Numbers workflow. In the following example, an incident has violated the Block-HIPAA-MIN, Block-PCI-CC, and Block-HIPAA-SSN rules.
In the future, to ensure that this type of incident maps to the Social Security Numbers workflow, create the following workflow mapping predicate:
- Workflow Name = Social Security Numbers
- Property = matchingPolicies.rules[*].name
- Operation = CONTAINS_EXACT
- Property Value = Block-HIPAA-SSN (must contain the full name of the DLP rule)
NOT_CONTAINS_EXACT
It can be used for the following types of property fields:
- Array of strings
- Number
- Boolean
This operation tests whether the property selected for these types of incidents does not contain the exact value that you entered in the property value field. You must enter the full value for the property because no partial comparisons are performed. The property field value is not case sensitive. You can use this operation for properties that might include multiple values (e.g., matchingPolicies.rules[*].name, matchingPolicies.engines[*].name, and matchingPolicies.dictionaries[*].name).
EQUALS
It can be used for the following types of property fields:
- String
- Number
- Date
This operation tests whether the property selected for these types of incidents equals the value that you entered in the property value field. The property field value is not case sensitive.
NOT_EQUALS
It can be used for the following types of property fields:
- String
- Number
- Date
This operation tests whether the property selected for these types of incidents does not equal the value that you entered in the property value field. The property field value is not case sensitive.
IN_IPv4_SUBNET
It can be used for an IP Address type property field.
This operation tests whether the property selected for these types of incidents is in the IPv4 subnet value that you entered in the property value field. You can use this operation for IP address properties.
IN_IPv6_SUBNET
It can be used for an IP Address type property field.
This operation tests whether the property selected for these types of incidents is in the IPv6 subnet value that you entered in the property value field. You can use this operation for IP address properties.
LIKE
It can be used for a String type property field.
This operation tests whether the property selected for these types of incidents is like the value that you entered in the property value field. This operation does a partial comparison of the substring. For example, if you select userInfo.name as the property and enter John for the property value, the LIKE operation matches the following user names:
- John Brown
- David John Smith
- Susan John
- John
EXISTS
It can be used for all types of property fields.
This operation tests whether the property selected exists for these types of incidents. For this type of operation, you do not enter a property value.
LESS_THAN
It can be used for a Number type property field.
This operation tests whether the property selected for these types of incidents is less than the value that you entered in the property value field. You can use this operation for numeric properties (e.g., userInfo.userId).
GREATER_THAN
It can be used for a Number type property field.
This operation tests whether the property selected for these types of incidents is greater than the value that you entered in the property value field. You can use this operation for numeric properties (e.g., userInfo.userId).
- Property value: Enter or select the value for the property. Some of the properties display values for your organization filtered by the source DLP type that you can select (e.g., Severity, Source Actions, and Matching Policies.Rules[*].name). For others, you must enter a value for the property.
- Select the function for the condition. If required, select NOT. You can only select OR or AND as the function when you add another predicate.
- (Optional) Add another predicate:
- Click Add Predicate. Another predicate row appears under the first predicate row, and the AND function is automatically selected for the condition.
- In the new predicate row:
- Property: From the drop-down menu, select the property.
- Operation: From the drop-down menu, select the operation.
- Property value: Enter or select the property value for the property.
- If required, select the function for the condition. Functions are NOT, OR, and AND.
- (Optional) Add another condition to the statement:
- Above the predicates that have been defined, click the Add icon. Another condition box appears.
- Enter the predicates for the condition. Add a predicate for the first condition and optionally add another predicate.
- Click Save.
- Advanced Workflow Mapping
To configure an advanced workflow mapping:
- In the statement section, from the drop-down menu, select the Source DLP Type. Source DLP types are Any, Email, Endpoint, Inline, and SaaS Security. Any appears by default.
- Click Advanced. The statement section reappears, displaying multiple nested conditions.
- Configure the predicates as required for each condition in the statement. To add another predicate to a condition, click Add Predicate. To add another condition to a level in the statement section, click the Add icon at that level. To learn how to add a predicate and a condition to a statement, see Basic Workflow Mapping.
- Click Save.
- Edit Workflow Mappings
- Go to Workflows > Workflow Mappings. The Workflow Mappings page appears, listing all the workflows that have been mapped.
- (Optional) On the Workflow Mappings page, use the Search field to locate the workflow you want to edit the mappings for.
- At the end of the row next to the workflow you want to edit, click the Expand icon. The row expands to display the mappings in the statement section for the workflow.
- In the statement section, edit any of the existing predicates and conditions for the statement. You can edit the properties, operations for the properties, and property values within the existing predicates and the function for the condition.
- (Optional) Add additional predicates or conditions to the statement. To learn more, see Adding Workflow Mappings.
- Click Save.
To delete a predicate or condition within a statement, click the Delete icon next to the predicate or condition.
- View Workflow Mappings
- Go to Workflows > Workflow Mappings. The Workflow Mappings page appears, listing all the workflows that have been mapped.
- On the Workflow Mappings page, at the end of the row next to a workflow, click the Expand icon. The row expands to display the mappings in the statement section for that workflow.
- Delete Workflow Mappings
- Go to Workflows > Workflow Mappings. The Workflow Mappings page appears, listing all the workflows that have been mapped.
- On the Workflow Mappings page, click the Delete icon next to a workflow. A message appears asking whether you are sure that you want to delete this statement.
- Click OK.
- Arrange Workflow Mapping Rules
Rules equate to statements in Workflow Automation.
To arrange workflow mapping rules:
- Go to Workflows > Workflow Mappings. The Workflow Mappings page appears, listing all the workflows that have been mapped.
- On the Workflow Mappings page, click the down arrow or up arrow next to a workflow to arrange the order in which the rules are processed. Workflow Automation stops processing an incident after it finds its first rule match for the incident.
- Click Save.
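The first-match ordering and the CONTAINS_EXACT semantics described on this page can be modeled offline to check whether a broad statement shadows a more specific one before you arrange the rules. This is an added example, not product code. The incident layout, the property paths severity and userInfo.clientIp, the severity value, and the High Severity Triage workflow name are assumptions made for illustration.

```python
import ipaddress

# Constructed incident; keys are flattened property paths (layout is an assumption).
INCIDENT = {
    "matchingPolicies.rules[*].name": ["Block-HIPAA-MIN", "Block-PCI-CC", "Block-HIPAA-SSN"],
    "severity": "High",                 # hypothetical path and value
    "userInfo.clientIp": "10.20.30.40", # hypothetical path, constructed address
}

def _ci(v):
    return str(v).casefold()  # property values are compared case-insensitively

OPS = {
    # Full-value membership test over a multi-valued property; no partial matches.
    "CONTAINS_EXACT": lambda prop, val: _ci(val) in {_ci(x) for x in prop},
    "EQUALS": lambda prop, val: _ci(prop) == _ci(val),
    "IN_IPv4_SUBNET": lambda prop, val: ipaddress.ip_address(prop) in ipaddress.ip_network(val),
}

def predicate_matches(incident, prop, op, value=None):
    if prop not in incident:
        return False  # assumption: a property absent from the incident never matches
    if op == "EXISTS":
        return True
    return OPS[op](incident[prop], value)

def map_workflow(incident, statements):
    """Return the workflow of the first statement whose predicates all match (AND)."""
    for workflow, predicates in statements:
        if all(predicate_matches(incident, *p) for p in predicates):
            return workflow
    return None  # no statement matched: no workflow is triggered automatically

# Same two statements in two orders; only the order differs.
SPECIFIC_FIRST = [
    ("Social Security Numbers",
     [("matchingPolicies.rules[*].name", "CONTAINS_EXACT", "Block-HIPAA-SSN")]),
    ("High Severity Triage",            # hypothetical workflow name
     [("severity", "EQUALS", "high")]),
]
BROAD_FIRST = list(reversed(SPECIFIC_FIRST))
```

With the specific statement first, the constructed incident maps to Social Security Numbers; with the broad severity statement first, the same incident is routed to the other workflow and the Block-HIPAA-SSN statement is never evaluated.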