Help Center
News
Help Center
News
Popular
Architecture and High-level Information
Scans
How to Use Scans
How to Use Scan Playbooks
What is a Scan Playbook?Working with Scan Playbooks - OverviewHow to Add a New Scan PlaybookHow to View the Playbooks that Act Upon Your Sensitive Data LocationsHow to Create a Scan Playbook that Searches for a Single Data TypeHow to Change a Scan Playbook How to Search for a Scan PlaybookHow to Export a PlaybookHow to Clone a Scan PlaybookHow to Delete a Scan PlaybookHow to Use Logic StatementsHow to Manage Classifications for a PlaybookHow to Manage the Quarantine Path for a Scan PlaybookHow to Bulk Export Scan PlaybooksHow to Add a Script to a PlaybookScan Playbook ExamplesHow to Set Up Purview Labels in a Playbook and ScanHow to Manage Data Types for a Specific Scan PlaybookHow to Manage Classifications for an Individual Scan PlaybookHow to Quarantine SharePoint Site FilesHow to Add a Custom Classification to a Playbook
How to Use Scan Results
Agents
How to Use Dashboards
How to Use Data Asset Inventory
How to Install\Uninstall and Set Up Spirion Sensitive Data Platform
How to Use Logs
How to Manage Users and Roles
Settings and Resources
Additional Resources
Reports
Reporting API
Customer Support Articles

How to Add a New Scan Playbook

Once you have identified the sources you wish to scan for sensitive data, added and configured them to Spirion Sensitive Data Platform you next create decision trees (Playbooks) that Spirion Sensitive Data Platform uses to act upon the sensitive data it finds.

Overview

Recall that once you have identified the sources you wish to scan for sensitive data, added and configured them to Spirion Sensitive Data Platform, you next create decision trees ("Playbooks" or "Scan Playbooks") that instructs Spirion Sensitive Data Platform what actions to take, if any, when sensitive data is discovered, such as quarantine, redact, shred, notify users, etc.

  • Playbooks define the plan and actions that you can take on the results of your sensitive data scans

See the available playbook remediation actions in the "Playbook Actions" graphic below:

  • Quarantine - Move files from one location to another location
  • Redact - Replace numerical and alpha characters in data with generic characters such as 'X' or '#'

    Unredacted vs. Redacted Text Example
  • Shred - Permanently deletes file. Data sanitation techniques include: NIST Single Pass, DOD 3 Pass, and The Gutmann algorithm
  • Restrict Access - Restrict access to all but select groups (Administrators, file owner, etc.)
  • Encryption/Pseudo-anonymization - Provided by third-party integration partners
  • Execute Script - Batch or PowerShell script. This enables you to leverage third-party CLI capabilities

Playbook Actions

How to Add a New Scan Playbook

To add a new Scan Playbook use the following steps:

  1. From the left side navigation menu, click Scans.

  2. Select Scan Playbooks.

  3. The "Scan Playbooks" page opens.

Use the following instructions to create a new Scan Playbook:

  1. In the top right of the screen, click the + Add Playbook button.

  2. The New Playbook pop-up window opens.
    1. Enter the name and description of the playbook.

    2. Click the Continue button to create the playbook or the Cancel button to discard your changes.
  4. Playbooks are similar to Busines Process Modeling (BPMN) diagrams - they are a process flow with a start point and end points.
    1. When the process starts, a question, in the form of a "decision point" is asked.
    2. As a result of the answer to the question (yes or no), additional actions are taken (quarantine/redact/shred sensitive data, notify a user of the sensitive data discovered, etc.)
    3. Actions can be automated
    4. A single sensitive data scan often contains multiple playbooks
    5. Playbooks can be very simple, containing only one decision point and two paths ('No' and 'Yes'). See the screenshot below.

    6. For examples of playbooks, see Scan Playbook Examples.
  6. Architect your playbook using the sections below.

How to Create a Decision Point

Decision points are used in playbooks to set the logic for what actions to take (classify, quarantine, shred, redact, etc.) when sensitive data is or is not discovered during a sensitive data scan.

Use the following steps to configure a Decision Point:

  1. Decision Point: Click the Decision Point icon to open the Decision Point pop-up window.

  2. Step Logic: In the Name box, type the name of the step logic.
    1. For example: MyStepLogic.

  4. Logic: Set your logic.
    • Left criteria drop-down list: Select an option. For example: Access Data.

    • Center criteria drop-down list: Select an option. (The options available are determined by the initial criteria choice.) For example: On.

    • All Day toggle: Set toggle to On for all day. Set toggle to Off to set a specific Date/Time.
      NoteAll Day toggle is only available for options that include date and time.
    • Right criteria drop-down list: Fill in as applicable. For example: 03/01/2021.

    • To add a new group containing a filter value plus one additional value, click the plus icon.

  6. Select options from the left and center criteria drop-down lists as above.

  7. In the right criteria box, the available options are dependent on your previous choices.
    1. For example: Click the more options menu (...).

  9. In the Select Items pop-up window, do the following:
    1. Type an item to search in the Search box.
    2. Click the right arrow to select an item to add.
    3. Click the left arrow to remove an item from the list.
    4. Click the OK button to add the criteria or the Cancel button to discard.

  11. In the Decision Weight section, use the numeric up-down control to select a weight for the logic statement.

  12. Click the Save button to save the logic statement or Cancel button to discard.

    Note: Adding multiple filter criteria can affect the scan performance.

    Note: Not all repositories allow all logic scenarios to be performed so some logic statements will not function.
    • For example, many cloud repositories do not track Access Dates.

How to Set an Action from a Decision Point - Select Action

Use the following steps to set the Action to take as a result of a Yes or No answer to your step logic criteria:

  1. Select options from the Select Action drop-down lists:

    • Step Logic No: Applies the action when a data match is not found.
    • Step Logic Yes: Applies the action when a data match is found.
    • Select Action: Select one option from the drop-down list:
      • Classification
      • User Action
      • Assign
      • Notify
      • MIP Label
      • Remediation
        • Restrict Access: Restrict access to specific users.
        • Quarantine: Quarantine paths are managed by the administrators in the Remediation section of the Scans Settings page.
        • Shred: Permanently deletes a file. No further action can be taken.
        • Redact: Redacts the results when the Spirion application is closed.
        • Execute Script: Execute a script if there are results matching this rule.
        • Take No Action: Take no action on the results.
        • Ignore: Ignore all future instances of a result. Note that if you Ignore a via a Playbook, the Spirion agent reports the data, and then services adds an internal global ignore list so the data is not found again. With appropriate searching or filtering, ignored data is still visible in scan results and reporting. Sensitive data matches added to custom Global Ignore Lists that users create, results in Spirion agents ignoring that data and the data not being sent to the SDP console. The data is therefore not visible in scan results, reporting, or dashboards. See Manage Data Retention Settings

How to Classifiy Sensitive Data Discovered by a Scan Playbook

Use the following steps to classify sensitive data discovered by a Scan Playbook:

  1. Open your Scan Playbook.
  2. From the 'Yes' path from your Decision Point, set the following:
    1. Select Classification from the Select Action drop-down list.
    2. Action Options: Select one of the following from the drop-down list:
      1. Perform Action on File and Databases
      2. Perform Action on Databases Only
    4. Classification Type: Select one from the drop-down list:
      1. New Classification: Adds a new classification to the search results.
      2. Remove Classification: Removes a classification from the search results.
      3. Replace Classification: Replaces a classification in the search results.
    6. Select Classification: Select an option from the drop-down list.
      1. See Manage Classification to manage classifications.
    8. Automate Action: Select to apply the action automatically.

How to Select a User Action

Use the following instructions to select a User Action:

  1. Select User Action from the Select Action drop-down list.
  2. In the Provide Instructions box, type the specific user action needed.

How to Assign a User or Role

Use the following step to assign a user or role:

  1. Select Assign from the Select Action drop-down list.
    1. Select User or Role: Select an option from the drop-down list.
    2. Automated Action: Select to apply the action automatically.

How to Notify Assignees of Scan Playbook Results

Use the following steps to notify assignees of Scan Playbook results:

  1. Select Notify from the Select Action drop-down list.
    1. Custom Notification Template: Select an option from the drop-down list.
    2. Enter Email Address(es): Type the email address to notify. Click Enter on your keyboard to add multiple email addresses.
    3. Automated Action: Select to apply the action automatically.

How to Use MIP Labels

To use Microsoft Information Protection (MIP) labels to apply to the results:

  1. Select MIP Label from the Select Action drop-down list.
    1. Select Microsoft Label: Select an option from the drop-down list.
    2. Label Application: Select an option from the drop-down list.
    3. Automated Action: Select to apply the action automatically.
      Note: This option is requires purchase of a MIP license.

How to Use Remediation Actions

Procedure:

  1. Select an option from the Remediation section of the Select Action drop-down list:

  • Restrict Access: Restrict access to specific users.
  • Do Not Restrict Access: Select an option from the drop-down list.
  • Automated Action: Select to apply the action automatically.

  • Quarantine: Quarantine paths are managed by the administrators in the Remediation section of the Scans Settings page.
  • Automated Action: Select to apply the action automatically.

  • ShredPermanently deletes a file. No further action can be taken.
  • Automated Action: Select to apply the action automatically.

  • Redact: Redacts the results when the Spirion application is closed.
    • An example of a file with sensitive information redacted (using the 'X' character) is shown below.
    • Redaction settings are managed by the Admin in Platform Settings.

      Redaction File Example
  • Automated Action: Select to apply the action automatically.

  • Execute Script: Execute a script if there are results matching this rule.
    • Select an option from the Select Script drop-down list.
  • Automated Action: Select to apply the action automatically.

  • Take No Action: Take no action on the results.
  • Automated Action: Select to apply the action automatically.

  • Ignore: Ignore all future instances of a result. Note that if you Ignore a via a Playbook, the Spirion agent reports the data, and then services adds an internal global ignore list so the data is not found again. With appropriate searching or filtering, ignored data is still visible in scan results and reporting. Sensitive data matches added to custom Global Ignore Lists that users create, results in Spirion agents ignoring that data and the data not being sent to the SDP console. The data is therefore not visible in scan results, reporting, or dashboards. See Manage Data Retention Settings
  • Automated Action: Select to apply the action automatically.

How to Complete a Select Action

To complete a select action section:

  1. In an existing action, click the plus icon below the action box.

  2. Select Completed.

  3. The action is marked Complete.

  4. To reopen the action, click the X to the right of Complete.

How to Add Additional Select Actions

In an existing action, you can add further decision flow below or action to the side:

How to Add a New Decision

Use the following steps to add a new decision:

  1. Click the plus icon at the bottom of the current action.

  2. Click Decision.

  3. Write the new step logic as defined in the Decision Point section.
  4. Select an action from the Select Action drop-down list. See Select Action for more details.

How to Add a New Adjacent Action

Use the following steps to add a new adjacent action:

  1. Click the plus icon to the side of the current action.

  2. Select an action from the "Select Action" drop-down list.


  3. To delete the new adjacent action, click the trash icon next to the drop-down menu.

Note: To use a Playbook, you must mark all actions complete.

How to Manage Scripts

The Script Repository screen displays a searchable list of existing scripts.


Was this article helpful?

Powered by Product Fruits