Managing Inline Rule Policies

You can manage your inline rule policies by changing the rule order or removing rules. Rules designed to detect the most serious threats should be placed above rules designed to detect less serious threats.

Proofpoint CASB evaluates rules from top to bottom.

NOTE: The Inline Rules editor was previously used for all CASB rules. Please refer to the Rule Editor help pages for defining rules that are not dedicated to inline protection.

  • For Detection and Remediation rules, evaluation stops once a rule with a remediation is matched. That is, Proofpoint CASB generates alerts for all matching rules until a matching rule has a remediation, executes the remediation for this rule, and generates neither alerts nor remediations for any matching Detection and Remediation rules that follow.

  • Most events are relevant to only one rule type, but file activity events can match more than one rule type. For example, the File upload event matches both the Data | Content Updates and Sharing rule type and the Data | Content Updates rule type.

    Suspicious Login events match only the Access | Suspicious Login rule type while Login events match only the Access | Login rule type.

  • For AAC policies, we recommend that you set up a default Allow rule as the last rule in the policy. The default rule should include all users, devices and contexts and should be set to Allow.
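The evaluation order described above for Detection and Remediation rules, as a small Python model added here as an example; it is not Proofpoint code, and the rule names, event fields and remediation labels are constructed. It lists which matching rules are silenced when a broader rule with a remediation sits above them.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Rule:  # simplified stand-in for a rule row, not a Proofpoint object
    name: str
    matches: Callable[[dict], bool]
    remediation: Optional[str] = None  # None means alert only

def evaluate(rules, event):
    """Walk the rules top to bottom, stopping at the first match with a remediation."""
    alerts = []
    for rule in rules:
        if not rule.matches(event):
            continue
        if rule.remediation is not None:
            # Assumption: only the remediation is recorded for this rule; the
            # page does not say whether it also raises its own alert.
            return alerts, (rule.name, rule.remediation)
        alerts.append(rule.name)
    return alerts, None

def suppressed(rules, event):
    """Names of rules that match the event but never fire because evaluation stopped."""
    alerts, hit = evaluate(rules, event)
    fired = set(alerts) | ({hit[0]} if hit else set())
    return [r.name for r in rules if r.matches(event) and r.name not in fired]

# Constructed rules; names, event fields and remediation labels are hypothetical.
any_upload = Rule("Any upload", lambda e: e["event"] == "File upload", "notify-user")
sensitive = Rule("Sensitive upload alert", lambda e: e["sensitive"])
external = Rule("Sensitive external share",
                lambda e: e["sensitive"] and e["shared_externally"], "block-upload")

# Constructed sample event.
EVENT = {"event": "File upload", "sensitive": True, "shared_externally": True}

BAD_ORDER = [any_upload, sensitive, external]   # broad rule with remediation on top
GOOD_ORDER = [sensitive, external, any_upload]  # most serious rules first

if __name__ == "__main__":
    for label, order in (("bad", BAD_ORDER), ("good", GOOD_ORDER)):
        alerts, hit = evaluate(order, EVENT)
        print(label, "alerts:", alerts, "remediation:", hit,
              "suppressed:", suppressed(order, EVENT))
```
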

  1. Access the Rule Editor, and click for the desired rule.

    The rule manager opens.

  2. Select one of:

    • Move up: Moves the rule up one row in the Rule Editor table

    • Move down: Moves the rule down one row in the Rule Editor table

    • Delete: Deletes the rule from the table

    • Discard: Only available for new rules prior to deployment. Discards defined rule attributes so that the new rule reverts to its default state.