Apply On-Demand Policy

Apply On-Demand Policy is an Endpoint Rule. (See Endpoint Rules.)

The Apply On-Demand Policy action allows you to change the monitoring policy for a user for a predefined duration.

For example, you are monitoring a group of suspicious users, and you want to know what other activities a user might perform after uploading a file to the Web to better understand the intent of the upload. You use the Apply On-Demand Policy action that triggers when a user uploads a file and captures the user's activities for the next 5 minutes.

On-Demand Policy is a type of Agent Policy used exclusively by Endpoint Rules. It allows you to select a specific policy to be temporarily applied to a monitored user for a duration that you define.

Before the Activity

Before the activity allows you to specify a value between 0 and 60 minutes, so that the policy is applied retroactively to activity that occurred before the trigger.

When Endpoint Rules are configured to apply the On-Demand Policy for N minutes before a predefined activity, the agent stores the user's activity for the last N minutes locally. This data is retained in case it needs to be sent to the backend. The maximum storage size for this local data is configured in Realm > Advanced Settings > Agent Storage > Max Storage Size for Dynamic Policy. Valid values range from 10 MB to 102,400 MB (100 GB), with a default of 1024 MB (1 GB).
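The following added example is an illustrative model of the retention behavior described above, not Proofpoint code. The class and function names, the timeline, and the oldest-first eviction when the storage cap is reached are assumptions; it shows how a small Max Storage Size can shorten the effective "before" window.

```python
from collections import deque

MB = 1024 * 1024

class OnDemandBuffer:
    """Illustrative model only; class name and oldest-first eviction are assumptions."""
    def __init__(self, before_min, after_min, max_store_mb=1024):
        # Ranges as stated on this page (lower bound 0 for after_min is assumed).
        for name, val, lo, hi in (("before_min", before_min, 0, 60),
                                  ("after_min", after_min, 0, 1440),
                                  ("max_store_mb", max_store_mb, 10, 102_400)):
            if not lo <= val <= hi:
                raise ValueError(f"{name} must be {lo}-{hi}")
        self.before_s, self.after_s = before_min * 60, after_min * 60
        self.cap = max_store_mb * MB
        self.events, self.used = deque(), 0   # (timestamp_s, size_bytes, label)
        self.capture_until = None             # end of the "after" period
        self.sent = []                        # labels delivered to the backend

    def _evict(self, now):
        # Drop what fell out of the N-minute window, then oldest-first to fit the cap.
        while self.events and (now - self.events[0][0] >= self.before_s
                               or self.used > self.cap):
            self.used -= self.events.popleft()[1]

    def record(self, ts, size, label):
        if self.capture_until is not None and ts <= self.capture_until:
            self.sent.append(label)           # on-demand policy active: captured
            return
        self.events.append((ts, size, label))
        self.used += size
        self._evict(ts)

    def trigger(self, ts):
        # Rule condition matched: release the retained window, start the after period.
        self._evict(ts)
        self.sent += [label for _, _, label in self.events]
        self.events, self.used = deque(), 0
        self.capture_until = ts + self.after_s

def demo(max_store_mb):
    # Constructed timeline: one 4 MB activity record every 100 seconds.
    buf = OnDemandBuffer(before_min=5, after_min=5, max_store_mb=max_store_mb)
    for ts in (0, 100, 200, 300, 400):
        buf.record(ts, 4 * MB, f"activity@{ts}")
    buf.trigger(420)                           # e.g. the copy-to-USB rule fires
    buf.record(500, 4 * MB, "activity@500")    # inside the 5-minute after period
    buf.record(800, 4 * MB, "activity@800")    # after period over: buffered again
    return buf.sent
```

In this model, `demo(1024)` delivers the records from 200 s onward, while `demo(10)` loses the record at 200 s because the 10 MB cap is reached before the 5-minute window is.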

After the Activity

After the activity allows you to define the duration of the policy in minutes after a predefined activity is detected (up to 24 hours, which is 1440 minutes).

Selected Policy

Selected Policy is the On-Demand Agent policy that will be applied on the endpoint.

  • Assign Existing Policy

    An existing policy must be an existing On-Demand policy. Policies that are not On-Demand policies are not available for this option.

  • New Policy

  • New Policy from Template

  • If you select New Policy From Template, the following 3 templates are available:

    • Ensure DLP Metadata is Captured

    • Ensure ITM Metadata is Captured

    • Capture ITM Metadata & Screenshots

    The table describes the 3 available templates, each with a use case example:

    | Template | Description | Use Case |
    |---|---|---|
    | Ensure DLP Metadata is Captured | Ensure that metadata is captured for Agent Policy with Signal Type Endpoint DLP | Agent in standby mode will start recording metadata |
    | Ensure ITM Metadata is Captured | Ensure that metadata is captured for Agent Policy with Signal Type ITM | Agent in either standby mode or with policy from type Endpoint DLP will start recording metadata with policy from type ITM |
    | Capture ITM Metadata & Screenshots | Ensure that both metadata and screenshots are captured for Agent Policy with Signal Type ITM | Agent that captures metadata only will start capturing screenshots |

  • Adding an On-Demand Policy

    In this example, the On-Demand Policy is triggered when the user copies to USB. The policy captures the activity for 5 minutes once it is triggered.

    Create a new Endpoint Rule

    1. From the Proofpoint Information and Cloud Security Platform, select the Administration app. Select Endpoints > Prevention/Endpoint Rules.

    2. From the Prevention/Endpoint Rules view, click New Rule.

    3. From Select Action to Perform, in the Endpoint Rules area, click Create Rule.

    4. Select Apply On-Demand Policy from Select Action/Purpose to Perform.

    5. The New Rule area displays.

    Name the Policy and Set the Conditions for Applying the On-Demand Policy

    1. In the Name field, provide the name you want.

    2. In the Conditions and Actions area, set up your rule. In this example, you want to trigger the policy whenever anyone in the admin group copies to USB.

    Select the Duration of the Policy

    Select the duration - how long after the user activity - that the On-Demand Policy will be applied. (Maximum 1440 minutes, which is 24 hours.)

    1. In the Actions area, define the actions for the On-Demand Policy, and in the After the activity field, define the duration of the policy in minutes. In the example, it is set to 5 minutes, so recording will continue for 5 minutes from the time the alert is triggered.

    Select the On-Demand Policy to be Applied

    1. In the Selected Policy area, select one of the following:

      • Assign Existing Policy

        An existing policy must be an existing On-Demand policy. Policies that are not On-Demand policies are not available for this option.

      • New Policy

      • New Policy from Template

    2. If you select New Policy From Template, the following 3 templates are available:

      • Ensure DLP Metadata is Captured

      • Ensure ITM Metadata is Captured

      • Capture ITM Metadata & Screenshots

    3. Assign the rule to the relevant Realms.

    Related Topics:

    Prevention Rules

    Prevention/Endpoint Rules