Trigger: DLP Policy Violation Alert from Leocybsec DLP Scanner
Input: DLP Alert Data (includes sensitivity label, violation type, affected file(s), user(s), action performed, access type, timestamp, etc.)
High:
Sensitive files (Confidential or Private) externally shared
Abnormal access during non-business hours from unusual geolocations
Link-based sharing of confidential data
Bulk downloads beyond 120% of average
Repeated violations from a single user
Medium:
Excessive file views (15+ within 30 min)
Single instance of Private/Internal data shared externally
Suspicious downloads near baseline threshold
Unusual user behavior without confirmed policy violation
Low:
Access of public/internal files during normal hours
Legitimate app/service triggering false positives
One-off viewing behavior aligned with business roles
✅ Actions Based on Severity
High:
🚨 Revoke access to files, notify IT and user manager, initiate forensic investigation, and temporarily disable the user account if compromise suspected.
🛡 Update file permissions and sharing settings.
🔁 Add violating user to enhanced DLP watchlist.
Medium:
⚠ Notify the user and manager.
🔎 Monitor behavior for the next 7 days.
🧠 Recommend focused security awareness training.
Low:
📩 Log the incident for review, no immediate action.
🤖 Validate whether it's a false positive via Cribl/Splunk logs.
Single File Violation:
📎 Validate file sensitivity and exposure path.
👤 Notify the file owner and advise secure sharing practices.
Multiple File Violations:
🗃 Block user access to affected directories.
🔁 Perform bulk permissions audit.
Cross-User Violation (Org-Wide):
🌐 Conduct pattern analysis for shared behavior.
🏛 Evaluate policy tuning and escalate to compliance/legal if needed.
Repeated Offenses (Same User):
🚨 Flag user for HR/security meeting.
📚 Enroll in mandatory DLP policy refresher.
🔐 If external sharing is detected:
Immediately revoke links and enforce stricter access controls.
🔄 If bulk download or excessive file views detected:
Set up behavior-based adaptive policies and thresholds.
👀 If off-hours or geolocation anomaly:
Review login logs, enforce conditional access or MFA.
📬 If sensitive access changes occur:
Block sharing type, notify owner, and audit all similar files.
🧠 If user appears unaware:
Assign contextual awareness training focused on cloud data hygiene.
Sensitivity | Examples |
Confidential | Credit Card, Passport, IBAN, SSN |
Private | Names, Emails, Phone Numbers, Medical Info |
Internal | IPs, Organization IDs, Transactions |
Public | Postal Codes, Vehicle Reg. No., Credit Card Brand |
Implement MLOps feedback loop to fine-tune false positive/negative detection.
Introduce DLP Policy Tuning Workflow in case of repeated false alerts.
Create a risk dashboard in Splunk summarizing top violators, policy breach types, and recurring issues.