
Policy Management

You can define policies within the platform to control user actions and manage data security. These policies evaluate user activity in real time and are enforced at the data destination. You can define policies based on conditions such as location, user, event, and content.

Policies reference datasets to identify the type of data to protect and then determine the action to take, such as monitor, warn, or block user actions. When a policy is enforced, an incident is generated. Policies can target specific conditions, including the type of data, user groups, applications, and destinations.

The platform allows you to define two types of policies: Data Protection Policies and Content Inspection Policies. This separation enables you to configure granular policies and define how data is handled and how user actions are managed. All policies are configured and managed through the Object Management pages.

Data Protection Policies

Data Protection Policies are the original policy type, used to monitor, warn, or block user actions based on defined conditions.

These policies:

  • Are considered during backend matching and incident creation.
  • Appear in the Risks Overview page.
  • Do not control whether content is inspected or captured.

You can configure the following options for Data Protection Policies:

  • Severity
  • Response (Monitor, Warn, Block)
  • Incident creation (Always create, Let Linea AI decide, Never create)
  • Email notifications
  • Screenshot capture

Content Inspection Policies

Content Inspection Policies are a new type of policy introduced in version 25.05 for data in motion events. Unlike Data Protection Policies, they do not generate warn or block actions on matching events. Instead, these policies determine whether to perform content inspection or capture content.

These policies:

  • Define conditions to trigger content inspection, content capture, or both. These actions are performed in addition to the default inspection and capture triggered by user actions.
  • Work independently of Data Protection Policies.
  • Are not considered during backend matching and incident creation.
  • Are not displayed on the Risks Overview page.
  • Are not retroactively applied to past events.

If an event matches only a Content Inspection Policy (and no Data Protection Policy), it is marked as "Unmatched" in the system.

Content Inspection Policies are ideal for expanding visibility into sensitive content flows without affecting user experience or generating alerts.

You can configure the following actions for Content Inspection Policies:

  • Content Inspection
  • Content Capture

Content Inspection Policies must be explicitly enabled per deployment group before they are applied.


Default Content Inspection and Capture Behavior

The platform includes a default policy that automatically triggers content inspection and capture for specific user actions involving data in motion. This default behavior provides a baseline level of visibility and security for standard data activities.

  • This default policy is always enabled and cannot be modified or disabled.
  • For a detailed list of user actions that trigger this default behavior, see [Coverage for Tags Inspection, Content Inspection, and Content Capture](/Knowledge Base/Platform/Content Inspection/coverage-tags-content-inspection).

Enhancing Default Behavior with Content Inspection Policies

Content Inspection Policies enable you to enhance and customize the platform's built-in content inspection and capture behavior. These policies allow for granular control and targeted application beyond the default coverage.

  • Targeting specific content for inspection: While the default policy covers common content movement actions, Content Inspection Policies enable inspection under additional, specific conditions not triggered by default.
    • Use case 1: Inspect data containing sensitive information (PCI, PII, HIPAA) irrespective of user or destination to maintain compliance.
    • Use case 2: Inspect proprietary documents or source code transfers, even if these actions do not trigger warnings or blocks through Data Protection Policies.
  • Selective content capture: Content Inspection Policies allow you to decouple inspection from capture, providing greater flexibility, as previously all content sent for inspection was also captured.
    • Use case 1: Reduce storage costs by capturing only the content that is deemed sensitive or relevant to an investigation. For example, you might inspect all outgoing emails for sensitive data but only capture the content of emails that contain highly confidential information.
    • Use case 2: Improve incident response by focusing on capturing content related to specific high-risk activities or users. For example, capturing all content moved by users in a "high-risk" group, or any content that matches a "critical company secrets" dataset.
  • Expanding visibility without alerts: Content Inspection Policies are ideal for gaining visibility into sensitive content flows without impacting user experience or generating alerts.
    • Use case: You can configure a policy to inspect all content related to a new project or sensitive internal initiative. This allows you to understand how that data is being used and moved without immediately blocking user actions.
  • Proactive detection of potential exfiltration: Content Inspection Policies can be set to scan content in advance of events that might indicate data exfiltration. This capability, when combined with Data Protection Policies, allows for real-time blocking informed by the content inspection results.

Policy Exclusions

Policy exclusions are used to create exceptions to your policy's inclusion criteria. By adding a saved query as an exclusion, you can prevent a policy from matching events that meet your exclusion criteria.

  • An event is considered a policy match only if it meets all inclusion criteria defined on the Match tab and does not match any of the exclusion rules defined on the Exclude tab.
  • To add an exclusion, navigate to the Exclude tab within your policy and select a saved query from the list.
  • Exclusions are created and managed separately on the Saved Queries tab under Object Management. This allows for reusable exclusion criteria across multiple policies.

:::info Notes

  • This feature requires endpoint sensor version 25.09.01 or later.
  • Policies with saved query exclusions cannot be saved if any sensors in the environment are running older versions.
  • The console automatically validates sensor versions when attempting to save policies that include saved query exclusions.

:::
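To make the matching rules in this section and in the Content Inspection Policies section above concrete, here is an added Python model (not the platform's own code or API; the field names, policy shapes and the set of default-inspected actions are assumptions). It shows that a Data Protection Policy matches only when every Match criterion holds and no Exclude saved query hits, that a Content Inspection Policy adds inspection or capture on top of the default behavior without creating an incident, and that an event matched only by a Content Inspection Policy stays Unmatched.

```python
from dataclasses import dataclass, field

# Constructed model of the matching rules this page describes; field names, policy
# shapes and the default-action set are illustrative assumptions, not the platform's schema.

@dataclass
class Event:
    user_group: str
    action: str
    datasets: frozenset = frozenset()  # datasets the inspected content matched

@dataclass
class Policy:
    name: str
    kind: str                    # "protection" or "inspection"
    match: dict                  # inclusion criteria (Match tab); all must hold
    exclude: list = field(default_factory=list)  # saved queries (Exclude tab)
    response: str = "monitor"    # protection only: monitor / warn / block
    inspect: bool = False        # inspection only
    capture: bool = False        # inspection only

def query_hits(query, ev):
    # A saved query hits when every criterion in it holds on the event.
    for key, wanted in query.items():
        have = getattr(ev, key)
        ok = bool(wanted & have) if isinstance(have, frozenset) else have == wanted
        if not ok:
            return False
    return True

def policy_matches(p, ev):
    # Match only if all inclusion criteria hold AND no exclusion query hits.
    return query_hits(p.match, ev) and not any(query_hits(q, ev) for q in p.exclude)

# Assumed baseline: actions the always-on default policy inspects and captures.
DEFAULT_ACTIONS = frozenset({"upload", "email_send"})

def evaluate(policies, ev):
    base = ev.action in DEFAULT_ACTIONS
    result = {"status": "Unmatched", "incidents": [], "inspect": base, "capture": base}
    for p in [p for p in policies if policy_matches(p, ev)]:
        if p.kind == "inspection":
            # Adds to the default behaviour only; never creates an incident or changes status.
            result["inspect"] |= p.inspect
            result["capture"] |= p.capture
        else:
            result["status"] = "Matched"
            result["incidents"].append((p.name, p.response))
    return result
```

A finance upload of PCI data is excluded by the saved query and therefore creates no incident, while still being inspected and captured by the default policy.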