Protection Policies

This article guides you through creating, editing, and maintaining Cyberhaven protection policies on the Object Management > Protection Policies screen.

Adding a New Protection Policy: Procedural Flow

1. Initial Policy Setup and Response

  1. Click Add new policy and select a predefined template, or click Proceed without template.
  2. On the Creating new policy screen, enter the Name and Description for the policy.
  3. Under Applied to, choose to apply the policy to Dataset or Sensitivity.
  4. Optionally, use the Restrict to user risk group (optional) field to target a specific user risk group.
  5. Select a Severity rating from the dropdown menu.
  6. Select a Response action: Monitor, Warn, or Block.

2. Incidents, Notifications, and Secondary Actions

Configure how the system responds to the policy match in the Incidents and Actions sections.

Incident Creation and Notifications

  1. Incidents: Choose from Always create incidents, Let Linea AI decide whether to create incidents, or Never create incidents.
Note: Incident creation is mandatory when or is selected.

  2. Toggle Send email notifications to notify administrators when the policy is violated. You will be prompted to enter a list of email recipients (one per line).

Secondary Actions

  1. Toggle Record screenshots to enable screenshot capture for this policy. This option is available when Warn or Block is selected.
  2. Under Actions, toggle Content capture.

3. Configuring Response Message and Policy Dampening

These settings customize the end-user experience and control how often warning messages are displayed.

Response Message Setup

  1. If you selected Warn or Block, click Setup response message to open the configuration dialog.
  2. Customize the message text in the preview box.
  3. Select desired Message preferences:
    • Show the dialog title.
    • Require the user to provide a justification.
    • Allow the user to request a policy review.
    • For Block policies only, allow the user to override blocking.
    • Redirect the user to a website after closing the popup.

Policy Dampening

  1. If you select the Warn response, toggle Only show the message once per time period to enable policy dampening. This allows you to configure a throttling duration (for example, 15 minutes, 1 hour, 1 day) to control how often a user sees the warning message.
Note: Policy dampening is currently available for Windows endpoints.

4. Defining Conditions and Finalizing Setup

  1. Click Advanced settings to specify whether the policy should Apply policy changes to past events in addition to new events.
  2. Define the policy matching conditions on the Match tab.
  3. On the Exclude tab, select and apply pre-configured saved queries to prevent the policy from matching specific events.
  4. Click Apply and then Save changes to finalize the policy.
  5. Use the sort option in the Last Modified column to quickly find the policy you recently created.

Editing and Managing Policies

The Protection Policies tab displays all the configured protection policies. On this tab, you can add, view, edit, duplicate, delete, and enable or disable policies.

Editing a Policy

  1. Click the Actions menu of the policy and select Details to view the current configuration.
  2. Click Edit policy. As you modify the policy, the Performance panel dynamically updates to show how your changes affect event matching, including which past events would match under the new conditions.
  3. Click the links for individual metrics (Events, Locations, Users, and Datasets) to review the changes.
  4. After reviewing your edits, click Save changes. Changes take effect immediately for new events.

Policy Actions

  • Enable/Disable: Use the toggle to enable or disable policies. When a policy is disabled, it is not enforced on new events, but previously matched events remain associated with it.
  • Duplicate: Enter a name for the new policy and click Duplicate policy to create a copy using the selected policy’s settings.
  • Delete: Permanently remove the policy so it no longer applies to new events.

Critical Knowledge for Policy Setup

macOS Blocking Behavior

Blocking policies on macOS apply only to applications included in an approved list (Default List or Extended List) or explicitly approved apps. Any application not on an approved list will not be blocked by policy.

Saved Query Exclusions Requirement

The policy exclusion feature requires endpoint sensor version 25.09.01 or later. Policies with saved query exclusions cannot be saved if any sensors in the environment run older versions. The console automatically validates sensor versions when attempting to save policies that include saved query exclusions.
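The following is an added illustration of the kind of fleet-wide version gate described above, written to show why a save can fail even when most sensors are current. It is not Cyberhaven code; the function names and the constructed sensor inventory are assumptions. The only value taken from the page is the minimum version 25.09.01.

```python
"""Illustration of the sensor-version gate for saved query exclusions.
Added example, not Cyberhaven code; inventory and function names are assumed."""

REQUIRED_VERSION = (25, 9, 1)  # 25.09.01, the minimum stated on the page


def parse_version(text: str) -> tuple:
    """Parse a dotted version numerically, so zero-padding does not matter
    ('25.9.1' equals '25.09.01') and '25.100.0' sorts above '25.99.0',
    which a plain string comparison would get wrong."""
    return tuple(int(part) for part in text.strip().split("."))


def validate_exclusion_save(sensors: dict, uses_saved_query_exclusions: bool) -> tuple:
    """Return (ok, blocking_sensors).

    Only policies that include saved query exclusions are gated; a policy
    without them saves regardless of sensor versions. A single sensor below
    the minimum is enough to block the save, so the offending hosts are
    returned to make the failure actionable."""
    if not uses_saved_query_exclusions:
        return True, []
    blocking = sorted(
        host for host, ver in sensors.items()
        if parse_version(ver) < REQUIRED_VERSION
    )
    return len(blocking) == 0, blocking


# Constructed inventory (hostnames and versions are made up for the example)
SAMPLE_SENSORS = {
    "ws-001": "25.09.01",  # exactly the minimum: allowed
    "ws-002": "25.10.03",
    "ws-003": "25.08.14",  # too old
    "ws-004": "24.12.01",  # too old
}

if __name__ == "__main__":
    ok, offenders = validate_exclusion_save(SAMPLE_SENSORS, uses_saved_query_exclusions=True)
    print("save allowed:", ok, "blocking sensors:", offenders)
```

In practice the actionable output is the list of hosts still on an older sensor: upgrade those before retrying the save, or save the policy without the saved query exclusion until the fleet is current.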

Policy Management Recommendations

Enable updates to past events judiciously for specific datasets or policies when you want to:

  • Correct the classification of the data historically, or
  • Retroactively investigate past activity with updated policies.