Inspection Policies
This article explains how to create, apply, and manage Cyberhaven inspection policies in Object Management.
Adding a New Policy
Inspection policies are a new type of policy that can only be configured under Object Management > Inspection Policies.
- Click Add new policy, then click Create new policy.
- On the Create new policy page, enter a name and description for the new policy.
- Select specific datasets to which you want to apply the policy.
- Under Action, select Content inspection, Content capture, or both.
- Define the policy conditions on the Match tab and adjust them based on the metrics displayed in the Performance panel.
- On the Exclude tab, select and apply pre-configured saved queries to prevent the policy from matching specific events. These queries are created in the Saved Queries tab.
- Click Apply and then click Save changes to save the policy.
- Use the sort option in the Last Modified column to quickly find the policy you recently created.
Applying a Policy
When you create a new Inspection Policy, it is enabled by default. An enabled policy is not applied automatically: you select which enabled policies apply to each deployment group.
To apply a Content Inspection Policy to data in motion events:
- Navigate to Endpoint Sensors > Deployment Group Settings.
- In the Content Inspection column, click the Edit button for a specific deployment group.
- In the Content Inspection pop-up window, select the custom Content Inspection Policies you want applied to data in motion.
Editing and Managing Policies
Editing a Policy
- Click the Actions menu of the policy and select Details. The current policy configuration is displayed on the policy page.
- Click Edit policy. As you modify the policy, the Performance panel dynamically updates to show you how your changes would affect event matching.
- Click the links for individual metrics (Events, Locations, Users, and Datasets) to review the changes.
- After reviewing your edits, click Save changes. Changes to a policy take effect immediately on new events.
Policy Actions
You can take the following actions on a policy:
- Enable/Disable: Use the toggle to enable or disable policies. When a policy is disabled, it will not be triggered during a user action, and content inspection or capture will not occur.
- Duplicate: Enter a name for the new policy in the dialog box and click on the Duplicate policy button to create a new policy using the settings of the selected policy.
- Delete: The policy is permanently deleted from this page and will no longer apply to new events.
Critical Setup Note
- By default, only the Cyberhaven Inspection Policy (the default policy) is enabled. Custom policies must be manually selected per deployment group.
- You cannot disable the default content inspection policy.
- The "Opened File" action is not supported in Inspection policies because file open events cannot be reliably linked to inspection and blocking.