You can create data-in-motion policies to identify, control, and protect sensitive information as it moves across networks, between systems, or to devices.
Each rule defines an action (Allow, Block, or Report) that applies to data moving from a specified source to a web destination. Rule conditions must include the channel destination, the data profile, and the type of data being accessed or moved. You can also configure responsive user dialogs for enforced events, customized per rule.
To create a data-in-motion rule:
In → → → click Create New Rule.
On the General page:
Enter a unique name and description.
Choose the Action to implement when the rule criteria are met, such as blocking the transfer or notifying relevant parties.
Select the Action for Partial Classification to implement when partial classification occurs. Partial classification refers to a situation where the classification process is incomplete, such as due to a timeout or classification failure.
Select the Severity of the rule you are creating.
Selecting Informational logs the activity without interfering with the user’s workflow.
Enter a Raised Issue Name that will be used as the name for the issue created as a result of policy breaches.
Select to Disable/Enable Rule as required.
On the Context & Data page:
For Source, select the Custom Web Application Groups.
The source is the origin of the data, whether it resides on a local drive (such as a PDF on a laptop) or within a web application (such as a file in OneDrive).
Without a defined source, this rule applies to every file by default. You can make the policy more targeted by selecting a specific source.
Note
Third-party application behaviour:
When a file upload is blocked, the local application may display its own generic error message in response to the DLP restriction. In similar cases, some third-party applications might still proceed by sending a dummy file or an error placeholder instead of the actual data.
For Destination, select the relevant Application Groups. Refer to Create endpoint application groups for more information.
Selecting Allow corporate accounts users to upload lets corporate account users bypass the Block rule action and upload data from the web application.
USB Channel: Select File Write/Copy to USB to enforce the rule on the USB device.
For Data Scope, select the relevant Data Profile.
Note
To maximize data security, if you use Microsoft Purview for extensive manual and automated file classification tagging and are looking to integrate those labels directly with the DLP policies to trigger protective actions based on a file's sensitivity, refer to How to use information protection labels in Cortex Cloud Data Security.
On the Target page:
For Rule Target, select the endpoints to which this rule will apply.
Note
Distribution of the Endpoint DLP package is restricted to agents assigned to the data-in-motion policy. This ensures that only endpoints requiring DLP functionality are affected, rather than all eligible endpoints in the tenant.
On the User Interaction page, you can add the default pop-up message for each of the following events.
For End User Dialog, toggle ON/OFF to manage whether users see a message when the policy is violated.
In the Title, enter the default name for the dialog.
In the Body, enter the message to display in the dialog. You can choose to use the system's default text. This is also relevant for Reporting Mismatch and Rule Override.
If enabled, the Rule Override allows the user to override the block policy and temporarily retry the operation (to move the file again) to complete the action. The user's response is recorded as part of the Issue.
In the Admin Email Link, enter the default admin email that will be added to the body.
In the Dialog Main Button Label, enter the text to use for the button to close the window.
Click Next to create the rule.
In the Data-In-Motion Rules table, click Save; or, to change the rule's priority first, move the rule up or down in the table and then click Save.
Rule priority
Cortex processes these rules sequentially from top to bottom. To ensure the correct outcome, place Allow rules above Block rules.
As soon as a first match is found for a data movement event, that rule's action is applied, and no other rules are evaluated for that specific event. Each matched event creates an Issue, and the total number of issues appears as Hits in the rules table.
Modify rule priority by dragging rules. If a conflict arises while setting a rule's priority, for example, if another user updates the policy simultaneously, Cortex saves the rule as a draft to prevent loss of your work.
Example: Creating a data-in-motion rule
An employee at Company X sends an attachment containing financial information to the personal email address of another employee. This action violates the company’s data handling policy.
To help prevent this, you can create a data-in-motion rule with the following configuration:
| Field | Description | Example user input |
|---|---|---|
| Rule Name | Provide a descriptive name for easy referencing. | Prevent Financial Data Transfer |
| Action | Specifies how data movement is controlled. Possible actions are: Block, Allow, or Report. | Block |
| Partial Classification | Select a fallback action if classification fails or exceeds a time threshold. | Block |
| Severity | Choose the severity level that the Issue will trigger. Possible options are: Critical, High, Medium, Low, Informational. | High |
| Raised Issue Name | The name appears on the Issues page when filtering for Endpoint DLP Issues. | Blocked Financial File Transfer |
| Source | The web application group the data transfer originates from. You can create and manage these custom groups to suit your preferences. | drive.google |
| Destination | Choose where the data is moving to. Possible options are: None, Any, Specific web application group. | Web Application Group |
| Local Application Groups | Select apps through which users might transfer sensitive data. | Zoom, Slack, TeamViewer, and WhatsApp. |
| Data Profile | Data Profiles are templates that define what kind of sensitive data to detect. Select the data profile the rule applies to. For more information, see How to create and validate a custom data profile. | PHI, CCN (Credit Card Numbers), Financial, and PII. |
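To make the first-match ordering in the Rule priority section concrete, the following is an added Python model, not Cortex code, of the evaluation semantics described on this page (top to bottom, first match wins, partial-classification fallback, corporate-account bypass of a Block, one Issue per matched event counted as Hits), exercised with the example rule from the table above. The Rule and Event field names, the constructed approved-finance-portal destination and local-drive source, reading an unset destination as "any", and the way an incomplete classification is resolved are assumptions of this illustration.

```python
"""Illustrative first-match model of data-in-motion rule evaluation (added example, not Cortex code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    name: str
    action: str                        # Allow, Block or Report
    partial_action: str                # fallback when classification is incomplete
    severity: str
    raised_issue_name: str
    data_profiles: frozenset           # profiles the rule looks for, e.g. {"Financial"}
    source: Optional[str] = None       # None: rule applies to every file (page default)
    destination: Optional[str] = None  # None: any destination (assumption of this model)
    allow_corporate: bool = False      # "Allow corporate accounts users to upload"
    enabled: bool = True
    hits: int = 0                      # one Issue per matched event, shown as Hits


@dataclass
class Event:
    source: str
    destination: str
    profiles: Optional[frozenset]      # None: classification timed out or failed
    corporate_account: bool = False


@dataclass
class Issue:
    raised_issue_name: str
    severity: str
    action: str
    rule: str


def _context_matches(rule: Rule, event: Event) -> bool:
    """Source/destination conditions; an unset condition matches anything."""
    return (rule.enabled
            and (rule.source is None or rule.source == event.source)
            and (rule.destination is None or rule.destination == event.destination))


def evaluate(rules: list, event: Event) -> Optional[Issue]:
    """Walk the rules top to bottom; the first match decides and evaluation stops."""
    for rule in rules:
        if not _context_matches(rule, event):
            continue
        if event.profiles is None:
            # Assumption: with incomplete classification the data-profile condition
            # cannot be decided, so the rule's partial-classification action applies.
            action = rule.partial_action
        elif rule.data_profiles & event.profiles:
            action = rule.action
        else:
            continue  # context matched but the data profile did not
        if action == "Block" and rule.allow_corporate and event.corporate_account:
            action = "Allow"  # corporate-account bypass of the Block action
        rule.hits += 1  # each matched event creates an Issue
        return Issue(rule.raised_issue_name, rule.severity, action, rule.name)
    return None  # no rule matched: no Issue is raised


def make_rules():
    # Block rule from the example table above; "any destination" is an assumption.
    block_financial = Rule(
        name="Prevent Financial Data Transfer", action="Block", partial_action="Block",
        severity="High", raised_issue_name="Blocked Financial File Transfer",
        data_profiles=frozenset({"PHI", "CCN", "Financial", "PII"}),
        source="drive.google", allow_corporate=True)
    # Constructed Allow rule for an approved destination (not from the page).
    allow_portal = Rule(
        name="Allow approved finance portal", action="Allow", partial_action="Block",
        severity="Informational", raised_issue_name="Approved Financial Transfer",
        data_profiles=frozenset({"Financial"}),
        source="drive.google", destination="approved-finance-portal")
    return allow_portal, block_financial


def ordering_outcomes() -> dict:
    """The same event is allowed or blocked depending only on rule order."""
    to_portal = Event("drive.google", "approved-finance-portal", frozenset({"Financial"}))
    results = {}
    allow_rule, block_rule = make_rules()
    results["allow_above_block"] = evaluate([allow_rule, block_rule], to_portal).action
    allow_rule, block_rule = make_rules()  # fresh copies so Hits start at zero
    results["block_above_allow"] = evaluate([block_rule, allow_rule], to_portal).action
    results["hits_after_block_first"] = (block_rule.hits, allow_rule.hits)
    return results


def edge_case_outcomes() -> dict:
    """Partial classification, corporate bypass, and an event no rule covers."""
    rules = list(make_rules())
    partial = Event("drive.google", "personal-mail.example", None)
    corporate = Event("drive.google", "personal-mail.example", frozenset({"PII"}), corporate_account=True)
    unrelated = Event("laptop-local-drive", "personal-mail.example", frozenset({"Financial"}))
    return {
        "partial_classification": evaluate(rules, partial).action,
        "corporate_bypass": evaluate(rules, corporate).action,
        "no_matching_source": evaluate(rules, unrelated),
    }


if __name__ == "__main__":
    print(ordering_outcomes())
    print(edge_case_outcomes())
```

Running the file shows the point of the priority guidance: with the Allow rule above the Block rule the transfer to the approved destination is allowed, and with the order reversed the identical event is blocked and the Allow rule is never reached, which is why it shows zero Hits. The edge cases show the partial-classification fallback firing when no profile could be determined, and the corporate-account setting turning a Block into an Allow for a corporate user only.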