Skip to main content
McAfee MVISION Cloud

DLP Policy Response Actions

Response Actions define behaviors taken once a policy is triggered. By default, every policy creates an incident that appears in MVISION Cloud. If an event, message, or document triggers more than one policy, an incident is generated for each corresponding policy. But, the response to the document reflects the more restrictive policy. For more information, see DLP Policy Incident Statuses.

Response Actions can be conditionally executed depending on the Severity of the Rule Group that was triggered.

API Actions




Quarantines the file by placing it in the “Quarantine” folder in an administrator account and leaves a tombstone file. An email might be sent to the user if configured to do so. 


Deletes the file and leaves a tombstone file. An email might be sent to the user if configured to do so. 

Remove shared link

Prevents outside collaborators from accessing the shared link. The linked file or folder is not affected.

Send email notification to Sends an email to the specified user regarding the policy violation
Apply Classifications Applies a Classification to a file in Box or SharePoint. 
Block Email Blocks the email from being delivered to the recipient.  Leaves the email in the sender's Sent Messages folder.  An email might be sent to the user if configured to do so.  


Deletes the file that triggers the encrypt response and replaces it with an encrypted version. A file can only be decrypted through our cloud-hosted reverse proxy.

Apply DRM Applies DRM (Digital-Rights-Management) protection to files with sensitive content.

User Email Notification

Sends a predefined email to the user triggering the DLP rule with details regarding the policy violation.

Send Bot Notification Sends an in-app notification, from a bot registered by MVISION Cloud to the user triggering the DLP rule.
User Bot Notification Sends an in-app notification to the user interacting with the bot.

Modify permissions to

Modifies the permission of a share/collaboration event within the service to None, View Only, or Editor. This action only takes effect when there are User Action rules defined in the policy.

Add Email Header Adds an extra header to the email before sending it out in inline mode. The user creates a header by inputting a key-value pair (<key>, <value>). These headers are added to the email. If the key specified in the policy is already present in the header, the value specified in the policy is appended to the email header.


Proxy Actions



Send email notification to

Sends an email to a predefined address or distribution list that contains details regarding the anomalous action.

Block Transfer

Prevent the transmission of the file from within your network to Box


Encrypts the file inline via the Reverse Proxy.  This requires the Reverse Proxy to decrypt the file on download.



Response Action Precedence

The following table describes the precedence order of Response Actions. 

Response Action Precedence
Delete 1
Quarantine 2
Modify Permissions to None 3
Modify Permissions to View Only 4
Modify Permissions to Edit 5
Remove Shared Link 6
Encrypt 7
Email Notification 8
User email Notification 9
User Slack Notification 10
Send Slack Notification 11
Apply Classification 12
Incident Default
  • Was this article helpful?