
DLP Response rules

Created: 18 Jan 2011 | 5 comments

We have SMTP response rules set up, but do NOT want to receive email notifications on incoming emails that contain flagged content. We are only concerned about outbound violations of policies. There are ways to filter incidents by IP address when looking at the Incident view. I don't see anything similar in the Response Rules, only the Protocol or Endpoint Destination condition, only by SMTP.

Is there a way to get an email notification ONLY on outbound incidents or base it off of IP address?


Naor Penso wrote:

There are ways to filter out the IPs you do not wish to enforce policy upon.

But I think that you shouldn't filter out the mails within the DLP, since it would still create work processing the mails (just to discover that they should be dropped).

I suggest you check the rule on the MTA (mail relay) and change it to forward only outbound SMTP traffic to the Network Prevent for Email server. That way the DLP server would only scan outbound mails and be faster.

If you need assistance with the MTA, let me know which MTA you are using and I will try and find the correct guide for that MTA.

Kind Regards,

Naor Penso

For Forum threads, please click "Mark as Solution" if answered.
For all content, please give a thumbs up if you agree with or support the post.
Thanks :)

JamieMurdock wrote:

Thank you for the recommendation; however, we are in a monitor-only mode and don't have Network Prevent enabled (we're not in-line, but on a spanned port). My main question is if there is any way to filter only outbound incidents in the response rules. I have a filter on incidents based on source IP and didn't know if there was anything similar for the Response Rules.


Bryan Brannnigan wrote:

When we were in monitor-only mode, we only created incidents for outbound emails by defining a list of domains that we send email as. We have restrictions in our MTA that only let a known list of domains out; therefore we didn't have to worry about someone sneaking by the monitoring.

Naor Penso wrote:

First of all, I have not fully understood; I thought that you have Network Prevent for Mail (for general knowledge, the component does not block anything unless told to; furthermore, it could be used as a monitoring device as well).

Secondly, if you are using Network Monitor, then the configuration of the SPAN port delivers inbound and outbound traffic, and you can configure the mirroring for outbound traffic only.

About your question, the methodology used in the building of policies is this:

Information -> Policy -> if positive, then an incident is triggered -> the action you wish to take on that incident (AKA response)
                      -> if negative, then an incident is not triggered -> nothing happens.

You can design two responses, one for inbound traffic and one for outbound, but you will assign them to different policies. Remember that the incident is triggered by the policy, thus if you wish to ignore inbound traffic you would do so in the policy and not the response.

Kind Regards,

Naor Penso


Keith Reynolds - ExchangeTek wrote:

Lots of ways to skin this cat, but I'd start with questioning why you're monitoring inbound email at all with DLP. You probably already know that there are IP and L7 filters on the SMTP Protocol for your Network Monitor which could effectively eliminate inbound email from inspection altogether.

If you're going to monitor that traffic, then I'd suggest you do what you want through Severity assignment, and keep one policy. Clearly, since the volume of inbound email is probably overwhelming from an incident perspective, you should be setting these to a severity of "Info", as I can't imagine anyone is reviewing these incidents actively. If that's the case, and using an SSN rule as an example, the policy could look like this:

Policy Name: SSN via SMTP

Rule 1: Inbound SSN
  Severity: Info
  Rule: Data Identifier for SSN -AND- Protocol = SMTP

Rule 2: Outbound SSN
  Severity: High
  Rule: Data Identifier for SSN -AND- Protocol = SMTP -AND- Sender/User Matches Pattern: *

Then, your email response can be set to send under the condition that the incident severity is "High". Info-level SSN incidents over SMTP (which is now essentially anything that isn't coming from your domain) won't get a response.

The key here is that the highest severity for all rules matched will be assigned to the incident. While an "outbound" email will match both rules 1 & 2, it will get the highest severity, which is based on the match against rule 2. An "inbound" email (one not from your domain) will only match rule 1 and hence gets an "Info" severity, which won't get a response (based on your response rule configuration).

I think this is cleaner than having two policies, since you're still going to need another SSN policy in this case to look at the other protocols.


p.s. If you do this, do yourself a favor and set up a custom attribute which you assign a value of either "inbound" or "outbound" to through an auto-response rule based on severity.  You'll be able to report on this activity a little better through summarization, and it's more obvious to an end user.
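The single-policy design above (two rules, highest matched severity wins, notification only on "High", and a direction attribute set from the severity) can be checked in a small simulator. This is an added illustration, not code from the thread or from the DLP product; the SSN identifier is a simplified constructed regex, and the "Sender/User Matches Pattern" for rule 2 is assumed to be the company's own domain (example.com), which the post leaves unspecified.

```python
import re
from dataclasses import dataclass

# Constructed, simplified SSN data identifier (a real identifier
# applies more validation; this one only rejects obviously invalid groups).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
SEVERITY_RANK = {"Info": 1, "Low": 2, "Medium": 3, "High": 4}

# Assumption: rule 2's sender pattern is the organisation's own mail domain.
INTERNAL_SENDER_PATTERN = re.compile(r"^[^@\s]+@example\.com$", re.IGNORECASE)

@dataclass
class Message:
    sender: str
    protocol: str
    body: str

@dataclass
class Incident:
    severity: str
    matched_rules: list
    direction: str   # the custom attribute suggested in the P.S.
    notify: bool     # whether the "send email" response fires

def rule_inbound_ssn(msg):
    # Rule 1: SSN data identifier AND Protocol = SMTP
    return msg.protocol == "SMTP" and bool(SSN_RE.search(msg.body))

def rule_outbound_ssn(msg):
    # Rule 2: rule 1's conditions AND sender matches the internal domain
    return rule_inbound_ssn(msg) and bool(INTERNAL_SENDER_PATTERN.match(msg.sender))

RULES = [("Inbound SSN", "Info", rule_inbound_ssn),
         ("Outbound SSN", "High", rule_outbound_ssn)]

def evaluate(msg):
    """Return an Incident (or None) using 'highest matched severity wins'."""
    matched = [(name, sev) for name, sev, fn in RULES if fn(msg)]
    if not matched:
        return None
    severity = max((sev for _, sev in matched), key=SEVERITY_RANK.__getitem__)
    notify = severity == "High"                       # response rule condition
    direction = "outbound" if severity == "High" else "inbound"
    return Incident(severity, [n for n, _ in matched], direction, notify)
```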