Data Loss Prevention

  • 1.  Doubt in Detection Rules for a DCM Policy

    Posted Jul 11, 2016 05:53 AM

    Hello All,


    I'm wondering if it's possible to tell DLP not to look for more DCM rules inside the same policy if it finds a match in the first rule or compound rule. For instance, there is a policy that looks for keyword QWERTY or XYZ, and if a document contains both keywords DLP would generate just the incident based on the first rule.

    The idea is to have more efficient policies and also to avoid more data extraction (better agent performance, etc.).

    I've been doing some research on it lately but I haven't found anything relevant.

    Is it possible to do something like that? Do you think it could bring considerable gains?


    Best regards,

    Morgado



  • 2.  RE: Doubt in Detection Rules for a DCM Policy

    Posted Jul 12, 2016 04:33 PM

    If you configure your rules with an 'or' separator you generate an incident on the first match.

    Rule 1 = QWERTY

    OR

    Rule 2 = XYZ

    First one hits, wins.

    It seems simple so maybe I missed the point?



  • 3.  RE: Doubt in Detection Rules for a DCM Policy

    Posted Jul 20, 2016 08:47 AM

    Thanks for your comment.

    Using your/my example above, if a doc contains QWERTY and XYZ the incident will show a match on both keywords, differing only in the name of the detection rule. So my question is: is it possible to tell DLP, as soon as it finds a match (in this case QWERTY), to stop the detection (ignore the other detection methods)? The idea, as stated before, is to decrease the resources used by the DLP agent (e.g. data extraction, etc.).
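    The two replies above are talking past each other: "first one hits, wins" describes whether an incident is raised, while the follow-up is about whether the engine keeps evaluating the remaining rules after the first hit. The following toy evaluator is an added illustration, not code from this thread and not Symantec DLP's detection engine; it uses the rule names and keywords from the thread, and the per-rule cost weights, the sample documents and the case-insensitive whole-word matching are assumptions made for the example. It shows the same two-rule OR policy run both ways so the difference in rules evaluated, matches reported and cost spent is visible on a document that contains both keywords.

```python
"""Toy model of two evaluation strategies for a multi-rule keyword policy.

Constructed illustration only: this is NOT Symantec DLP's engine, and the
numbers it reports say nothing about the real agent. It makes concrete the
distinction between "an incident is raised on the first match" and "every
rule is still evaluated and reported after the first match".
"""
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    keywords: tuple      # assumption: a rule matches if any keyword is present
    cost: int = 1        # assumed relative cost of evaluating this rule


@dataclass
class Result:
    incident: bool = False
    matched_rules: list = field(default_factory=list)  # [(rule name, [hits])]
    rules_evaluated: int = 0
    cost_spent: int = 0


def _rule_hits(rule, text):
    """Return the keywords of `rule` found in `text` (case-insensitive, whole word)."""
    return [kw for kw in rule.keywords
            if re.search(r"\b" + re.escape(kw) + r"\b", text, re.IGNORECASE)]


def evaluate(rules, text, stop_at_first_match):
    """Evaluate an OR policy over `text`.

    stop_at_first_match=False: every rule is evaluated and every matching rule
    is reported (one incident, several matched rules).
    stop_at_first_match=True: evaluation short-circuits after the first rule
    that matches; later rules are neither evaluated nor reported.
    """
    res = Result()
    for rule in rules:
        res.rules_evaluated += 1
        res.cost_spent += rule.cost
        hits = _rule_hits(rule, text)
        if hits:
            res.incident = True
            res.matched_rules.append((rule.name, hits))
            if stop_at_first_match:
                break
    return res


# The policy from the thread: Rule 1 = QWERTY OR Rule 2 = XYZ.
POLICY = [Rule("Rule 1", ("QWERTY",), cost=1),
          Rule("Rule 2", ("XYZ",), cost=3)]

# Constructed sample documents (not from the thread).
DOC_BOTH = "Project codename QWERTY; fallback identifier XYZ."
DOC_SECOND_ONLY = "Only XYZ appears in this one."
DOC_CLEAN = "Nothing of interest here."


def compare(text):
    """Run both strategies on one document and return (exhaustive, short_circuit)."""
    return (evaluate(POLICY, text, stop_at_first_match=False),
            evaluate(POLICY, text, stop_at_first_match=True))


if __name__ == "__main__":
    for label, doc in (("both keywords", DOC_BOTH),
                       ("second keyword only", DOC_SECOND_ONLY),
                       ("clean", DOC_CLEAN)):
        full, short = compare(doc)
        print(f"{label}:")
        print(f"  exhaustive   : {full}")
        print(f"  short-circuit: {short}")
```

Note that short-circuiting only saves work when an early rule matches; on a clean document (the common case) both strategies evaluate every rule, so ordering cheap, high-hit-rate rules first is what actually reduces cost, and a short-circuiting engine also hides which later rules would have matched.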



  • 4.  RE: Doubt in Detection Rules for a DCM Policy

    Posted Aug 04, 2016 07:09 AM

    up!