Data Loss Prevention

  • 1.  Exceptions with MATCH COUNT

    Posted Oct 30, 2013 11:00 AM

    I'd like to add an exception to a policy where a certain keyword exists AND the Match Count is 3 or less.

    It is easy to create an exception that meets a minimum match count, but how about an exception with a maximum match count?

    Thanks,

    Bob.



  • 2.  RE: Exceptions with MATCH COUNT

    Posted Oct 30, 2013 11:16 AM

    Couldn't you create the rule for 4+ instances?



  • 3.  RE: Exceptions with MATCH COUNT

    Posted Oct 30, 2013 11:39 AM

    I still want the rule to fire for 1, 2, 3 matches - but not if there is a specific keyword in one of the matched components.



  • 4.  RE: Exceptions with MATCH COUNT
    Best Answer

    Posted Oct 30, 2013 01:49 PM

    I guess I could create 2 policies in the same group.  One policy has a rule with a Match Count with a minimum of 4 and NO keyword exceptions.  The second policy would have a rule with no minimum on the match count and DOES have the keyword exception.

    I don't like the idea of having to maintain 2 policies with almost identical rules...



  • 5.  RE: Exceptions with MATCH COUNT

    Posted Oct 30, 2013 02:02 PM

    Can you use the match count to set the severity and then use a response rule to delete the incidents you don't want?  So set the severity to Info and have a response rule for the policy that deletes all incidents with Info severity.  A bit kludgy but should work.

     



  • 6.  RE: Exceptions with MATCH COUNT

    Posted Oct 30, 2013 02:11 PM

    I've done something similar to "close" incidents I don't care about, but that doesn't take the Keyword exception into account.



  • 7.  RE: Exceptions with MATCH COUNT
    Best Answer

    Posted Oct 30, 2013 03:36 PM

    Bob, I've had to create two policies for the same rules - 1 for TLS recips and 1 for non-TLS recips to encrypt.  Wasn't happy about it but it works and the business didn't mind.