Data Loss Prevention

  • 1.  Exclude internal>internal lotus notes email - endpoint

    Posted Jan 12, 2016 12:21 PM

    Hello,

    Trying to slim down the noise and exclude any internal to (only) internal emails (if sent to more than one person and at least one is not within the company, the incident should be flagged).

    I followed the steps in this article and it is working for Network incidents.

    https://www-secure.symantec.com/connect/articles/create-dlp-policy-add-exception-ignore-emails-send-internal-users

    But it is not working on the Endpoint side. We use lotus notes and from what I see, endpoint captured smail/smtp traffic is logging as

    sender/user: company-countrycode/userid

    recipient: username/countrycode/domain/companyname

    I tried to add another exception to the policy in the same fashion as above but for

    user/sender used -  companyname-*

    and for

    recipient used-  */companyname

    this did not seem to do the trick.

    Anyone solve a similar problem or can point me in the right direction?

    Thank you.



  • 2.  RE: Exclude internal>internal lotus notes email - endpoint

    Posted Jan 12, 2016 05:01 PM

    Sorry, I need to clarify my statement. I tried the information in the link; obviously it did not work for network since that is only getting the traffic that is leaving/coming, but it did not work on endpoint due to my specifications above.



  • 3.  RE: Exclude internal>internal lotus notes email - endpoint

    Posted Apr 14, 2016 08:47 AM

    Hello,

    Filtering sender/recipients with lotus notes on the endpoint is a little tricky.

    The DLP system expects something looking like a mail address (without spaces, backslashes and other special characters).

    On the endpoint the addresses are still in a Lotus format and do not look like an internet email at all.

    The trick is to substitute all special characters with a ?.

    This way, I was able to match most of Lotus senders/recipients formats.

    Best regards,

    Elric
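
The substitution described in post 3, applied to the two patterns from post 1, as an added example that is not part of the original posts or of the DLP product. It assumes `?` matches exactly one character and `*` any run of characters, and that letters, digits, `@` and `.` are the only non-special characters; the sample addresses are constructed from the shapes shown in post 1.

```python
import re

# Assumption: characters kept as-is; anything else counts as "special".
KEEP = re.compile(r"[A-Za-z0-9@.*?]")

def to_dlp_pattern(lotus_pattern):
    """Replace each special character (/, -, space, =, ...) with '?'."""
    return "".join(c if KEEP.fullmatch(c) else "?" for c in lotus_pattern)

def matches(pattern, value):
    """Assumed semantics: '?' is exactly one character, '*' is any run."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value) is not None

def internal_only(sender, recipients, sender_pat, recipient_pat):
    """True only if the sender and every recipient match (exception applies)."""
    return (bool(recipients) and matches(sender_pat, sender)
            and all(matches(recipient_pat, r) for r in recipients))

# Patterns tried in post 1, rewritten with the substitution from post 3.
SENDER_PAT = to_dlp_pattern("companyname-*")     # companyname?*
RECIPIENT_PAT = to_dlp_pattern("*/companyname")  # *?companyname

if __name__ == "__main__":
    sender = "companyname-us/jdoe"                 # constructed sample
    internal = "asmith/us/emea/companyname"        # constructed sample
    external = "partner@example.com"               # constructed sample
    lookalike = "jdoe/us/emea/othercompanyname"    # constructed sample
    print(internal_only(sender, [internal], SENDER_PAT, RECIPIENT_PAT))
    print(internal_only(sender, [internal, external], SENDER_PAT, RECIPIENT_PAT))
    # '?' is wider than the '/' it replaced, so check what else is excluded.
    print(matches(RECIPIENT_PAT, lookalike))
```

Running candidate patterns against an export of real sender and recipient strings before saving the exception shows both the internal formats it misses and the values it would exclude unintentionally.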



  • 4.  RE: Exclude internal>internal lotus notes email - endpoint

    Posted Apr 23, 2016 04:52 PM

    Hi,

    I think you are more worried about when someone sends an email inside the organization while keeping in cc/loop another email ID of an external domain; then DLP should capture it, though you have excluded the inside domains from monitoring.