Data Loss Prevention

  • 1.  How to distribute incident management among multiple groups

    Posted Mar 04, 2016 11:20 AM

    We have a need for multiple people to manage incidents from different groups and I can't figure out an easy way to do this. 

    More specifically, we have two requests I'm working on now:

    • incidents from upper management need to be investigated and remediated by someone at a higher level than me (all policies)
    • incidents from a specific group need to be handled differently than the rest of the incidents from the same policy

    There doesn't appear to be a straightforward way of distributing the incidents from each policy in the above manner.  My temporary solution is to create multiple policies with the same detection rules and exceptions and then create separate response rules to be used in those policies.  The response rule conditions don't allow me the flexibility I would like to have in these cases.  I would rather not have to create and then maintain multiple similar policies if it can be avoided.

    Does anyone else have a solution that is working for them?  Or do I just have to accept that multiple policies will be scanning for the same data over and over in order to achieve what is being requested?



  • 2.  RE: How to distribute incident management among multiple groups

    Posted Mar 04, 2016 01:09 PM


    Good afternoon,

    There are a couple of ways you could do this, but I think the easiest way to do this is to populate attributes from AD and then create two security roles.  Put an attribute in AD called "VIP" or some other way of flagging this group in AD. Then when an email incident, an endpoint incident or a discover incident with one of them as the owner came in, this attribute would be populated.

    Then within the security role you could make a condition for yourself to see all incidents but those with that specific attribute, then create a secondary role with access to either only incidents with that specific condition (attribute) or all incidents including that condition (attribute).

    Make sense?



  • 3.  RE: How to distribute incident management among multiple groups

    Trusted Advisor
    Posted Mar 07, 2016 02:27 AM

    Hi Ron,

    As Jesse wrote, in order to do this you will need to populate an attribute and then use it to segregate incident access in the role definition. There are several ways to do it:

    - If you could add an attribute in AD or a CSV file, you will be able to use a lookup plugin to populate it.

    - Doing a custom plugin which will check if the sender or userID is in a list you will maintain manually or automatically.

    - If you don't use incident severity for anything else, you could set a new rule in your policy to set severity to "High" when there is someone from your VIP list and set the severity of all other rules to "Low". Then you will be able to create a response rule using severity as the condition (e.g. if severity = High then populate attribute VIP with YES).

    But as it seems you have two issues (VIP and a special group of users), you may need to mix both solutions above.

    Regards.
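The second option above (a custom plugin that checks the sender against a list you maintain and populates an attribute) sketched as a small script. This is an added example, not code from the thread or from the DLP product. It assumes a lookup-plugin style interface in which the server hands the script the incident's attributes on stdin as `key="value"` lines and reads new attributes back from stdout in the same form; the attribute names `sender-email`, `VIP` and `Routing-Group`, and the CSV layout, are assumptions chosen for illustration. It also covers the second request in the original post by returning a routing group per sender, not just a yes/no flag.

```python
"""
Added example: flag incidents whose sender is on a maintained VIP/group list
so that a security role condition on the resulting attribute can segregate
incident access.  Assumed interface (not confirmed by the thread):
  stdin  -> incident attributes, one per line, key="value"
  stdout -> attributes to populate, same format
"""
import csv
import io
import re
import sys

# Constructed sample list.  In practice this would be a CSV file the team
# maintains; the 'group' column drives which role gets the incident.
VIP_CSV = """email,group
ceo@example.com,Executive
cfo@example.com,Executive
lead@example.com,Finance-Special
"""

ATTR_RE = re.compile(r'^([A-Za-z0-9_\-]+)="(.*)"$')
ADDR_RE = re.compile(r"<([^>]+)>")


def parse_attributes(text):
    """Parse key="value" lines into a dict; unknown lines are ignored."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line.strip())
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs


def load_vip_list(csv_text):
    """Map lower-cased e-mail address -> group name from the CSV text."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {
        row["email"].strip().lower(): row["group"].strip()
        for row in reader
        if row.get("email")
    }


def normalize_sender(value):
    """Reduce 'Display Name <addr@host>' or bare 'addr@host' to a lower-cased address."""
    m = ADDR_RE.search(value)
    addr = m.group(1) if m else value
    return addr.strip().lower()


def lookup(attrs, vip):
    """Return the attributes to populate for one incident (assumed attribute names)."""
    sender = normalize_sender(attrs.get("sender-email", ""))
    if sender in vip:
        return {"VIP": "YES", "Routing-Group": vip[sender]}
    return {"VIP": "NO", "Routing-Group": "Default"}


def format_attributes(out):
    """Serialise the result back into key="value" lines."""
    return "".join(f'{k}="{v}"\n' for k, v in sorted(out.items()))


if __name__ == "__main__":
    incident = parse_attributes(sys.stdin.read())
    sys.stdout.write(format_attributes(lookup(incident, load_vip_list(VIP_CSV))))
```

Because the list decides who can see which incidents, it should be treated like role configuration: keep it somewhere only the DLP administrators can edit, and have the script fail closed (attribute not set) if the file is missing or malformed rather than silently classifying everything as non-VIP.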



  • 4.  RE: How to distribute incident management among multiple groups

    Posted Mar 08, 2016 04:53 PM

    I don't see a way to reference a custom attribute defined to AD as a means to selectively use a custom Response Rule.  And the custom plugin idea seems to enable a way to populate fields in an incident, but not to determine how to respond to specific incidents.

    I thought about using Severity, as that *is* a possible condition in a Response Rule.  That may be my temporary solution, but I think this is going to lead me to requesting an enhancement to DLP.  We need more options for the Response Rule conditions.