
Monitoring of Exception in DLP

Created: 18 Dec 2011 • Updated: 19 Dec 2011 | 5 comments
This issue has been solved. See solution.

I have a policy with a blocking response that acts on some detection rule and group rules. But as per business requirement our client wants to block sending mail on some particular detection rule for a group of AD users (say g1, g2, g3), but for another group (say g4) wants not to block but just monitoring. That means they want reporting of incidents for g4.

Now the problem is that if I add the other group g4 in exceptions then it will also not create an incident. Please suggest some solution or alternate way to do this.

Comments (5)

stephane.fichet

Hello,

I think the only way is to create two different policies:

1. One with response rules that block for g1, g2 and g3

2. One with response rules that do not block for g4 (so you will have monitoring for this group)

And if one day Symantec allows the use of a logical OR in policy definitions (and in profile definitions, which would be helpful too), you will be able to merge these two policies into one. I had the same issue and didn't find any other way to do it.

Denis Kattithara

The same will be possible with the below as well:

Rule 1 - g1, g2 & g3 and severity = High

Rule 2 - g4 and severity = Low

Response Rule - Block Incidents with condition where severity = High

Denis John Kattithara

Partner Assist Services

Symantec Corporation 

SOLUTION
YusufKhan

Thanks to both of you.

Stephane - I was also thinking of the way suggested by you. Although it requires replication of policies, creating them in two different groups will work clearly.

 

Denis - It seems to work quite well with your solution. But I don't know what would happen if the detection rule (d1) is set to high severity and some group rules have different severities, like group rules g1, g2 as medium, g3 as high and g4 as low. Please clarify.

 

Warm regards,

Yusuf

Denis Kattithara

The block response rule will only apply to the severity condition specified in the response rule. For example, in this case:

Response rule (r1) = Block incidents where severity = High

will only apply to

Detection rule (g3) = Set incident severity High

 

g1, g2 (Medium) and g4 (Low) will perform monitoring only, unless an appropriate response rule has been configured.

Denis John Kattithara

Partner Assist Services

Symantec Corporation 

YusufKhan

Denis,

As I tested, I need to set the detection rule as medium, and I can set the group rules' severity accordingly for monitoring and blocking. Then I can set the response rule to block high-severity incidents.

It's working great now.

 

Thanks a lot guys.

Warm regards,

Yusuf Khan

-------------------------------------

Tech Specialist – Wipro Arabia

-------------------------------------- 

Warm regards,

Yusuf