
Only Fire Incident When Matching Multiple Rules in Policy?

Created: 04 Apr 2013 | 6 comments


I have a policy that contains a number of detection rules. This is working fine, but we would really like it to trigger an incident only if more than one of the rules is matched (for example, in a single email).

Is there a way to do this? My rules list inside the policy shows "or" in between each rule, and I can see no way to change this.

Ideally, we would set it to trigger an incident only if two or more of the six rules inside the policy are matched.

Thanks for any advice!


stephane.fichet's picture


Depends on the detection type used in your rules, but you can try to use the number of matches to define a response rule which will set a specific status under a certain number of matches, and exclude this status from being seen by the incident response team.

Jsneed's picture

You can use your rules to set up compound rules. For example, we have a rule that matches SSNs and certain keywords alongside a rule that matches other personal information with a set of keywords. This can be done using a data identifier, or by adding additional matching parameters from the "Also match" dropdown at the bottom of the policy.

Promaps's picture

Thanks, Guys - I'll give these suggestions a try today and come back with the results.

Promaps's picture

Thanks again for these suggestions. I've been going through this, but it looks like the only way I could do it would be by following Jsneed's suggestion to put the combination logic in separate rules.

For example, inside the policy I would need a separate rule for each combination of data I want to match (one rule to match passport number and driver's licence in one email, another rule to match passport number and SS number, etc., and so on). This seems quite arduous considering the number of combinations you would need to detect significant PII leakage.

I looked into creating a special data identifier but I couldn't see where I could put the logic in for either/or matches.

Stephane - Sorry, I got a bit lost when looking into your suggestion. I wonder if you could elaborate? 

The main problem I have is that the individual rules are triggering hundreds of real matches (i.e. people sending passport numbers to travel brokers), and I have no remit to tell them not to. Therefore, I'm mainly interested in detecting major leakage such as combinations of PII to start with.

's picture

See, if the individual rules are triggering many real matches, then you will have to further apply some more conditions to reduce the number of matches you get. Here you will have to keep trying n number of times, considering different conditions each time, until you are satisfied with the result.


kishorilal1986's picture

Please check your policy rule and detection parameter.