Data Loss Prevention

  • 1.  Rule based on count of Recipient

    Posted Jul 11, 2012 01:56 AM

    Hi,


    Can we create a rule in DLP based on the count of recipients?


    Say, for example: trigger an incident if the number of recipients is more than 1.


    Regards,

    ...rOjU...



  • 2.  RE: Rule based on count of Recipient

    Posted Jul 11, 2012 08:45 AM

    There's no out-of-the-box rule for recipient count, but anything is possible I suppose.  You might try a regex for email address patterns, and apply that rule to inspection of the header only.  The count might not be entirely accurate (for instance, you would also be counting the sender's email address), but it could get you close for understanding when something went to 1 vs. say 25+ recipients.



  • 3.  RE: Rule based on count of Recipient

    Posted Jul 12, 2012 02:20 AM

    For one of my clients, I performed this to detect email sent to only one sender (for them, it was a good criterion to separate business communication from data leakage). So we used a regexp on the envelope, as usually recipients are listed between the "To" header and the "Subject" or "Date" header. So it is not too complicated to write a regexp to look for only one email address between these headers. And it works fine on DLP v11.1.2.



  • 4.  RE: Rule based on count of Recipient

    Posted Jul 24, 2012 05:28 AM

    Stephane's solution is good. You might want to search for multiple occurrences of "@" in the header. This way you have a counter. You then false-positive all incidents with only one match (manual approach) or write an auto response to kill all incidents having only one match on the Enforce.



  • 5.  RE: Rule based on count of Recipient

    Posted Jul 24, 2012 10:47 AM

    Roju,

    First off, I'd ask what you are trying to do with the rule. Is it simply to detect an email going to 1 vs. 40 people? If so, what is the significance at that point if you don't know whether the users are legitimate or not? Maybe it sounds like you are trying to create an extra mechanism to detect mass emails, broadcasts, or potentially spam.

    If you are simply looking for more than 1 recipient, the other option is to build a rule around this simply. If you create a rule under the Groups tab in the policy, you can select 'Recipient Matches Pattern'. Under this section you can simply use: *@* - in the email address field. Further down under the condition you can check that at least 2 recipients must match. With this logic, you should be able to flag any email that contains more than 1 recipient. You can also change the number to a larger number if you are only looking for say 10 or more recipients, etc.



  • 6.  RE: Rule based on count of Recipient

    Posted Jul 24, 2012 11:47 AM

    Good solution Shawn. I didn't think about the recipient matches pattern, and just wildcarding that. Much more elegant than a regex, and technically speaking more efficient from a detection standpoint.

    ~Keith



  • 7.  RE: Rule based on count of Recipient

    Posted Jul 24, 2012 06:51 PM

    Thanks Keith. I had to think it through for a minute before I realized how to frame it, but I knew we had some flexibility with wildcards.

    To outline some further efficiency, you can also combine it with an EXCEPTION rule, so that if internal recipients are included, the incident is ignored. Again, not sure of the particular use case, but with a little more information, we might be able to help you further produce a great policy that is not only efficient but also as accurate as possible with regard to the use case.
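    The two approaches discussed in this thread (counting "@" occurrences in the header with a regex, versus a 'Recipient Matches Pattern' rule with *@* and an "at least N recipients" condition plus an exception for internal recipients) can be emulated offline to see how they differ. The code below is an added illustration, not Symantec DLP's own logic; the message, the internal domain corp.example and the function names are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message (not from the thread): one internal Cc, two external To.
SAMPLE_MSG = """From: alice@corp.example
To: bob@partner.example, Carol <carol@other.example>
Cc: dave@corp.example
Subject: Q3 numbers

Attached are the confidential figures.
"""

INTERNAL_DOMAIN = "corp.example"  # hypothetical internal domain used by the exception rule


def recipients(raw):
    """Return the lower-cased addresses found in the To/Cc/Bcc headers (envelope recipients)."""
    msg = message_from_string(raw)
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def count_at_signs(raw):
    """The regex approach from post 4: count '@' in the header block.
    It also counts the sender's address, so it over-counts by one (post 2's caveat)."""
    header_block = raw.split("\n\n", 1)[0]
    return len(re.findall(r"@", header_block))


def rule_matches(raw, min_recipients=2, ignore_internal=True):
    """Emulate 'Recipient Matches Pattern *@*' with 'at least min_recipients must match',
    combined with an exception that drops internal recipients before counting."""
    rcpts = recipients(raw)
    if ignore_internal:
        rcpts = [r for r in rcpts if not r.endswith("@" + INTERNAL_DOMAIN)]
    return len(rcpts) >= min_recipients


def sent_to_single_recipient(raw):
    """The inverse case: flag confidential data that goes to exactly one recipient."""
    return len(recipients(raw)) == 1
```

With the sample message the regex counter reports 4 (sender included), while the recipient-based rule sees 3 recipients, or 2 once the internal Cc is excluded by the exception.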



  • 8.  RE: Rule based on count of Recipient

    Posted Jul 26, 2012 05:37 AM

    Thanks Shawn. It is a good idea.

    I will explain my requirement based on a scenario.

    -----------------------------

    A particular email with confidential data can go out to a set of people (say the count is X). X will vary in some cases. This communication will be sent as a mass mailer and not sent individually.

    In no way does it need to be sent individually. But if the same data goes out to only one recipient from any sender, it needs to be flagged.

    ----------------------------



  • 9.  RE: Rule based on count of Recipient

    Posted Jul 30, 2012 09:52 AM

    Thanks Shawn for sharing.

    Yes, you are right, we can do it that way.