Data Loss Prevention

Hi Everyone ,

i created policy with keyword macth but there is something wrong about the policy .

i have four keyword exp.

hack

hacker

hackers

lamer

i want to catch incident when two word macth above the words.  for example when somebody used hack and hacker it's must be incident ..  

but in my policy when someone send a email contain a word like "hack" it's a incident. 

how can i configure like i want ?

Thanks you. 

Hi dogan,

 you must set a threshold of 2 keyowrds in your policy.

in match conditions (under your keyword list) you have a line for that.

Count all matches and only report incidents with at least X matches, than you can set X to 2.

 but take care that it will also raise an incident if it found 2 times same keyword in the email.

you also have to take ware if you check "On whole words only" because if not "hack" also match "HACKers" and "HACKer").

 Regards.

You can create compoound rules with the 'AND' condition like:

Match keyword: 'hack' with at least 1 match

                              AND

Match keyword: 'hacker' with at least 1 match

This will triger an incident oly if both hack and hacker arre found.

Count all matches and only report incidents with at least X matches, than you can set X to 2.

it's not provide all of my want couse it's not distinguish the words .. as you said if it found 2 times a keyword it's a incident for it . but not me : )

thanks for reply ..

it's not provide my want couse i want found any 2 keyword at list ..

is it be true way if i use keyword proximity each other within 999 word distance .

You can create your policy to only count unique matches and then set your filters in the interface to only show incidents with 2 or more matches.  That is what we do, and we periodically purge the incidents with only 1 match.

oups, since 11.6, you can use a data identifier rule and require uniqueness for matching keywords (which can be keywords).