Data Loss Prevention

  • 1.  Wrong incidents against user group

    Posted Dec 21, 2011 05:13 AM

    I had added a new user group, say “E1” (also in our AD), and added it in a policy group rule with medium severity so that the blocking response would not be enforced on users belonging to the E1 group. Hence I wanted to block all users except those belonging to E1, and only monitoring incidents should be captured for E1.

    For this I transferred a few users from existing groups to the new group in AD. But now when it catches the incidents it still captures the users as if they belong to the older groups, and sometimes shows them in both groups, i.e. the old group and E1.

    So in this way it is also blocking those users for whom blocking is no longer required.

    Can anyone please let me know where the problem is?



  • 2.  RE: Wrong incidents against user group

    Posted Dec 21, 2011 01:10 PM

    Your explanation of this is a little unclear and makes this more of an educated guess based on how I think you might have this set up.  It sounds like you're saying you have a block response set up on your policy for what you're defining as "high" severity incidents. Then you're saying you have a group rule for users in the E1 group that you're expecting will set the severity of the incident to "medium".

    But here's what you're missing... the way detection works, it will set the severity of the incident to the HIGHEST severity of all the detection and group rules.  So that group rule says this should be medium severity, but the detection rule then overrides this and bumps the severity up to HIGH, hence the action is blocked.

    What you probably need to do here is set up separate policies.

    Policy 1 - Has block response rule on it for high severity incidents, and has a group exception for users in the E1 AD group.  Therefore an incident will never be detected by this policy for users in E1.

    Policy 2 - Does not have a block response, has same detection rule as Policy 1, and has a group rule for users in the E1 group.  Hence it's not detecting any incidents for any users outside of group E1, and only really monitoring (and not blocking) that action for users in E1.

    Or, in a single policy you could do it this way, but it's a little counter intuitive and makes the "severity" set on the incidents a little confusing:

    Policy A

    Rule 1: detection rule -AND- user belongs to group E1.  Default severity = high.

    Rule 2: detection rule only.  Default severity = medium.

    Response Rule: Block when severity = medium.

    In this manner, when a non-E1 user performs whatever action triggers the incident, the severity can only go up to medium, and the response rule will block it.  When a user in the E1 group performs the same action, the severity will get set to high, and the response rule will not get invoked (because you've told it only to do this on medium severity incidents).

    There are pros and cons to both methods, and you'd have to determine for yourself what you're comfortable with.

    ~Keith

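    The following is an added example, not code from the original thread or from the DLP product: a small Python model of the severity logic Keith describes (the incident takes the HIGHEST severity of every rule that matched, and the response rule fires only when that severity is in its trigger set). It runs the original single-policy setup and both of Keith's alternatives against three constructed events, including a user whose group membership is stale and still shows the old group alongside E1. The rule and policy names, the group name "Agent" for the old group, the event fields (`user`, `groups`, `content_match`) and the `block`/`monitor` outcome strings are assumptions made for this model.

```python
"""
Toy model of DLP policy severity resolution (added example, not product code).

Assumed model: each rule matches on content plus an optional 'user in group'
condition; a policy-level group exception suppresses the policy entirely; an
incident's severity is the highest severity among all matched rules; a Block
response fires when that severity is in the policy's 'block_on' set.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Ordering used when several rules match one incident.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Rule:
    """A detection rule: content match plus an optional 'user in group' condition."""
    name: str
    severity: str
    requires_group: Optional[str] = None  # match only if the user is in this group

    def matches(self, event: dict) -> bool:
        if not event["content_match"]:
            return False
        return self.requires_group is None or self.requires_group in event["groups"]


@dataclass
class Policy:
    name: str
    rules: List[Rule]
    exception_groups: FrozenSet[str] = frozenset()  # policy never fires for these users
    block_on: FrozenSet[str] = frozenset()          # severities that trigger Block

    def evaluate(self, event: dict) -> Optional[Tuple[str, str]]:
        """Return (severity, action), or None when the policy raises no incident."""
        if event["groups"] & self.exception_groups:
            return None
        matched = [r for r in self.rules if r.matches(event)]
        if not matched:
            return None
        # Key point from the thread: the incident takes the HIGHEST matched severity.
        severity = max((r.severity for r in matched), key=SEVERITY_RANK.__getitem__)
        action = "block" if severity in self.block_on else "monitor"
        return severity, action


def evaluate_all(policies: List[Policy], event: dict) -> Dict[str, Optional[Tuple[str, str]]]:
    return {p.name: p.evaluate(event) for p in policies}


# --- The three designs discussed in the thread (names are assumed) -------------

# Original setup: per-group rules with different severities in ONE policy; block on high.
ORIGINAL = [Policy(
    "Original",
    rules=[Rule("Agent users", "high", requires_group="Agent"),
           Rule("E1 users", "medium", requires_group="E1")],
    block_on=frozenset({"high"}),
)]

# Keith's option 1: two policies, with E1 excluded from the blocking one.
TWO_POLICIES = [
    Policy("Policy 1", rules=[Rule("detect", "high")],
           exception_groups=frozenset({"E1"}), block_on=frozenset({"high"})),
    Policy("Policy 2", rules=[Rule("detect", "medium", requires_group="E1")]),
]

# Keith's option 2: one policy with the severities inverted; block on MEDIUM.
POLICY_A = [Policy(
    "Policy A",
    rules=[Rule("rule 1: detect AND in E1", "high", requires_group="E1"),
           Rule("rule 2: detect only", "medium")],
    block_on=frozenset({"medium"}),
)]

# --- Constructed sample events (not real incident data) ------------------------
ORDINARY_USER = {"user": "alice", "groups": {"Agent"}, "content_match": True}
E1_USER = {"user": "bob", "groups": {"E1"}, "content_match": True}
# Same user as seen by an agent whose cached group info still lists the old group.
STALE_E1_USER = {"user": "bob", "groups": {"Agent", "E1"}, "content_match": True}


def outcome(design: List[Policy], event: dict) -> Set[str]:
    """The set of actions a design produces for one event across all its policies."""
    return {res[1] for res in evaluate_all(design, event).values() if res}


if __name__ == "__main__":
    for label, design in (("original", ORIGINAL), ("two policies", TWO_POLICIES), ("policy A", POLICY_A)):
        for ev in (ORDINARY_USER, E1_USER, STALE_E1_USER):
            print(f"{label:13} {ev['user']:6} groups={sorted(ev['groups'])}: {outcome(design, ev)}")
```

    Under this model the original design blocks the stale E1 user because the old group's high-severity rule still matches and highest-wins takes over, which is the symptom the thread describes; both of Keith's designs leave that user in monitor-only, since the policy-level exception and the inverted severities key off E1 membership rather than the absence of the old group. Neither design helps a user whose stale cache shows only the old group, which is why the agent restart in the final post matters.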


  • 3.  RE: Wrong incidents against user group

    Posted Dec 21, 2011 11:50 PM

    I'm assuming that the user groups added are via a Directory Group?

    In case of a Directory Group, any changes made in AD would reflect only after the next Indexing schedule. You may modify the schedule in case you want Indexing to happen earlier.

    > This is available under "System - Settings - Group Directories"

    > Click the relevant connection name - Index settings (The Index and Replication status tab shows when the last replication happened)



  • 4.  RE: Wrong incidents against user group

    Posted Dec 24, 2011 12:55 AM

    Hi

    Kreynolds - I really appreciate your explanation. But it seems there is some other problem related to AD indexing.

    The problem is that the incidents show users belonging to both groups, i.e. the newly created group and the old group. However, I made sure that the user was successfully moved to the new group in AD and doesn't belong to the old group in AD. I don't know why in DLP incidents it is still finding those users in the old groups too.

     

    Denis - I am sure that I have scheduled indexing, but it still shows the same problem.

    I am not sure where the problem is. This is really difficult for me now to get rid of, as it has already taken around a week with no resolution :-( .



  • 5.  RE: Wrong incidents against user group

    Posted Dec 24, 2011 02:19 AM

    Please see the attached image:

    In this image the user now belongs to the "Exceptions" group in AD and not to the "Agent" group.

    So normally it should allow the user, as it has medium severity, but since it also detects the user in the "Agent" group, for which severity is high, it is blocking the user. I am still clueless why it's not replicated into the correct group in the DLP user groups. In AD the user only belongs to the "Exceptions" group.



  • 6.  RE: Wrong incidents against user group
    Best Answer

    Posted Dec 25, 2011 02:52 AM

    Resolved,

    I tried restarting the agents from the Enforce server and the trick worked.

    What I understood is that the agents may have cached the user info, and also the endpoint machine had not been restarted for a long time. So restarting the agent caused it to get the most up-to-date group info.

    Thanks to all for posting their expert comments.