Data Loss Prevention


DLP policy for email sent outside of normal office hours

Oct 06, 2016 04:28 AM

If you want a DLP policy that triggers an incident only on email sent outside of normal
office hours, you could let it run all the time and delete all incidents that occur during
business hours, but it is better to define this directly in your policy.

To do this, you can use a rule based on a data identifier (DI) with the following parameters:


Pattern: Date\: \w{3}\, \d{2} \w{3} \d{4} \d{2}\:\d{2}\:\d{2}
Normalizer: Do nothing

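and look for this in the message envelope only. Of course, it will be there in all messages, so you
must add a custom script validator to your DI that checks at what time the message was sent.
The script reads the two hour digits of the matched Date header (offsets 0x17 and 0x18), adds 4
modulo 24 so that the off-hours range becomes one contiguous interval starting at 0, and asserts
that the result falls in that interval: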

$t1 = getIntegerAt($match, 0x17, 1);
$t2 = getIntegerAt($match, 0x18, 1);
$t1 = multiply($t1, 10);
$Hour = Add($t1, $t2);
$ShiftedHour = Add($Hour, 4);
$NewHour = mod($ShiftedHour, 24);
assertTrue($NewHour < 10);

I assumed that business hours are from 6:00 to 20:00 (local time). You can compound this
DI with any detection rule so that your rule matches only on email sent outside of
normal office hours. This could also be used for a policy needed only during certain periods of the year, and so on.
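
An added example (not part of the original post and not Symantec DLP code): a Python model of the same hour-shift arithmetic, generalized to any business-hours window, for checking which Date hours would match before the policy is deployed. The function names and sample headers are constructed for illustration, and the stated 6:00 to 20:00 window is treated as a half-open interval.

```python
import re

# Data identifier pattern from the post (matches the start of the Date header).
DATE_RE = re.compile(r"Date\: \w{3}\, \d{2} \w{3} \d{4} \d{2}\:\d{2}\:\d{2}")


def validator_params(start_hour, end_hour):
    """Derive the shift and bound for business hours [start_hour, end_hour)."""
    shift = (24 - end_hour) % 24       # moves end_hour onto 0
    bound = (start_hour + shift) % 24  # first shifted hour that is business time
    return shift, bound


def is_off_hours(header, start_hour=6, end_hour=20):
    """True when the Date header hour falls outside business hours."""
    m = DATE_RE.search(header)
    if m is None:
        # The DI does not fire at all. RFC 5322 allows a one-digit day and an
        # omitted day-of-week; the pattern above requires both, so such
        # headers are never evaluated by the validator.
        return False
    match = m.group(0)
    # Same reads as getIntegerAt($match, 0x17, 1) and getIntegerAt($match, 0x18, 1).
    hour = int(match[0x17]) * 10 + int(match[0x18])
    shift, bound = validator_params(start_hour, end_hour)
    return (hour + shift) % 24 < bound


def off_hours_set(start_hour=6, end_hour=20):
    """Every hour value the validator accepts, for review before deployment."""
    return [h for h in range(24)
            if is_off_hours("Date: Thu, 06 Oct 2016 %02d:00:00" % h,
                            start_hour, end_hour)]


if __name__ == "__main__":
    # Constructed sample headers (not taken from real mail).
    samples = [
        "Date: Thu, 06 Oct 2016 04:28:00 +0200",
        "Date: Thu, 06 Oct 2016 06:00:00 +0200",
        "Date: Thu, 06 Oct 2016 20:00:00 +0200",
        "Date: Thu, 6 Oct 2016 23:00:00 +0200",  # one-digit day: no match
    ]
    for s in samples:
        print("%-42s off-hours=%s" % (s, is_off_hours(s)))
    print("shift, bound:", validator_params(6, 20))
    print("matching hours:", off_hours_set())
```

The hour is read exactly as written in the header; the pattern does not capture the timezone offset that follows the time, so no conversion takes place.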
