Data Loss Prevention

  • 1.  Attachment Exclusions

    Posted Mar 24, 2014 12:36 PM

    Using some of our policies, we have noticed that a large number of emails containing a certain attachment have caused a huge spike of false positives within our DLP system. We have attempted to use the exclusion rule to exclude attachments with certain names, but it appears not to check the name but rather just the inside content. How can someone exclude certain attachments by name? (The name is generally the same but with a variety of different spellings, so some people place a space between the two words, or a hyphen between them.)

    Also, is there a way within DLP to say if the incident has a certain number of hits (say, over 50) to go ahead and not generate an incident and let it go?



  • 2.  RE: Attachment Exclusions

    Broadcom Employee
    Posted Mar 26, 2014 06:35 AM

    For the first question:

    You can add an exception to exclude all the attachments by using a file attribute rule.

    For the second question:

    You can modify the condition of your policy.



  • 3.  RE: Attachment Exclusions

    Posted Mar 26, 2014 09:31 AM

    Thank you for the response. Using the file attribute rule, wouldn't that just mean if it is a .xlsx or .pdf then it lets it go without looking into it? That'd be unrealistic in our use, and we are looking for something that can read the attachment's name and, if it matches a variety of things we have specified, doesn't generate a hit.



  • 4.  RE: Attachment Exclusions

    Posted Mar 26, 2014 09:35 AM

    It doesn't appear to have an area where I can make a condition that if the incident has like 50 hits to ignore the incident.



  • 5.  RE: Attachment Exclusions

    Posted Mar 26, 2014 04:25 PM

    There is a condition type for "Message Attachment or File Name Match". This has always worked as advertised as far as I'm aware, but you might have it misconfigured. If that's the condition type you used for your exception, did you select the "Entire Message" or "Matched Components Only" option? This would come into play if you have a compound exception, and if it's NOT a compound exception, you should have "Entire Message" selected. "Matched Components Only" in this context does not do what you might think... it's only applicable to the exception itself, not the component that's being matched by the rule in your policy.

    The pattern you use for the file name in this condition type can follow the DOS convention with wildcards, etc, and can be a list of file names/patterns.

    Also, please realize that an exception of this type is risky.  If you tell the system to except a message where the file name is myspreadsheet.xlsx, then it's going to except it whether that's the only attachment, or one of many attachments.  So I could then send out an email that goes undetected by DLP if it has the attachments myspreadsheet.xlsx and sensitive-customer-data.docx (where the Word document does indeed contain the sensitive data you are looking for).

    In general, I would not advise using this kind of exception in tuning for false positives, as it is not good practice.


    ~Keith



  • 6.  RE: Attachment Exclusions

    Posted Mar 26, 2014 04:36 PM
    Yeah, as of right now it excludes the entire email if it matches any keyword I specified. I will probably go with the attachment approach you said, due to this policy not having a risk of customer data exposure. Is there a way to exclude different varieties of keywords? The keyphrase would be any attachment that includes, say, "thisxxx.xlsx", but I want it to exclude it if the person adds someone's name before it or in any variety, like "john-testxxx.xlsx", "test-xxx.xlsx" or "john.test.xxx.xlsx".


  • 7.  RE: Attachment Exclusions

    Posted Mar 26, 2014 04:39 PM
    I only used the Keyphrase exclusion rule


  • 8.  RE: Attachment Exclusions

    Posted Mar 26, 2014 04:51 PM

    Well there's your issue then.  You need to use the "Message Attachment or File Name Match" condition type.  And yes, you can wildcard the file names you list in there, so in your example, you might do a list of files like:

    • test.xlsx
    • *test.xlsx
    • test*.xlsx
    • *test*.xlsx

    Again, not that I recommend doing this, but you could and it would work.


    ~Keith
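The following is an added example, not code from this thread or from Symantec DLP. It models the two points Keith makes: that DOS-style wildcard patterns like those listed above cover the spelling variants from post 6, and that an exception applied to the entire message is excepted as soon as one attachment name matches, so a second attachment carrying sensitive data goes undetected. The keyword list, the sample attachments and the "per_attachment" scanning mode are assumptions made for the demonstration; the latter is a hypothetical safer model for comparison, not a documented product option.

```python
# Added example (not Symantec DLP code): a small model of a file-name
# exception with DOS-style wildcards, used to show (a) how the patterns
# from this thread match the spelling variants, and (b) why an exception
# applied to the entire message can let a sensitive attachment through.
import fnmatch

# Constructed sample policy. The keyword list and the exception patterns
# are assumptions for the demo, not values from the poster's real policy.
SENSITIVE_KEYWORDS = ("ssn", "account number")
EXCEPTION_PATTERNS = ("test.xlsx", "*test.xlsx", "test*.xlsx", "*test*.xlsx")


def name_matches_exception(filename, patterns=EXCEPTION_PATTERNS):
    """Case-insensitive match of a file name against DOS-style wildcard
    patterns (* and ?), the way the thread describes the file-name condition."""
    name = filename.lower()
    return any(fnmatch.fnmatchcase(name, p.lower()) for p in patterns)


def keyword_hits(content, keywords=SENSITIVE_KEYWORDS):
    """Number of keyword occurrences in one attachment's extracted text."""
    text = content.lower()
    return sum(text.count(k) for k in keywords)


def evaluate_message(attachments, scope="entire_message"):
    """attachments: list of (filename, extracted_text).

    scope="entire_message": if ANY attachment name matches the exception,
    the whole message is excepted and no incident is raised, whatever the
    other attachments contain. This is the behaviour Keith warns about.

    scope="per_attachment": only the matching attachments are skipped; the
    rest are still scanned. Hypothetical safer model for comparison only,
    not a claim about any specific DLP product option.

    Returns (incident_raised, total_hits_counted).
    """
    if scope == "entire_message":
        if any(name_matches_exception(name) for name, _ in attachments):
            return (False, 0)
        scanned = attachments
    elif scope == "per_attachment":
        scanned = [(n, c) for n, c in attachments if not name_matches_exception(n)]
    else:
        raise ValueError("unknown scope: %r" % scope)

    hits = sum(keyword_hits(content) for _, content in scanned)
    return (hits > 0, hits)


# Constructed sample message: a benign report whose name hits the
# exception, plus a Word document that really does contain sensitive data.
SAMPLE_MESSAGE = [
    ("john-test-report.xlsx", "quarterly totals, no customer data"),
    ("sensitive-customer-data.docx", "customer SSN 123-45-6789 on file"),
]

if __name__ == "__main__":
    for variant in ("john-testxxx.xlsx", "test-xxx.xlsx", "john.test.xxx.xlsx",
                    "sensitive-customer-data.docx"):
        print("%-30s excepted=%s" % (variant, name_matches_exception(variant)))
    print("entire_message :", evaluate_message(SAMPLE_MESSAGE, "entire_message"))
    print("per_attachment :", evaluate_message(SAMPLE_MESSAGE, "per_attachment"))
```

Running it shows all three spelling variants from post 6 matched by the wildcard list, and the same two-attachment message producing no incident under the entire-message exception but one hit under the per-attachment model, which is exactly why Keith advises against tuning false positives with this kind of exception.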