Hello
You can add some condition on response rule, so you can :
Define two detection policies:
- EDM and encryption keyword (severity = low)
or
- EDM only (severity = high)
Add respose rule to modify email headers including condition that "severity = high"
So this will update email headers when you have only PII detected, and you will also get a DLP incident when you detect PII but with encryption keyword already present in email.
Regards