Data Loss Prevention

  • 1.  DLP policy exception/exclusion

    Posted Jan 09, 2017 03:22 PM

    I am trying to figure out how to reduce false positives and am hoping that someone could give me some advice.

    I want to add a "NOT" operator to a rule (x AND y AND NOT z)

    I.e. Rule: content matches "foo" AND content matches "bilbo" w/5 "gandalf" AND NOT content matches "foo.com"


    The rule and exceptions as they read are not paired together, so the logic can't be as granular.

    RULES (content matches "foo" AND content matches "bilbo" w/5 "gandalf")

    EXCEPTIONS ( content matches "foo.com")


    If I could use an AND NOT operator within a rule I could get around this limitation. Am I wrong? Is there any way to be more selective?


    As an explanation, I'm trying to find out when client data (confidential) is emailed to an external domain that is not in the client's domain list. That means that I have to use client name terms matched with confidential terms with a group recipient exception for the client's domain names. The excessive false positives occur where some of the terms are included in valid communications that fall outside of the client's domain. This happens because the confidential or client name terms are too common, but without classification metadata fields the content tends to be pretty nebulous.



  • 2.  RE: DLP policy exception/exclusion

    Posted Jan 10, 2017 02:14 AM
    You can use a regular expression rule utilising negative lookahead/lookbehind statements to allow "AND NOT". For example, to look for "confidential" only if it's not in a paragraph (looking for "confidential" in a header/footer), something like: (?i)confidential(?!\s\w+) — match only if "confidential" isn't followed by whitespace and then a word.
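
Added example (not from the thread or its posters): the original rule "content matches foo AND bilbo w/5 gandalf AND NOT foo.com" expressed as one regex built from lookaheads, the way the reply above suggests, plus the reply's header/footer pattern. It runs with Python's re module; whether the DLP product's own engine accepts the same (?=...) and (?!...) syntax is an assumption, not something the thread confirms. The terms, the reading of "w/5" as at most four intervening words, and the sample messages are all constructed for the demonstration.

```python
import re

# Constructed sample messages, not taken from the original thread.
SAMPLES = {
    # "foo" present, "bilbo" two words from "gandalf", no "foo.com": should alert.
    "should_alert": (
        "Subject: foo project\n"
        "Bilbo has the gandalf report attached, sending to our outside counsel."
    ),
    # Proximity works in both directions.
    "reversed_order": (
        "Subject: foo update\n"
        "Gandalf asked Bilbo for the file this morning."
    ),
    # Same content but the client's own domain appears: the NOT clause suppresses it.
    "excluded_domain": (
        "Subject: foo project\n"
        "Bilbo has the gandalf report attached, cc legal@foo.com as usual."
    ),
    # Both proximity terms present but more than five words apart: proximity fails.
    "too_far_apart": (
        "Subject: foo project\n"
        "Bilbo left a note about the budget, the timeline, and finally gandalf."
    ),
}


def proximity(a, b, window):
    """Regex fragment for 'a w/window b': a and b in either order with at most
    window-1 words between them (my reading of w/N; adjust if the product counts
    differently). a and b must already be regex-escaped and start/end with word chars."""
    gap = r"(?:\W+\w+){0,%d}\W+" % (window - 1)
    return r"(?:\b%s\b%s\b%s\b|\b%s\b%s\b%s\b)" % (a, gap, b, b, gap, a)


def compile_rule(required=(), near=(), excluded=(), window=5):
    """Build one pattern from AND / w/N / AND NOT clauses.

    Every clause becomes a lookahead anchored at the start of the message, so
    they are all evaluated against the same text and order does not matter.
    A negative lookahead (?!...) carries each AND NOT. IGNORECASE and DOTALL
    make header and body one case-insensitive string for '.*' to scan."""
    parts = ["^"]
    for term in excluded:
        parts.append(r"(?!.*\b%s\b)" % re.escape(term))
    for term in required:
        parts.append(r"(?=.*\b%s\b)" % re.escape(term))
    for a, b in near:
        parts.append(r"(?=.*%s)" % proximity(re.escape(a), re.escape(b), window))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def rule_fires(rule, text):
    """True when every AND clause holds and no AND NOT clause does."""
    return rule.match(text) is not None


# The thread's rule: foo AND (bilbo w/5 gandalf) AND NOT foo.com
CLIENT_RULE = compile_rule(
    required=["foo"],
    near=[("bilbo", "gandalf")],
    excluded=["foo.com"],
)

# The reply's pattern: "confidential" not followed by whitespace and a word,
# i.e. standing alone as a header/footer marker rather than inside running text.
HEADER_MARKER = re.compile(r"(?i)confidential(?!\s\w+)")


def has_header_marker(text):
    return HEADER_MARKER.search(text) is not None


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:16s} fires={rule_fires(CLIENT_RULE, text)}")
    for line in ("Classification: Confidential", "This is confidential information"):
        print(f"{line!r:40s} header_marker={has_header_marker(line)}")
```

Two things to keep in mind before pasting such a pattern into a policy: the AND NOT here excludes the whole message whenever "foo.com" appears anywhere in the content, which is broader than a recipient-domain exception, and the header/footer lookahead only inspects the characters immediately after the word, so "Confidential" followed by a blank line still matches while "confidential data" does not.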


  • 3.  RE: DLP policy exception/exclusion

    Posted Jan 10, 2017 12:47 PM

    Thanks for the reply. I'll see if this will cover what I need.