Data Loss Prevention

  • 1.  DLP Policy: Severity Set Condition

    Posted Jul 07, 2017 11:38 AM

    Within our Detection Policies, the rules are set to Low Severity until the match count goes to 3, then it goes to Medium; at 6 or above, it goes to a severity of High. We want to keep it that way with one exception. If the Policy detects the encryption indicator, in our case, "gosecure", then keep the severity level at Low.

    In a nutshell, we're good if an attachment containing sensitive data is sent out as long as it has been encrypted. Notify us of the event, but don't raise the severity. Is there a way to configure the Policy to allow that?



  • 2.  RE: DLP Policy: Severity Set Condition
    Best Answer

    Trusted Advisor
    Posted Jul 07, 2017 02:31 PM

    DJacobs,

    Unfortunately you will not be able to do this in a single policy. Even if you have 2 rules in the same policy (1 looking for gosecure, and the other not), the violation will take the higher severity setting in a rule matching.

    I do this all of the time when it comes to encryption emails etc.

    The only way to do this is to have 2 different Policies.

    1. The first will have the regular severity match counting settings as you currently have ---Though you will have an exception for the word 'gosecure' in the header or other sections. So this policy will NOT capture anything that has the encryption header.

    2. The 2nd policy will then have a detection rule to look for the 'gosecure' and match the data but ONLY have a low Severity setting. This will ONLY capture data if it was sent for encryption. 

    You can also make #2 a catch all for all encryption by having this policy look for the keyword 'gosecure' to see what people are sending through.

    This way you will still capture the data as an event but have the right severity. You can then also have different response rules for these events. 

    I think this is a better approach for you to get better reporting analytics to see if people are using encryption.

    Good Luck

    Ronak

     

    PLEASE MARK SOLVED WHEN POSSIBLE
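
The severity behaviour described in the answer above, as an added example that is not part of the original post and is not Symantec DLP code: a toy model showing why a combined policy still reports High for a 'gosecure' message, and how the two-policy split keeps it Low. The rule functions, policy dictionaries, and the choice to look for the indicator in the subject line are assumptions made for illustration.

```python
# Added illustration: a toy model of the thread's severity logic, not Symantec DLP code.
LOW, MEDIUM, HIGH = 1, 2, 3
NAMES = {LOW: "Low", MEDIUM: "Medium", HIGH: "High"}
MARKER = "gosecure"  # encryption indicator named in the thread

def has_marker(msg):
    # Assumption: the indicator is looked for in the subject line.
    return MARKER in msg["subject"].lower()

def count_rule(msg):
    # Thresholds from the question: Low below 3 matches, Medium from 3, High at 6 or above.
    n = msg["matches"]
    return HIGH if n >= 6 else MEDIUM if n >= 3 else LOW

def marker_low_rule(msg):
    # Matches only marked messages and always reports Low.
    return LOW if has_marker(msg) else None

def evaluate(policy, msg):
    """Severity of the incident this policy raises for msg, or None for no incident."""
    if msg["matches"] == 0 or policy["exception"](msg):
        return None
    hits = [s for s in (rule(msg) for rule in policy["rules"]) if s is not None]
    # As the answer states, the highest severity among matching rules wins.
    return max(hits, default=None)

def incidents(policies, msg):
    """Map policy name to severity name for every policy that raises an incident."""
    out = {}
    for p in policies:
        sev = evaluate(p, msg)
        if sev is not None:
            out[p["name"]] = NAMES[sev]
    return out

never = lambda msg: False
SINGLE = [{"name": "Combined", "rules": [count_rule, marker_low_rule], "exception": never}]
SPLIT = [
    {"name": "Standard", "rules": [count_rule], "exception": has_marker},
    {"name": "Encrypted", "rules": [marker_low_rule], "exception": never},
]

# Constructed sample messages: match counts and subjects are made up.
encrypted = {"subject": "[gosecure] Q2 payroll", "matches": 7}
plain = {"subject": "Q2 payroll", "matches": 7}

if __name__ == "__main__":
    for label, pols in (("single policy", SINGLE), ("two policies", SPLIT)):
        print(label, incidents(pols, encrypted), incidents(pols, plain))
```

With the split, every message raises exactly one incident, so the two policies can carry different response rules and be reported on separately.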



  • 3.  RE: DLP Policy: Severity Set Condition

    Posted Jul 07, 2017 03:18 PM

    DLP Solutions2,

    That is a perfect solution. I just implemented the modifications and it does exactly what we needed. Thank you!

     

    Dave