Data Loss Prevention


Exception rule based on file content and number of files


    Trusted Advisor
    Posted May 11, 2012 09:25 AM

    Hello,

     

    I would like to reduce the number of false positive incidents in DLP, and in order to achieve this I would like to exclude emails which contain a specific type of file from monitoring. But I don't want to exclude them if they contain some other file in the same email. Detection rules are not based on the content of this file but on some other aspects of the email content.

    So if I add an exclusion on this type of file, I will miss emails which contain this type of file and some other sensitive document.

    If I add this exclusion by just removing this component from analysis, I won't reject any false positives (as detection rules are based on some other part).

    I would like to reject all messages when they contain this type of file only and no other attachment.

    And it seems there is no way to define a threshold on the number of attachments in a detection policy (at least I didn't find any way to do that). Has anyone here already succeeded in doing this type of exclusion rule?