Data Loss Prevention

  • 1.  Incidents are being detected at the Endpoint but not the Network

    Posted Dec 02, 2018 11:04 PM

    Hello.

     

    I have a policy to detect social security numbers.  The policy does detect incidents at the endpoint via the Outlook application, and they are being successfully reported at the endpoint reports tab.  The problem is we are also expecting the social security incident to be reported and detected at the Network Detect (Email detection) channel, and unfortunately it doesn't get detected at that (network) channel.

    When I create a new policy which specifies the SMTP protocol to be detected, it does get detected and reported at the Network reports tab, so we know that network SMTP detection is working. 

    Can someone verify if one incident gets detected and reported at the endpoint, does that same incident also get detected and reported at the network detect?  Or do incidents only get detected at one detection channel, to reduce the same incidents from getting detected multiple times (through different channels)?

    Thanks!




  • 2.  RE: Incidents are being detected at the Endpoint but not the Network

    Posted Dec 03, 2018 04:28 PM

    Hi Neil 

     

    It should be detected on the two channels.

    If the action is block on the endpoint, the email won't leave the endpoint, so it doesn't get detected on the Network channel.

    Please create a keyword policy and try to send this keyword to an external recipient. It should be detected on the Endpoint & the network.

     

    Thanks 

     



  • 3.  RE: Incidents are being detected at the Endpoint but not the Network

    Posted Dec 05, 2018 02:50 AM

    Hi Neil,

     

    Have you got your MTA configured in the server settings? Also check that the email detection server isn't in trial mode. To do this, go to System - Servers/Detectors and click on Overview, click on your mail prevent and then Configure. You should see a box that says Trial mode.

    If this has a tick in it then take the tick out.

     

    Please let me know how you get on, and then we can troubleshoot some more.

     

    Thanks



  • 4.  RE: Incidents are being detected at the Endpoint but not the Network

    Posted Dec 05, 2018 06:25 PM

    On the policy, we have 3 auto-response rules.

    1) Notify: 

    You are attempting to move, copy, save, or transfer potentially sensitive information containing $POLICIES$. The Risk Management department received an alert about this activity and may follow up with you.

     

    2) Notify: Endpoint Prevent: User Cancel.   This allows the user to enter an explanation and then it allows the email through.

     

    3) Send an email to DLP administrator.

     

    -----

    I just tried a test keyword block and the incident was detected at the Incident > Network report tab.  It was not detected or reported at the Incident > Endpoint.