Data Loss Prevention

  • 1.  Rule based on count of Recipient=1 only

    Posted Aug 29, 2017 12:21 AM

    Hi, I need some help to create a policy/rule that only generates an alert based on only 1 recipient whereas the recipient can be any domain.

    I found a similar thread but this seems to feature multiple recipient/domain count mechanism. My requirement is to craft only based on 1 recipient only within the email.

    Thank you for the response in advance.

    Reference: https://www.symantec.com/connect/forums/rule-based-count-recipient

     



  • 2.  RE: Rule based on count of Recipient=1 only

    Posted Aug 29, 2017 01:35 AM

    Hello,

    You can define either a specific sender or recipient to generate an alert for. Define the rule you want to trigger and go to the group section of the Policy,

    Select the Recipient Matches Pattern and click Next. You will see a screen something like the one shown below:

    Define the recipient email you wish to trigger an alert for. You can also define a Domain as well.

     

    Is this something you were looking for?

     



  • 3.  RE: Rule based on count of Recipient=1 only

    Trusted Advisor
    Posted Aug 29, 2017 09:27 AM

    Hello

     

    If you want to have one incident each time you analyze an email with one and only one recipient (whatever domain it is), you may count the number of times you find "@" in the envelope of your email.

    Depending on your messaging system, you will have one for the sender (this one is sure) but it may be present in several headers, one for the message ID and one per recipient. The best way to know the default count for your messaging system is to first set a policy counting the number of times you find "@" in the email envelope (you may have some false positives due to some information not always being present in the email envelope).

    As always with policies based on recipient, you may have to decide if you want to count internal recipient or not, and sender himself (as some people add their email address as recipient in cc or bcc)

     regards.
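
The calibration step suggested in the last reply can be tried offline before building a policy. The following is an added example, not part of the thread and not Symantec DLP configuration; it assumes the "envelope" is the message header block, and the sample messages, addresses and function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample messages; addresses and IDs are made up for illustration.
ONE = ("From: Alice <alice@corp.example>\nTo: bob@partner.example\n"
       "Message-ID: <1@mail.corp.example>\nSubject: report\n\nbody\n")
TWO_PLUS_SELF = ("From: Alice <alice@corp.example>\n"
                 "To: bob@partner.example, carol@other.example\n"
                 "Cc: alice@corp.example\n"
                 "Message-ID: <2@mail.corp.example>\nSubject: report\n\nbody\n")
ONE_REPLY_TO = ("From: Alice <alice@corp.example>\nReply-To: team@corp.example\n"
                "To: bob@partner.example\n"
                "Message-ID: <3@mail.corp.example>\nSubject: report\n\nbody\n")

RCPT_HEADERS = ("To", "Cc", "Bcc")

def at_count(raw):
    """Number of '@' in the header block, i.e. what an '@'-count rule sees."""
    return raw.split("\n\n", 1)[0].count("@")

def recipients(raw, count_sender=False):
    """Distinct recipient addresses, optionally dropping the sender's own."""
    msg = message_from_string(raw)
    rcpts = {addr.lower() for h in RCPT_HEADERS
             for _, addr in getaddresses(msg.get_all(h, []))}
    if not count_sender:
        rcpts -= {addr.lower() for _, addr in getaddresses(msg.get_all("From", []))}
    return rcpts

def baseline(raw):
    """'@' occurrences that do not come from To/Cc/Bcc (sender, Message-ID, ...)."""
    msg = message_from_string(raw)
    listed = sum(len(getaddresses(msg.get_all(h, []))) for h in RCPT_HEADERS)
    return at_count(raw) - listed

def at_rule_single(raw, expected_baseline):
    """The '@'-count heuristic: exactly baseline + 1 occurrences."""
    return at_count(raw) == expected_baseline + 1

if __name__ == "__main__":
    base = baseline(ONE)  # calibrate on a known single-recipient message
    for name, raw in (("ONE", ONE), ("TWO_PLUS_SELF", TWO_PLUS_SELF),
                      ("ONE_REPLY_TO", ONE_REPLY_TO)):
        print(name, at_count(raw), len(recipients(raw)), at_rule_single(raw, base))
```

The third sample has a single recipient but an extra Reply-To header, so a threshold calibrated on the first message does not match it; this is the kind of baseline drift to look for when testing against real mail from your own system.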