Data Loss Prevention

  • 1.  Severity Levels Always High - Not Setting Properly

    Posted Oct 30, 2018 09:11 PM

    Hi, I was wondering if anyone else ran into this problem or if you could point out what I'm doing wrong.

    I've been building some policies in my test system, and am building the policy with the following severity levels:

    Default: "Info"

    Set Severity: "High" - When Match Count: "Is Greater Than or Equals" - "100" matches

    Set Severity: "Medium" - When Match Count: "Is Between" - "50" to "99" matches

    Set Severity: "Low" - When Match Count: "Is Between" - "10" to "24" matches

    There is a response rule in place to log to a syslog server regardless of classification level.

    Symptom: Incidents are generated, but even if the incidents have only two or three hits they are marked as "High".

    Any advice on where things are misconfigured?



  • 2.  RE: Severity Levels Always High - Not Setting Properly

    Posted Oct 31, 2018 02:39 AM

    Hi Josh,

    Did you perhaps add a rule in the Groups Tab and by accident leave the Default Severity setting there on High?

    Constant



  • 3.  RE: Severity Levels Always High - Not Setting Properly

    Posted Oct 31, 2018 12:06 PM

    Hi Josh,


    By the looks of it, the default isn't kicking in; you could maybe create another set severity, to set severity: 'Info' When Match Count: "Is Between" - "1" to "9" matches.

    Is it possible to try that and let me know if that works? If it does there could be a bug.

    Thanks



  • 4.  RE: Severity Levels Always High - Not Setting Properly

    Posted Oct 31, 2018 12:20 PM

    Thank you for the replies! 

    Constant, there are no groups in the policy.

    Alan, I have added the "Info" severity level and criteria with no change in results. I even tried to assign the default severity to "Medium", removed the severity rule that set it to "High", and they are still showing as "High" in the console.

    Odd.... might have to open a ticket.

     



  • 5.  RE: Severity Levels Always High - Not Setting Properly

    Posted Oct 31, 2018 12:30 PM

    What version of DLP are you using? I can see if I get the same issue as you, and if so we know for sure it's a bug.

    I am also assuming you triggered some policies to test?


    Thanks



  • 6.  RE: Severity Levels Always High - Not Setting Properly

    Posted Oct 31, 2018 12:42 PM

    We are currently on 15.0 MP1

    Yes, I tried to disable and re-enable the policies after updates to no success. The number of matches in the resulting incidents is correct but the severity is completely wrong.



  • 7.  RE: Severity Levels Always High - Not Setting Properly

    Posted Nov 01, 2018 04:36 AM

    I'll take a look and let you know my result.

     

    Thanks



  • 8.  RE: Severity Levels Always High - Not Setting Properly

    Posted Nov 08, 2018 09:35 AM

    If this is occurring with email prevent, we had the same issue and a hotfix was required to correct it. We were at a lesser version level than you but the problem may be the same.



  • 9.  RE: Severity Levels Always High - Not Setting Properly

    Posted Nov 08, 2018 09:49 PM

    Oddly enough, it is happening with the O365 Securelet. Not sure if it's scanned the same way as the Network Prevent for Email product. Thanks!


    Sounds like I need to open yet another ticket for a documented issue that is not shared on the support site. I already have one being worked because quarantine isn't working (disabled SMB v1 on the network and there is a private hotfix), but they are hesitant to give it to me until they "further troubleshoot the issue".