Data Loss Prevention


SMTP monitoring

  • 1.  SMTP monitoring

    Posted Jun 20, 2017 09:22 AM

    Hi Guys,

    I am configuring new DLP policies to block sharing of confidential information via mail using endpoint monitoring via Outlook. The environment already has existing policies that are monitoring and regulating movement of data via mail on Outlook through the endpoint. The new policies however are not detecting any incidents via mail on Outlook, yet we have tried to simulate the incidents. Plus, I am using the same response rules and agent configurations that the current functional policies are riding on. What other features could I consider to solve this issue?



  • 2.  RE: SMTP monitoring

    Trusted Advisor
    Posted Jun 20, 2017 09:41 PM

    Lloyd,

    Are you sure that they are not firing? With the newer agents, it takes about 20 minutes for them to show up in the DLP console. Also make sure you restarted the agent so it gets the new policies.

    Is there an incident when it comes to any of the NEW policies, regardless of a block or just a reporting of the violation?

    The issue may be due to the NEW policy; can you provide the details or screenshots? If the policy is based on a new Data Identifier, then that could be the issue. I have seen it where the DI is badly written and stops detection.

    Do you have the right policy group associated to the new policy so it works on the Endpoint Server? Check your policy groups.

    The more info on the policy the better...


    Good luck!



  • 3.  RE: SMTP monitoring

    Posted Jun 21, 2017 05:32 PM

    Hello,

    Check the Policy Groups that are actually in operation and the agent's communication with the console.
    Also check that you have no Incident Queue.

    Regards



  • 4.  RE: SMTP monitoring

    Posted Jun 25, 2017 08:11 AM

    Hi Guys,

    I will send through the screenshots as soon as I get the chance. The policies can successfully detect incidents on USB transfers and HTTP/HTTPS with the keyword match and file type match, but not on Outlook. I have assigned the policies to the same policy group that all the current functioning policies are on. I have also cross-checked the policy configuration, and Outlook is selected among the channels to monitor. I also went as far as re-installing agents after making the necessary changes to ensure that the new policies and changes are picked up by the agents.



  • 5.  RE: SMTP monitoring

    Posted Jul 19, 2017 06:09 AM

    Hi Guys,

    I have attached the screenshots, please review them and advise.



  • 6.  RE: SMTP monitoring

    Posted Jul 19, 2017 04:50 PM

    Hi

    Has the agent configuration changed, or is it always the same?
    From Agent/Agent Group, is the Agent Configuration tab OK, or does it have any warnings?

    If you remove all the exceptions to do a test, what happens?


    Regards



  • 7.  RE: SMTP monitoring

    Posted Jul 20, 2017 09:17 AM

    I agree with Tokyo2040.

    Strip the policy down to bare bones. No exceptions in the policy. No response rules.

    Then send an email with a Word doc attached that violates the keyword match. See if that results in an incident. At least we'll begin to narrow down the source of the problem.



  • 8.  RE: SMTP monitoring

    Trusted Advisor
    Posted Jul 20, 2017 01:05 PM

    I would take out the requirement of the file type and just see if the detection works on the keyword and not the file type...

    This will show whether the Outlook plugin is really working.

    You may need to re-install the agent. Make sure that when you install the agent you 'Run as administrator'.


    Good Luck

    Ronak



  • 9.  RE: SMTP monitoring

    Posted Jul 20, 2017 02:37 PM

    If this policy is for Endpoint, shouldn't the option on Servers: Endpoint Prevent be checked?




  • 10.  RE: SMTP monitoring

    Posted Jul 20, 2017 02:42 PM

    When "All Servers" is checked, the other options are greyed out.



  • 11.  RE: SMTP monitoring
    Best Answer

    Posted Jul 26, 2017 04:31 AM

    Hi Guys,

    So I managed to get a solution. I removed all policy exceptions and configured an endpoint notification action in the response rule. I also added the sender domain pattern in the detection rules (*@xyz.org, *xyz.org) in addition to the file type and keyword match. I observed the incidents for a day and the policy had quite some hits identifying matches in the file type, keyword and sender domain pattern.




  • 12.  RE: SMTP monitoring

    Trusted Advisor
    Posted Jul 26, 2017 11:37 AM

    Lloyd,

    So it looks like the issue is with the policy exceptions.

    One thing to keep in mind is that wildcards do not always work in certain areas of the system. So make sure to get them working before you start adding exceptions. This will help you know where the issue lies.

    As you get more experience you will know what works and what does not.

    Good Luck

    Ronak
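The two points the thread ends on, that an exception can silence every detection rule in a policy and that the two wildcard forms (*@xyz.org, *xyz.org) match different senders, are illustrated below with a toy policy evaluator. This is an added example, not Symantec DLP code; the rule names, the Message/Policy classes and the constructed test message are assumptions, and matching is plain glob/regex rather than the product's own engine.

```python
"""Toy model of an endpoint e-mail policy: detection rules (keyword,
attachment type, sender domain glob) plus exceptions. Not Symantec DLP
code; the structure is assumed for illustration."""
import fnmatch
import re
from dataclasses import dataclass, field


@dataclass
class Message:
    sender: str
    body: str
    attachments: list[str] = field(default_factory=list)


@dataclass
class Policy:
    keywords: list[str]
    file_types: list[str]           # attachment extensions, e.g. ".docx"
    sender_patterns: list[str]      # glob patterns such as *@xyz.org
    exceptions: list[str] = field(default_factory=list)  # exempt sender globs


def sender_matches(pattern: str, sender: str) -> bool:
    """Case-insensitive glob match against the full sender address."""
    return fnmatch.fnmatch(sender.lower(), pattern.lower())


def evaluate(policy: Policy, msg: Message) -> list[str]:
    """Names of the detection rules that fire; [] when the message is
    exempt or nothing matches."""
    if any(sender_matches(p, msg.sender) for p in policy.exceptions):
        return []  # an exception short-circuits detection: no incident at all
    hits = []
    if any(re.search(rf"\b{re.escape(k)}\b", msg.body, re.I) for k in policy.keywords):
        hits.append("keyword")
    if any(a.lower().endswith(tuple(policy.file_types)) for a in msg.attachments):
        hits.append("file_type")
    if any(sender_matches(p, msg.sender) for p in policy.sender_patterns):
        hits.append("sender_domain")
    return hits


# Constructed test message modelled on the thread's test case
MSG = Message("alice@xyz.org", "Attached: CONFIDENTIAL quarterly figures", ["figures.docx"])

# Stripped-down policy as the thread recommends: rules only, no exceptions
FULL = Policy(["confidential"], [".docx", ".doc"], ["*@xyz.org", "*xyz.org"])
# Same rules plus an over-broad exception (constructed): the silent-failure mode
BROKEN = Policy(["confidential"], [".docx", ".doc"], ["*@xyz.org"], exceptions=["*"])
```

Note that `*xyz.org` also matches senders such as `evil@notxyz.org`, so the anchored `*@xyz.org` form is the safer pattern when both work in the area of the product you are configuring.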