Documentation | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Creating Custom DLP Policies > Custom Policy Wizard - Condition
Custom Policy Wizard - Condition
Administrator Help | Forcepoint DLP | Version 8.5.x
Related topics:
*
Classifying Content
*
Custom Policy Wizard - Severity and Action
Use the Condition tab of the custom policy wizard to define the logic of the rule.
*
Select one or more content classifier conditions.
*
Generate logic between the conditions using and, or, not, and parentheses. This logic should be based on the organization's business rules. For example:
A bank uses a file fingerprinting classifier to identify a blank application form. Administrators create a custom policy with the following rules:
*
Because the blank form is for marketing purposes, and the organization wants people to fill it out to apply for loans, one rule that says if the fingerprinting classifier for the blank form is matched, permit it to be sent from all sources to all destination channels.
*
A second rule is constructed so that when the form contains a social security number and the word "income," it is a loan application is permitted to go to one destination: the loan department. It is blocked from all other destinations.
The condition logic states: when the fingerprinting classifier is matched AND a social security number pattern is matched AND the key phrase classifier "income" is matched, it is a standard loan application: 1 AND 2 AND 3.
*
A third rule to the policy states that when content contains the social security number and the word "income," as well as the keywords "residential" or "deed," it is a mortgage application: 1 AND 2 AND 3 AND (4 OR 5). Permit it to be distributed to the mortgage department and title insurance partners.
To define the rule logic:
1.
Use the drop-down box next to This rule monitors to select one of the following options:
*
To trigger the rule on any content without analysis, select All activities. This may lead to large numbers of incidents.
*
To monitor one or more specific classifiers, select Specific data, then use the in drop-down list to indicate when to trigger incidents.
*
Select all parts of the transaction as a whole to trigger an incident if the sum of all matches in the transaction exceeds the configured threshold. For example, if the threshold is 3, then a transaction with 2 matches in the message body and one match in the subject line triggers an incident.
*
Select each part of the transaction separately to trigger an incident triggered only when the threshold is reached in any one part of the transaction. For example, there would have to be 3 matches in the body or 3 in the subject line or other message part for an incident to be triggered.
2.
Click Add, then use the drop-down list to:
*
Select Patterns & Phrases to add a regular expression, key phrase, script, or dictionary classifier.
*
Select File Properties to add a file name, type, or size classifier to the condition.
*
Select Fingerprint to add a file or database fingerprint classifier to the condition.
*
Select Machine Learning to add a machine learning classifier to the condition. Machine learning lets administrators provide examples of the data that to protect, so the system can learn from them and identify items of a similar nature.
*
Define a Transaction Size to detect transactions of the specified size or larger.
*
Define a Number of Email Attachments (email transactions only) to detect email messages with a certain number of attachments or greater.
*
Define a Number of Email Destinations (email transactions only) to detect messages sent to a specified number of domains or greater.
To delete a condition from the rule, select the condition and click Remove.
To edit a condition's threshold (the number of matches that trigger an incident), click a hyperlink in the Properties column. See also, Viewing or editing conditions and thresholds.
With dictionary classifiers, the weights of the dictionary's phrases are taken into account when determining if a threshold is reached. See Adding a dictionary classifier for more information.
3.
Repeat the previous step to add additional content classifiers, as needed.
4.
If more than one condition is defined, indicate when the rule should be triggered:
*
If all of the selected conditions must be matched to trigger the rule, select All conditions matched.
*
If only one of the selected conditions must be met, select At least one of the conditions matched.
*
To define conditions for the rule, select Custom, then:
*
Double-click a condition name to add it to the formula box.
*
Click the And, Or, or Not button to define a condition.
Optionally add parentheses, as in any mathematical operation. For example:
(1 AND 2) OR (3 AND 4) OR 5
Each number corresponds to a condition (1 is the first condition, 2 is the second, and so on).
*
Double-click another condition name.
*
Continue until the condition is fully defined.
Click the information icon on the right of the box to view a precise description of the condition that has been defined.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Creating Custom DLP Policies > Custom Policy Wizard - Condition
Copyright 2017 Forcepoint. All rights reserved.