Viewing or editing conditions and thresholds

Administrator Help | Forcepoint DLP | Version 8.6.x

Click a hyperlink in the Properties column on the Condition tab of the custom policy wizard to view and edit the properties of a condition line, including the name, description, and a variety of other details.


	Note See Fingerprint classifiers for information about additional configurable properties that are unique to fingerprint classifiers.

A condition's threshold is the number of matches that trigger an incident. Select one of the following:

Use At least to select the minimum number of matches that must be made. Valid values are 1-999.

Use Between to select an exact range of matches that must be made. Valid values are 1-999.

Use No match exists to trigger the rule if there are no matches.

With dictionary classifiers, the weights of the dictionary's phrases are taken into account when determining if a threshold is reached. See Adding a dictionary classifier.

Define how the threshold numbers are calculated:

Count only unique matches for the transaction. Note that case differences are counted separately for word-related classifiers. For example, word, Word, and WORD would return 3 matches when this option is selected.

Count all matches, even duplicates.

Under Analyzed Fields, view and select the fields to search for this content classifier.

Select Search all available fields to search content fields that pose the highest risk of a policy breach. The fields are searched for the specified key phrases, regular expressions, dictionary terms, or fingerprints. This is the default.

Select Search specific fields to identify one or more fields to search. The fields apply mainly to the email destination channel.

Field

Description

File/attachment

Search files or attachments for each chosen destination channel.

File metadata

Search the metadata of files or attachments.

Subject

Search only the subject line of messages.

Body

Search only the main body of a messages.

From

Search only the From field of a message.

Search only the To field of a message (email only).

Search only the carbon copy field of a message (email only).

Bcc

Search only the blind carbon copy field of a message (email only).

Other header

Search in headers that are not covered by the above options:

Search in All headers not covered in the above options. Includes all standard headers—Date, Message-ID, or Importance—as well as non-standard headers (x-headers, including x-mailer, x-spam-reason, and x-origin-ip) added during the sending of an email.

Search in User-defined header. Some organizations define x-headers to add custom information to the email message header. For example, they might create an x-header such as "X-MyCompany: Copyright 2017 MyCompany".

After selecting this option, enter the header name.

If a selected field is not found in a transaction, it is ignored.

For email messages, only sent email is analyzed. (When users save messages rather than sending them, breaches are not detected.)

Some fields do not apply to all channels, and are ignored for any non-applicable channel.

Fingerprint classifiers

The Properties link for a database classifier opens a page with two tabs: General and Properties. Use the General tab for field selection and the Properties tab to define the threshold and email fields described in above.

For database records classifiers, the page displays table field (or column) names. Select the fields to scan (up to 32 per table).

For endpoints, the number of fields selected for a database fingerprinting classifier can affect accuracy. For the most accurate results, scan 3 or more fields.

If only one field is being scanned, set a minimum threshold of 5 to reduce the likelihood of unintended matches. (When an administrator attempts to set a lower threshold, the system changes it to 5.)

If 2 fields are scanned, set the minimum threshold to 3 or more. (Trigger an incident when 3 or more field1/field2 combinations are detected.)


Number of Fields	Minimum Threshold
1	5
2	3
3 or more	1


	Note If a condition applies to both network and endpoint resources, the threshold is changed for the endpoint only. Network resources retain the threshold you define on the Properties tab.

For more information on creating fingerprint classifiers, see Database fingerprinting.