What DLP Rule Conditions Will Cause Two Tier Detection
Article ID: 160344
Updated On:
Products
Data Loss Prevention Enforce
Issue/Introduction
You want to know which Symantec Data Loss Prevention (DLP) rules will cause two-tier detection.
Resolution
The table listed below outlines which policy conditions will cause two-tier detection to occur.
The Endpoint Agent is capable of detecting derivative IDM matches locally on the Endpoint and will not generate a two-tier detection. However, two-tier detection can be specifically enabled for the agent via the "Detection.TWO_TIER_IDM_ENABLED.str = ON"
| Detection Tab | Two Tier Detection | Technology |
| Rule Conditions: | ||
| Content: | ||
| Content Matches regular expression | no | DCM |
| Content Matches Exact data form | yes | EDM |
| Content Matches keyword | no | DCM |
| Content Matches Document Signature Form | no [not by default] | IDM |
| Content matches data identifier | no | DCM |
| Detect using Vector Machine Learning profile | no | VML |
| File Properties: | ||
| Message attachment of File Type Match | no | DCM |
| Message attachment of File Size Match | no | DCM |
| Message attachment of File Name Match | no | DCM |
| Custom File Type Signature | no | DCM |
| Protocol: | ||
| Protocol or Endpoint Monitoring | no | DCM |
| Endpoint Device Class or ID | no | DCM |
| Endpoint Location | no | DCM |
| Group Tab | ||
| Rule Conditions: | ||
| Sender/User Matches Pattern | no | DCM |
| Recipient Matches Pattern | no | DCM |
| Sender/User matches User Group | ||
| Sender/User based on a Directory Server group | no | DCM |
| Sender/User based on a Directory Form | yes | EDM |
| Recipient matches User Group | ||
| Recipient based on a Directory Server Group | yes | EDM |
| Recipient based on a Directory Form | yes | EDM |
| Also Match Section: | ||
| Content matches Data Identifier | no | DCM |
| Content matches keyword | no | DCM |
| Content matches Regular Expression | no | DCM |
| Custom File Type Signature | no | DCM |
| Endpoint Device Class or ID | no | DCM |
| Endpoint Location | no | DCM |
| Message attachment or file name match | no | DCM |
| Message attachment or file size match | no | DCM |
| Message attachment or file type match | no | DCM |
| Protocol or Endpoint Monitoring | no | DCM |
| Recipient based on a Directory Server Group | yes | EDM |
| Recipient matches pattern | no | DCM |
| Sender/User based on a Directory Server Group | no | EDM |
| Sender/User Matches Pattern | no | DCM |
Feedback
Yes
No
Powered by
