Custom keyword validators not working for Social Security Number or credit card narrow breadth policy


Article ID: 160394


Updated On:


Data Loss Prevention Enforce


You are using a Social Security Number (SSN) or Credit Card Number (CCN) narrow breadth policy on Symantec Data Loss Prevention (DLP), and have added your own list of keyword validators to the policy, but they do not seem to be working.


The narrow breadth Data Identifiers all have built-in validators that cannot be changed. In the case of keyword validators, that list is fixed.  The Data Identifier keywords are evaluated before the optional validators.  As a result, new keywords cannot be added to a Data Identifier with predefined values.  The optional validator list can be used to reduce the number of keywords, not increase.

There are two possible courses of action:

Create a new Data Identifier

  1. Log into the DLP Enforce server
  2. Hover over Manage, then policies
  3. Select Data Identifier
  4. In the top left select Add Data Identifier
  5. Give the Date Identifier a name and description.
  6. In the patterns section, you can add one or more patterns separated by line breaks
  7. In the section titled Validators, you can select from a list of predefined validators or you can select custom script.

Change the breadth of the Data Identifier to either wide or medium

  1. Log into the DLP Enforce server
  2. Hover over Manage, then policies
  3. Select Policy List
  4. Find the policy that you need to change and click on it to open it.
  5. Open the rule that has your SSN date identifier in it.
  6. Under conditions, you will see an option for Breadth
  7. Select Medium
  8. Then find the "Also Match" at the bottom of the screen
  9. Select "Content Matches Keyword" from the drop-down.
  10. Select Match type and Key work Separator
  11. Add your list of keywords in the "Match any Keyword"