How the policy rule setting "All recipient must match (Email only)" works in DLP.

Article ID: 169546

Updated On:

Products

Data Loss Prevention Network Prevent for Email

Data Loss Prevention

Data Loss Prevention Cloud Prevent for Microsoft Office 365

Issue/Introduction

The setting "All recipient must match (Email only)" is confusing and difficult to understand. 

Environment

Symantec Data Loss Prevention (DLP) Network Prevent for Email

Symantec Data Loss Prevention (DLP) Cloud Prevent for MS Office 365

Resolution

Here we explain a number of test cases which demonstrate how the setting works. 

  • If the cell is empty then the recipient is not listed in the mail being sent. 
  • If you have 3 recipients ([email protected], [email protected], [email protected]) specified in the rule, then an incident will be created in the following cases, where each listed recipient is in the email's To: field:

| Email Test | Recipient 1 | Recipient 2 | Recipient 3 | Incident |
|---|---|---|---|---|
| 1 | [email protected] | [email protected] | [email protected] | Yes |
| 2 | [email protected] | [email protected] | | Yes |
| 3 | [email protected] | | | Yes |

  • If you add an additional recipient, [email protected], to the email being sent, then no incident will be created with any of the above recipients, as follows:

| Email Test | Recipient 1 | Recipient 2 | Recipient 3 | Additional recipient | Incident |
|---|---|---|---|---|---|
| 1 | [email protected] | [email protected] | [email protected] | [email protected] | No |
| 2 | [email protected] | [email protected] | | [email protected] | No |
| 3 | [email protected] | | | [email protected] | No |

With regard to the other setting, “At least (#) recipient must match”, the outcome is different: we could enable that option with the value # = 1 and have the following results:

| Email Test | Recipient 1 | Recipient 2 | Recipient 3 | Additional recipient | Incident |
|---|---|---|---|---|---|
| 1 | [email protected] | [email protected] | [email protected] | [email protected] | Yes |
| 2 | [email protected] | [email protected] | | [email protected] | Yes |
| 3 | [email protected] | | | [email protected] | Yes |
| 4 | | | | [email protected] | No |

So the email would, in that case, need to contain at least 1 of the 3 recipients [email protected], [email protected], [email protected], but it can also include any other recipients outside of those listed in the rule and will still trigger an incident, whereas with “All recipient must match” it cannot.
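
The two settings compared above can be modelled as set operations on the To: header. This is an added example, not Symantec's code: the addresses are constructed placeholders (the article's are obfuscated), and the function names, the lower-casing and the empty-header handling are assumptions of the model.

```python
from email.utils import getaddresses

# Constructed placeholder addresses standing in for the rule's three recipients.
RULE = {"a@example.com", "b@example.com", "c@example.com"}
EXTRA = "d@example.com"  # constructed address that is not listed in the rule


def recipients(to_header):
    """Extract the bare addresses from a To: header value."""
    # Lower-casing is a simplification of this model, not documented DLP behaviour.
    return {addr.lower() for _name, addr in getaddresses([to_header]) if addr}


def all_must_match(rule, to_header):
    """Model of "All recipient must match": every recipient is in the rule."""
    rcpts = recipients(to_header)
    # Assumption: a message with no recipients never matches.
    return bool(rcpts) and rcpts <= rule


def at_least_must_match(rule, to_header, n=1):
    """Model of "At least (#) recipient must match": n or more are in the rule."""
    return len(recipients(to_header) & rule) >= n


def run_tables():
    """Evaluate the article's three tables; True means an incident."""
    base = [
        "a@example.com, b@example.com, c@example.com",
        "a@example.com, b@example.com",
        "a@example.com",
    ]
    with_extra = [f"{to}, {EXTRA}" for to in base]
    # Tables 1 and 2: "All recipient must match", without and with the extra address.
    all_results = [all_must_match(RULE, to) for to in base + with_extra]
    # Table 3: "At least 1", including test 4 where only the extra address is present.
    at_least_results = [at_least_must_match(RULE, to, 1) for to in with_extra + [EXTRA]]
    return all_results, at_least_results


if __name__ == "__main__":
    all_results, at_least_results = run_tables()
    print("All recipient must match:", all_results)
    print("At least 1 must match:  ", at_least_results)
```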