Message body Metadata tag in O365 Excel triggering false positive incident for Endpoint Prevent



Article ID: 173645


Updated On:

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

Data Loss Prevention 15.1 Endpoint Discover.

When a user opens an O365 Excel file, a false positive incident is created based on a metadata tag that carries the file name.

Examples:
ssn: Contract Roll UP Accounts
ssn: List of Work Orders

The "ssn:" appears to be a metadata tag for the file name.
"Contract Roll UP Accounts" and "List of Work Orders" are two file names for which the false positives are being generated.

The body of the two files does not contain any SSNs.
It does contain nine-digit numbers that satisfy the format requirements for an SSN, such as 388829456 or 895972402, but they are not SSNs.


Resolution

Set up an exclusion for the word combo that is common to almost all of the recent incidents.

In this case, the matched content in the incidents is ' {"G": ' followed by a nine-digit number that mimics an SSN, followed by ' "T" '.
A keyword proximity matching condition on the "G" and "T" markers was used as the exclusion, and it eliminated the false positives.
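The following is an added illustration, not Symantec DLP code: it runs an SSN pattern over constructed content that mimics the O365 metadata fragment from this article, then suppresses any match that sits between the '{"G":' and '"T"' markers, the way the keyword proximity exclusion does. The proximity window is measured in characters here as a simplification; DLP measures it in words, and the SSN validation rules used are assumed, not the product's own.

```python
import re

# Constructed sample of text extracted from an Excel file. The two '{"G": ... "T"}'
# lines mimic the metadata fragment that produced the false positives; the last
# line holds a genuinely SSN-shaped value with no surrounding markers and must
# still be detected after the exclusion is applied.
SAMPLE_TEXT = """ssn: Contract Roll UP Accounts
{"G": 388829456 "T"}
{"G": 895972402 "T"}
Employee SSN 123-45-6789 on file
"""

# Nine digits, optional dashes, with the commonly used structural checks:
# area not 000/666/9xx, group not 00, serial not 0000 (assumed validator).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-?(?!00)\d{2}-?(?!0000)\d{4}\b")

# Exclusion pairs: (keyword expected shortly before the match, keyword expected shortly after).
DEFAULT_EXCLUSIONS = (('{"G":', '"T"'),)


def find_ssn_candidates(text):
    """Every SSN-shaped match, before any exclusion (what the raw policy sees)."""
    return [m.group() for m in SSN_RE.finditer(text)]


def near_keywords(text, start, end, before_kw, after_kw, window=8):
    """True when before_kw occurs within `window` characters before the match
    and after_kw within `window` characters after it."""
    pre = text[max(0, start - window):start]
    post = text[end:end + window]
    return before_kw in pre and after_kw in post


def detect(text, exclusions=DEFAULT_EXCLUSIONS, window=8):
    """SSN-shaped matches that survive the keyword proximity exclusion."""
    hits = []
    for m in SSN_RE.finditer(text):
        if any(near_keywords(text, m.start(), m.end(), b, a, window)
               for b, a in exclusions):
            continue  # metadata noise, not an incident
        hits.append(m.group())
    return hits


if __name__ == "__main__":
    print("raw matches:  ", find_ssn_candidates(SAMPLE_TEXT))
    print("after exclusion:", detect(SAMPLE_TEXT))
```

Tighten the window to the smallest value that still covers the real fragment so that a true SSN that merely appears near a "G" or "T" elsewhere in a document is not silently dropped.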