Message body Metadata tag in O365 Excel triggering false positive incident for Endpoint Prevent


Article ID: 173645


Updated On:

Products

Data Loss Prevention Endpoint Prevent, Data Loss Prevention, Data Loss Prevention Plus Suite, Data Loss Prevention Core Package, Data Loss Prevention Endpoint Suite, Data Loss Prevention Enterprise Suite

Issue/Introduction

When a user opens an O365 Excel file, a false positive incident is created based on a metadata tag for the file name.

Examples:
ssn: Contract Roll UP Accounts
ssn: List of Work Orders

The "ssn:" appears to be a metadata tag for the file name.
"Contract Roll UP Accounts" and "List of Work Orders" are two file names for which the false positives are being generated.

The body of the two files does not contain any SSNs.
It does contain numbers that match the requirements for SSNs but are not SSNs, such as 388829456 or 895972402.

Environment

Data Loss Prevention 15.x Endpoint

Resolution

Set up an exclusion for the word combination that is common to almost all of the recent incidents.

In this case, the incidents have ' {"G": ' followed by a nine-digit number that mimics an SSN, followed by ' "T" '.
A keyword proximity matching condition for the G and T was used, and it eliminated the false positives.
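
The following Python sketch illustrates the logic of that exclusion; it is an added example, not Symantec DLP rule syntax and not code from this article. The sample strings, the two-token distance, and the function names are assumptions made for illustration.

```python
import re

# Nine consecutive digits that are not part of a longer digit run.
NINE_DIGITS = re.compile(r"(?<!\d)\d{9}(?!\d)")
# Alphanumeric tokens; quotes, braces and colons act as separators.
TOKEN = re.compile(r"[A-Za-z0-9]+")


def looks_like_ssn(digits):
    """Structural SSN check: area not 000/666/9xx, group not 00, serial not 0000."""
    area, group, serial = digits[:3], digits[3:5], digits[5:]
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")


def find_incidents(text, distance=2):
    """Return (kept, excluded) nine-digit matches.

    A match is excluded when the keyword G occurs within `distance` tokens
    before it and the keyword T within `distance` tokens after it.
    """
    kept, excluded = [], []
    for m in NINE_DIGITS.finditer(text):
        if not looks_like_ssn(m.group()):
            continue
        before = [t.group() for t in TOKEN.finditer(text, 0, m.start())][-distance:]
        after = [t.group() for t in TOKEN.finditer(text, m.end())][:distance]
        if "G" in before and "T" in after:
            excluded.append(m.group())
        else:
            kept.append(m.group())
    return kept, excluded


# Constructed samples: metadata shaped like the pattern in this article,
# and a body line with a nine-digit value outside that wrapper.
SAMPLE_METADATA = 'Contract Roll UP Accounts {"G": 388829456, "T": 4} {"G": 895972402, "T": 4}'
SAMPLE_BODY = "Employee SSN 123456789 on file"

if __name__ == "__main__":
    print(find_incidents(SAMPLE_METADATA))
    print(find_incidents(SAMPLE_BODY))
```

Any nine-digit value that sits between a G and a T within the distance is suppressed, including a genuine SSN, so the distance should stay as tight as the metadata format allows.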