Contextual Attributes Exceptions rule may prevent file-reader from starting (on-prem)

Article ID: 175446

Products:

Data Loss Prevention Cloud Prevent for Microsoft Office 365
Data Loss Prevention Enforce
Data Loss Prevention Cloud Detection Service

Issue/Introduction

Contextual Attributes are ONLY for cloud (REST) policies. On the versions listed under Environment, a policy containing a Contextual Attributes rule may prevent the file-reader process from starting when that policy is applied to on-prem detection servers.

Noted circumstance:

A Contextual Attribute EXCEPTION rule for Application Name > Securlet > "Office 365 Email" will prevent the file-reader from starting if it is applied to policy groups that include on-prem detection servers.

File Reader log (the process never gets past waiting for policies):

Jul 15, 2019 11:22:06 AM com.vontu.detection.execution.ExecutionInfoBuilder registerExecutionUpdateObserver

INFO: Registered matcher updater observer.

Jul 15, 2019 11:22:06 AM com.vontu.detection.policy.PolicyManager start

INFO: Waiting for policies... If this process waits for policies for long, please check MonitorController.log for policy publishing errors in MonitorController.
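The stall shown in this excerpt can be spotted automatically. The following Python script is an added example (not part of this article or of the DLP product) that parses the two-line FileReader log format above and reports how long the process has been waiting for policies; it assumes that any later PolicyManager entry means the policies arrived, and the five-minute threshold is an arbitrary choice.

```python
import re
from datetime import datetime

# Each FileReader entry in the excerpt spans two lines:
#   "Jul 15, 2019 11:22:06 AM <logger class> <method>"
#   "<LEVEL>: <message>"
HEADER_RE = re.compile(
    r"^(\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (\S+) (\S+)$")
TS_FORMAT = "%b %d, %Y %I:%M:%S %p"
WAIT_MSG = "Waiting for policies"

# The four log lines quoted in the article, used as sample input.
SAMPLE_LOG = """Jul 15, 2019 11:22:06 AM com.vontu.detection.execution.ExecutionInfoBuilder registerExecutionUpdateObserver
INFO: Registered matcher updater observer.
Jul 15, 2019 11:22:06 AM com.vontu.detection.policy.PolicyManager start
INFO: Waiting for policies... If this process waits for policies for long, please check MonitorController.log for policy publishing errors in MonitorController.
"""


def parse_entries(lines):
    """Pair each timestamp/class header with the level/message line after it."""
    entries, header = [], None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            header = (datetime.strptime(m.group(1), TS_FORMAT), m.group(2), m.group(3))
            continue
        if header:
            level, _, message = line.partition(": ")
            entries.append({"time": header[0], "cls": header[1],
                            "method": header[2], "level": level, "msg": message})
            header = None
    return entries


def check_log(text, now_str, threshold_minutes=5):
    """Seconds FileReader has been stalled waiting for policies, or None if it is not."""
    now = datetime.strptime(now_str, TS_FORMAT)
    waiting_since = None
    for e in parse_entries(text.splitlines()):
        if e["cls"].endswith(".PolicyManager"):
            # Assumption: any later PolicyManager entry means the wait ended.
            waiting_since = e["time"] if WAIT_MSG in e["msg"] else None
    if waiting_since is None:
        return None
    waited = (now - waiting_since).total_seconds()
    return waited if waited >= threshold_minutes * 60 else None


if __name__ == "__main__":
    print(check_log(SAMPLE_LOG, "Jul 15, 2019 11:40:06 AM"))  # 1080.0
```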

Environment

Affected versions:

14.6.x

15.1.x

Version 15.5.x is not affected by this issue.

Cause

The root cause is under investigation.

Resolution

1. Do not apply contextual attribute rules to policy groups that include on-prem detection servers.

2. Upgrade to DLP version 15.5 or later.

Note: It is recommended that you create a "Cloud Only" policy group whenever you use cloud-type policies. It is good practice to keep separate policy groups per detection type, for example separate groups for DAR, DIM, Cloud, and Endpoint, and to assign only the corresponding detection servers to each group; the Endpoint policy group would then include only endpoint servers and not, for instance, email servers.

Additional Information

Note that although it is a Cloud Detection Server, a Detector configured for the Web Security Service (i.e., the WSS cloud proxy, which uses the ICAP protocol to send data to the Detector) is also NOT expected to use the Contextual Attributes field. Current versions of Enforce (through 15.7 at least) still offer a "Cloud Web Proxy" option in the Contextual Attribute "Application Type". This option is no longer valid for WSS Detectors; although it will not break the Detector processes, it will never match any incident conditions and should not be used.