Group Rule applied in a DLP policy is not setting the severity as expected


Article ID: 184509


Updated On:


Data Loss Prevention


  • You have a detection rule in a policy that defaults to a Medium severity.
  • You have also defined a Group Rule in the policy that changes the severity to Low under certain circumstances.
  • However, even though the Group Rule criteria are met, the incident is still created with Medium severity.


This is by design: a Group Rule can only raise the severity of the base detection rule, never lower it.


14.x, 15.x


Redefine your policy so that the detection rule defaults to a lower severity than the level the Group Rule sets; the Group Rule can then raise the severity when its criteria are met.


See also: Severity of an incident is being set based on the total number of matches for a policy, instead of total number of matches for a rule