Group Rule applied in a DLP policy is not setting the severity as expected

Article ID: 184509

Products

Data Loss Prevention

Issue/Introduction

  • You have a detection rule in a policy that defaults to a medium severity.
  • You have also defined a Group Rule in the policy that modifies the severity to Low under certain circumstances.
  • However, you see that, even though the Group Rule criteria are met, the incident is still created with Medium severity.

Cause

This is by design: a Group Rule can only raise the severity of the base detection rule, never lower it.

Environment

14.x, 15.x

Resolution

Redefine your policy so that the detection rule defaults to a lower severity than the level of the Group Rule.
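The Cause and Resolution above can be illustrated with a small simulation. The following is an added example, not code from this article or from the DLP product: it models the severity evaluation as "the highest severity among the detection rule's default and any matched Group Rule", then contrasts the policy from the Issue section (default Medium, Group Rule set to Low) with the redefined one (default Low, Group Rule raising to Medium for the cases that are not low risk). The severity levels, the `sender_domain` attribute and the sample incidents are constructed for the illustration.

```python
from enum import IntEnum
from typing import Callable, Dict, List, Tuple


# Severity ordering assumed for this illustration (Info < Low < Medium < High).
class Severity(IntEnum):
    INFO = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# A Group Rule is modelled as a predicate over the incident's attributes plus the
# severity it applies when the predicate holds. Constructed model, not the DLP API.
GroupRule = Tuple[Callable[[Dict], bool], Severity]


def effective_severity(base: Severity, group_rules: List[GroupRule], incident: Dict) -> Severity:
    """Evaluate severity the way the article describes: a matched Group Rule
    can raise the severity above the detection rule's default, never lower it."""
    severity = base
    for condition, level in group_rules:
        if condition(incident) and level > severity:
            severity = level
    return severity


def original_policy(incident: Dict) -> Severity:
    """Policy from the Issue section: default Medium, Group Rule tries to set Low
    for a trusted sender. The Low never takes effect because it is a decrease."""
    base = Severity.MEDIUM
    rules: List[GroupRule] = [
        (lambda i: i["sender_domain"] == "partner.example", Severity.LOW),
    ]
    return effective_severity(base, rules, incident)


def redefined_policy(incident: Dict) -> Severity:
    """Policy redefined per the Resolution: default Low, and the Group Rule
    raises severity to Medium for every sender that is *not* the trusted one."""
    base = Severity.LOW
    rules: List[GroupRule] = [
        (lambda i: i["sender_domain"] != "partner.example", Severity.MEDIUM),
    ]
    return effective_severity(base, rules, incident)


# Constructed sample incidents: same content match, different sender.
TRUSTED = {"sender_domain": "partner.example", "matches": 3}
UNTRUSTED = {"sender_domain": "external.example", "matches": 3}

if __name__ == "__main__":
    for name, policy in (("original", original_policy), ("redefined", redefined_policy)):
        print(f"{name:9s} trusted={policy(TRUSTED).name:6s} untrusted={policy(UNTRUSTED).name}")
```

The design point is the inversion of the Group Rule condition: since the engine only ever raises severity, the lowest severity you want any incident to have must be the detection rule's default, and each higher level is expressed as a Group Rule that matches the circumstances that warrant it.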


See also: Severity of an incident is being set based on the total number of matches for a policy, instead of total number of matches for a rule