Group Rule applied to policy does not lower the severity as expected

Article ID: 212836

Products

Data Loss Prevention Endpoint Prevent

Issue/Introduction

  • You have configured a policy with a detection rule that assigns a 'High' severity.
  • You want to reduce that severity to 'Info' using a Group rule when, for example, the recipient domain is on an approved list.
  • You have a response rule configured to block only when the severity is 'High'.
  • When you test the policy, however, all incidents are created with 'High' severity, including those that match the Group rule criteria.

Environment

Release : 15.x

Component : Policy

Resolution

This behavior is as designed.

The highest severity identified across the detection rule and the group rule is taken as the severity of the incident, so a group rule can raise the incident severity but cannot lower it below what the detection rule assigns.

The only way to achieve the desired result in this case is through a separate policy.
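The following model, added here as an illustration and not Symantec DLP product code, shows why the single-policy setup always blocks and why a separate policy gives the intended result. It assumes a simplified policy structure in which detection rules and group rules each carry a severity, the incident takes the highest matching severity (the behaviour the article describes as by design), and a response rule blocks only on 'High'. The rule names, the approved domain, the severity ranking and the sample messages are constructed for the example; the way the workaround splits conditions across two policies is one possible arrangement, not one the article prescribes.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Ordering used to pick the highest severity (constructed for this example).
SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3}

Message = Dict[str, str]


@dataclass
class Rule:
    name: str
    severity: str
    matches: Callable[[Message], bool]  # predicate over a message


@dataclass
class Policy:
    name: str
    detection_rules: List[Rule]
    group_rules: List[Rule] = field(default_factory=list)


def incident_severity(policy: Policy, message: Message) -> Optional[str]:
    """Severity of the incident a policy creates for a message, or None if no
    detection rule fires. The highest severity among all matching detection
    and group rules wins, which is the as-designed behaviour in the article."""
    matched = [r for r in policy.detection_rules if r.matches(message)]
    if not matched:
        return None  # no detection rule matched, so no incident at all
    matched += [r for r in policy.group_rules if r.matches(message)]
    return max((r.severity for r in matched), key=SEVERITY_RANK.__getitem__)


def response_blocks(severity: Optional[str]) -> bool:
    """Response rule configured to block only when the severity is High."""
    return severity == "High"


def evaluate(policies: List[Policy], message: Message) -> List[Tuple[str, str, bool]]:
    """Return (policy name, incident severity, blocked?) for each policy that
    produces an incident for the message."""
    results = []
    for policy in policies:
        sev = incident_severity(policy, message)
        if sev is not None:
            results.append((policy.name, sev, response_blocks(sev)))
    return results


# Constructed conditions and sample data.
APPROVED_DOMAINS = {"partner.example"}


def contains_ssn(msg: Message) -> bool:
    return "SSN" in msg["body"]


def recipient_approved(msg: Message) -> bool:
    return msg["recipient"].rsplit("@", 1)[1] in APPROVED_DOMAINS


# The setup from the article: one policy with a High detection rule and an
# Info group rule for approved recipients.
SINGLE_POLICY = [
    Policy(
        name="PII outbound",
        detection_rules=[Rule("SSN in body", "High", contains_ssn)],
        group_rules=[Rule("Approved recipient domain", "Info", recipient_approved)],
    )
]

# The workaround: separate policies, each detection rule carrying the severity
# intended for its recipients (assumed arrangement, not from the article).
SPLIT_POLICIES = [
    Policy("PII to approved partners",
           [Rule("SSN to approved domain", "Info",
                 lambda m: contains_ssn(m) and recipient_approved(m))]),
    Policy("PII to other recipients",
           [Rule("SSN to unapproved domain", "High",
                 lambda m: contains_ssn(m) and not recipient_approved(m))]),
]

SAMPLE_TO_PARTNER = {"recipient": "alice@partner.example",
                     "body": "Customer SSN: 000-00-0000"}
SAMPLE_TO_OTHER = {"recipient": "bob@other.example",
                   "body": "Customer SSN: 000-00-0000"}

if __name__ == "__main__":
    print("single policy, approved recipient:", evaluate(SINGLE_POLICY, SAMPLE_TO_PARTNER))
    print("split policies, approved recipient:", evaluate(SPLIT_POLICIES, SAMPLE_TO_PARTNER))
    print("split policies, other recipient:", evaluate(SPLIT_POLICIES, SAMPLE_TO_OTHER))
```

With the single policy, the approved-domain message still matches the High detection rule, so the incident is High and the response rule blocks it regardless of the Info group rule. With the split policies, the approved-domain message only fires the policy whose detection rule is already Info, so nothing blocks, while messages to other domains are still blocked at High.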