
Group Rule applied to policy does not lower the severity as expected


Article ID: 212836




Data Loss Prevention Endpoint Prevent


  • You have configured a policy with a detection rule assigning a 'High' severity
  • You want to reduce that severity to 'Info' using a Group rule if, for example, the recipient domain is on an approved list
  • You have a response rule configured to block only when the severity is 'High'
  • When you test the policy, however, you find that all incidents are created with 'High' severity, including the ones that match the Group rule criteria


Release : 15.x

Component : Policy


This behavior is as designed.

When more than one rule in a policy matches, the highest severity among the matched rules, whether a detection rule or a Group rule, is taken as the severity of the incident. A Group rule can therefore only raise the severity of an incident, never lower it below what the detection rule in the same policy assigned.

The only way to achieve the desired result in this case is through a separate policy.
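The following is an added example, not Symantec DLP code or configuration: a small model of the severity resolution described above, showing why the 'Info' Group rule never wins against the 'High' detection rule in one policy, and one way a separate policy gives the desired result. The rule conditions, the approved-domain list, and the scoping of the two workaround policies are constructed assumptions for illustration.

```python
# Added example, not Symantec DLP code: a model of how incident severity is
# resolved when several rules in one policy match, plus the separate-policy workaround.
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}
APPROVED_DOMAINS = {"partner.example"}  # constructed approved-recipient list


def recipient_domain(event):
    return event["recipient"].rsplit("@", 1)[-1].lower()


def severity_for_incident(policy, event):
    """Evaluate one policy against an event.

    Returns None when the policy does not apply or no detection rule matches
    (no incident). Otherwise returns the HIGHEST severity among every matched
    rule, detection rules and group rules alike: a group rule cannot lower the
    severity that a detection rule in the same policy assigned.
    """
    if not policy["applies_to"](event):
        return None
    matched = [r for r in policy["rules"] if r["matches"](event)]
    if not any(r["kind"] == "detection" for r in matched):
        return None
    return max((r["severity"] for r in matched), key=SEVERITY_RANK.__getitem__)


def response(severity):
    """Response rule from the article: block only when severity is high."""
    return "block" if severity == "high" else "allow"


# Constructed rules: a detection rule rated High and a group rule rated Info.
CONTAINS_SSN = {"kind": "detection", "severity": "high",
                "matches": lambda e: "SSN" in e["body"]}
APPROVED_GROUP = {"kind": "group", "severity": "info",
                  "matches": lambda e: recipient_domain(e) in APPROVED_DOMAINS}

# As configured in the article: one policy holding both rules.
single_policy = {"applies_to": lambda e: True, "rules": [CONTAINS_SSN, APPROVED_GROUP]}

# Assumed workaround: one policy scoped to approved domains with the detection
# rule rated Info, and a second policy for every other recipient rated High.
approved_policy = {"applies_to": lambda e: recipient_domain(e) in APPROVED_DOMAINS,
                   "rules": [dict(CONTAINS_SSN, severity="info")]}
other_policy = {"applies_to": lambda e: recipient_domain(e) not in APPROVED_DOMAINS,
                "rules": [CONTAINS_SSN]}

# Constructed sample events: same content, approved and non-approved recipient.
EVENT_APPROVED = {"recipient": "alice@partner.example", "body": "SSN 123-45-6789"}
EVENT_OTHER = {"recipient": "bob@mail.example", "body": "SSN 123-45-6789"}
```

With `single_policy` the approved-recipient event still resolves to 'high' and is blocked; with the two scoped policies it resolves to 'info' and is allowed, while the non-approved event remains 'high'.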