DLP Agent Conditions troubleshooting

Article ID: 255440

Products

Data Loss Prevention

Issue/Introduction

The agent is not detecting as expected when a policy uses conditions such as an AD (directory) group condition.

Resolution

Several checks are needed to confirm whether an agent has actually received the policy conditions.

1.) Export the conditions from the database.

Use SQL Developer (or another database client) to log in and open Protect -> Views -> ConditionView. Then open the Data tab and export all of the entries.

Alternatively, run this SQL script against the Protect database. Note that the script is the definition of ConditionView (a CREATE OR REPLACE VIEW), so it (re)creates the view rather than returning rows; query the view afterwards to export its entries:

  CREATE OR REPLACE FORCE EDITIONABLE VIEW "PROTECT"."CONDITIONVIEW" ("CONDITIONID", "NAME", "TYPE") AS
    SELECT /*+ MATERIALIZE */ "CONDITIONID","NAME","TYPE"
    FROM (
      SELECT conditionid, name, type FROM SenderCondition
      UNION ALL
      SELECT conditionid, name, type FROM RecipientCondition
      UNION ALL
      SELECT conditionid, name, type FROM DocumentMetaInfoCondition
      UNION ALL
      SELECT conditionid, name, type FROM PatternCondition
      UNION ALL
      SELECT conditionid, name, type FROM DatabaseInfoCondition
      UNION ALL
      SELECT conditionid, name, type FROM DocumentSizeCondition
      UNION ALL
      SELECT conditionid, name, type FROM KeywordCondition
      UNION ALL
      SELECT conditionid, name, type FROM DocumentNameCondition
      UNION ALL
      SELECT conditionid, name, type FROM ProtocolCondition
      UNION ALL
      SELECT conditionid, name, type FROM DocumentProfileCondition
      UNION ALL
      SELECT conditionid, name, type FROM SenderProfileCondition
      UNION ALL
      SELECT conditionid, name, type FROM RecipientProfileCondition
      UNION ALL
      SELECT conditionid, name, type FROM DataIdentifierCondition
      UNION ALL
      SELECT conditionid, name, type FROM UniversalMetadataCondition
      UNION ALL
      SELECT conditionid, name, type FROM DirectoryGroupCondition
      UNION ALL
      SELECT conditionid, name, type FROM ConditionGroup
      UNION ALL
      SELECT conditionid, name, type FROM BinaryScriptMatchCondition
      UNION ALL
      SELECT conditionid, name, type FROM MachineLearningCondition
      UNION ALL
      SELECT conditionid, name, type FROM DeviceCondition
      UNION ALL
      SELECT conditionid, name, type FROM MapiAttributeCondition
      UNION ALL
      SELECT conditionid, name, type FROM FormRecognitionCondition
      UNION ALL
      SELECT conditionid, name, type FROM ContextualAttribCondition
      UNION ALL
      SELECT conditionid, name, type FROM IctTagCondition
      UNION ALL
      SELECT conditionid, name, type FROM AipCondition
      UNION ALL
      SELECT conditionid, name, type FROM IcaCondition
      UNION ALL
      SELECT conditionid, name, type FROM StructuredDataIdCondition
    );

2.) Set the agent logging level to FINEST and restart the agent.

3.) Gather the endpoint logs and search for the "Adding Condition" string. Compare the condition IDs found there against the expected conditions from the database view. If a condition ID from the view also appears on the agent, that condition has been delivered to the agent and is active for detection.

Example log:  FINEST  | Detection.CompiledConditionStore | Adding Condition: 50

The numeric TYPE values used by the view are listed under Additional Information.
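The comparison in the last step can be scripted instead of done by eye. The following Python is an added example, not part of the article or of the DLP product: it parses a CSV export of ConditionView, extracts every "Adding Condition: <id>" line from an agent log, and reports which database conditions the agent never loaded, labelling each with the TYPE name from the list in Additional Information. The CSV rows, log lines and condition names are constructed for the example; the log line format is modelled on the example line above, and the column names follow the view definition.

```python
import csv
import io
import re
import sys

# Condition TYPE codes, copied from the article's "Additional Information" list.
CONDITION_TYPES = {
    0: "UNKNOWN", 1: "SENDER", 2: "RECIPIENT", 3: "DOCTYPE", 4: "REGEX",
    5: "DATABASEINFO", 6: "COMPOUND", 7: "DOCSIZE", 8: "KEYWORD", 9: "DOCNAME",
    10: "PROTOCOL", 11: "DOCPROFILE", 12: "SENDERPROFILE", 13: "RECIPIENTPROFILE",
    14: "DATAIDENTIFIER", 15: "UNIVERSAL_METADATA", 16: "FILE_TYPE_SCRIPT",
    17: "CHANNEL", 18: "DIRECTORY_GROUP",
}

# Constructed sample of a ConditionView export (columns CONDITIONID, NAME, TYPE).
# The IDs and names are made up for this example.
SAMPLE_VIEW_EXPORT = """CONDITIONID,NAME,TYPE
50,Finance AD group,18
51,SSN pattern,4
52,Confidential keyword,8
"""

# Constructed sample of agent log lines at FINEST level. The "Adding Condition"
# lines follow the format of the example line in the article; the rest is filler.
SAMPLE_AGENT_LOG = """FINEST  | Detection.CompiledConditionStore | Adding Condition: 50
INFO    | Agent.Main | heartbeat sent
FINEST  | Detection.CompiledConditionStore | Adding Condition: 52
"""

# Matches the condition ID in "Detection.CompiledConditionStore | Adding Condition: <id>".
ADDING_RE = re.compile(r"CompiledConditionStore\s*\|\s*Adding Condition:\s*(\d+)")


def parse_view_export(text):
    """Parse a CSV export of ConditionView into {conditionid: (name, type_code)}."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["CONDITIONID"]): (row["NAME"], int(row["TYPE"])) for row in reader}


def parse_agent_log(text):
    """Return the set of condition IDs the agent logged as added to its store."""
    return {int(m.group(1)) for m in ADDING_RE.finditer(text)}


def compare_conditions(view_export, agent_log):
    """Compare the database view export against the agent log.

    Returns a dict with:
      loaded     - IDs present in both the database export and the agent log
      missing    - {id: (name, type_name)} for database conditions the agent never added
      unexpected - IDs the agent added that are not in the database export
    """
    expected = parse_view_export(view_export)
    loaded = parse_agent_log(agent_log)
    missing = {
        cid: (name, CONDITION_TYPES.get(tcode, f"TYPE_{tcode}"))
        for cid, (name, tcode) in expected.items()
        if cid not in loaded
    }
    return {
        "loaded": sorted(loaded & set(expected)),
        "missing": missing,
        "unexpected": sorted(loaded - set(expected)),
    }


def report(result):
    """Format the comparison result as human-readable lines."""
    lines = [f"conditions delivered to agent: {result['loaded']}"]
    for cid, (name, tname) in sorted(result["missing"].items()):
        lines.append(f"MISSING on agent: id={cid} type={tname} name={name!r}")
    if result["unexpected"]:
        lines.append(f"on agent but not in database export: {result['unexpected']}")
    return lines


if __name__ == "__main__":
    # Usage: python check_conditions.py conditionview.csv agent.log
    # With no arguments the constructed samples above are used.
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as f:
            view_text = f.read()
        with open(sys.argv[2], encoding="utf-8", errors="replace") as f:
            log_text = f.read()
    else:
        view_text, log_text = SAMPLE_VIEW_EXPORT, SAMPLE_AGENT_LOG
    print("\n".join(report(compare_conditions(view_text, log_text))))
```

With the constructed samples, condition 51 (type REGEX) is reported as missing on the agent, which is the case the article's steps are meant to surface: a condition that exists in the database but was never added to the agent's CompiledConditionStore will not fire, regardless of how the policy looks in the console. Filtering the missing set on type DIRECTORY_GROUP narrows the output to the AD group case described in the issue.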

Additional Information

0 UNKNOWN
1 SENDER
2 RECIPIENT
3 DOCTYPE
4 REGEX
5 DATABASEINFO
6 COMPOUND
7 DOCSIZE
8 KEYWORD
9 DOCNAME
10 PROTOCOL
11 DOCPROFILE
12 SENDERPROFILE
13 RECIPIENTPROFILE
14 DATAIDENTIFIER
15 UNIVERSAL_METADATA
16 FILE_TYPE_SCRIPT
17 CHANNEL
18 DIRECTORY_GROUP