How to exclude unwanted Unknown File Types from Network Prevent for Web detection.



Article ID: 272839


Products

- Data Loss Prevention Enterprise Suite
- Data Loss Prevention Network Monitor and Prevent for Web
- Data Loss Prevention Network Monitor and Prevent for Email and Web
- Data Loss Prevention Network Web

Issue/Introduction

We have a policy that looks for unknown file types; however, it also matches cookies, and we need to exclude such unwanted detections.

Environment

Release : 16.0

Resolution

Suggested ways to exclude the unwanted incidents when monitoring all "Unknown File Types" would be as follows: 

1. In your policy add a rule to monitor the file size above the typical size of these files to exclude them.
2. Think of identity-based exceptions for either the sender or the recipient URL i.e. if you expect that a specific website will generate lots of these incidents you don't want exclude that domain. 
3. In some cases you can eliminate unwanted non-user-generated traffic on the proxy side so it doesn't reach the detection servers. 
4. If these unwanted/invalid incidents are browser tracking there certainly should be some common pattern in the message body for these incidents. So if these unwanted incidents all share some sort of common keyword or text pattern in the message body you might be able to use that in an exclusion rule. For example: "dd-request-id" is present in your sample incident. With that said at the same time you must ensure this does not lead to the exclusion of valid incidents and you would need to check the message body of previous legitimate incidents. It would take some investigation into identifying the valid from invalid incidents.