Severity of an incident set by number of matches by policy not by rule

book

Article ID: 160765

calendar_today

Updated On:

Products

Data Loss Prevention Endpoint Prevent Data Loss Prevention Network Monitor Data Loss Prevention Network Prevent for Email Data Loss Prevention Network Prevent for Web Data Loss Prevention Network Protect Data Loss Prevention Endpoint Discover

Issue/Introduction

Severity of an incident is being set based on the total number of matches for a policy, instead of total number of matches for a rule.

Resolution

The root cause appears to be part of the design of applying severities, Symantec DLP only creates and operates a single incident per policy. Enhancement PM-760 has been filed for the observed behavior.

As reference see the DLP Administration Guide:
The system supports fine-grained policy development. Each detection rule within
a policy is assigned a severity level. The detection engine determines the overall
severity of an incident by the highest severity rule triggered. You can apply a
detection rule to a specific message component, such as the header, body, or
attachments.

At this point, the only real workaround we could propose would be to create separate policies for the various severities.  In that way, their process could be to track all incidents but only react to high severity ones. 

If in case you want to set severity level of incident based on overall match count, you can try below work around.

  1. Keep default severity level in all rules as Info
  2. Add Severity conditions in each rule shown in attached figure.

For example:

  • Set severity to Low if when match count is greater than or equals 5
  • Set severity to Medium if when match count is greater than or equals 10
  • Set severity to High if when match count is greater than or equals 50

Afterwards, set appropriate Response Rules then based on severities:

Attachments