Hi @nduda ,

I think what you want is NOT (( P0 OR C0 ) NEAR (C1 OR C2))

Not sure, but hope it helps.

Regards,

Òscar

No go. I don't think using NOT for this scenario is possible. 

 Invalid syntax in rule expression, check the position of the NEAR operator along with opening and closing parenthesis.

Hello @nduda , you're right.

I'm afraid this is the only way to achieve what you want:

(P0 NEAR P2) OR (P0 NEAR P3) OR (P1 NEAR P2) OR (P1 NEAR P3)

Don't know the performance impact of a DLP rule like this.... you may check with support or PPSS.

PS: likes are appreciated.

Regards,

Òscar

This doesn't address the "NOT NEAR" though.

here is the real world use case. We have employees that like to communicate Zoom links with the password. If we just use any password detection DLP rule it will trigger on these. We don't want to trigger on if a password is present near a specific zoom URL (e.g. https://acme.zoom.us). 

Hello @nduda ,

you're right. I forgot the negation. You just need to add a NOT before. The mistake was easy to spot:

NOT ( (P0 NEAR P2) OR (P0 NEAR P3) OR (P1 NEAR P2) OR (P1 NEAR P3) )

If I was you I would invest a abit of time on researching the docs and testing carefully instead of just asking for the solution, copy/pasting and responding "does not work". I didn't give you the solution but the idea was right. You just did not analyze it enough to see it.

Being polite and thankful also helps to build community and encourages people to keep helping each other. I hope you understand.

Said that, I hope it helped.

Kind regards,

Òscar