AND Operator Value in DLP Rules

I am trying to determine when a DLP Rule needs to leverage the NEAR operator versus the AND operator. In one example incident, a DLP Rule defined as (P1 NEAR P2) appears to have been triggered when the two entities were over 10,000 characters apart.

What is the default value of the AND operator, is it truly more than 10,000 characters?

Page 1 / 1

As per my experience there is no proximity value with AND operator. It will scan and detect terms or number in specific Document.

Proximity works only with Near Operator only

@Sakee,

AND has no proximity limit as @deepakk mentioned. It will match if the two entities specified with the AND operator are present in the object being scanned (document, message, email, edited text, etc). The AND operator should be used when both entities need to be matched regardless of proximity. NEAR has a customizable proximity and should be used to match entities when they are expected to be near one another or to reduce false positives. Proximity often indicates a higher likelihood that the entities are a true positive.

Reply

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded