
I have a Real Time Protection DLP rule that is blocking uploads to unauthorized cloud storage sites. This rule hit when a user uploaded an invoice to a platform we use, Divvy. Divvy's storage is backed by S3. As such, the event shows that there was an Upload action on S3, with the referrer being https://app.divvy.co.

 

As this platform is trusted and will be in frequent use, I want to whitelist these actions. As such, I:

  • created an HTTP Header policy, designating that I want to check the Referrer header, and set the value to https://app.divvy.co
  • created an RTP policy above the existing DLP policy that is blocking (well, alerting the user on) the upload. The policy allows Upload to S3 if the referrer matches the one I created above.
    NOTE: The Allow policy, while above the Block policy, is in a different policy group. I don't think this matters, but figured it was worth stating.

 

Of course - you know where this is going. The action continues to be alerted on, despite the explicit allow. I have added screenshots to demonstrate the policies, placement, and alert. Any guidance is helpful, as it seems to me this should be working, so I am left thinking I have a fundamental misunderstanding of how the policies function.

Did you ever get this sorted out? 

 


Appears to be set up correctly in policy.

Always remember you have to put in the “exact” URL the way it shows in the referer.

Exact: https://app.divvy.co/  

May try regex as well if needed … https://app.divvy.co/.*

Look to make sure no further referers are showing etc.


The policy you have created should apply, as the HTTP Header looks good, policy ordering is good, and policy setup is good. If this is still persisting I would recommend opening a support ticket to investigate what is happening.
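The exact-versus-regex point from the replies above, as an added example that is not part of the original thread and does not reproduce the product's own matching logic. It assumes plain string equality for "exact" and an unanchored regex search; the sample Referer values, the `STRICT_REGEX` pattern and all function names are constructed for illustration.

```python
import re

# Constructed Referer values; only the first two forms appear in the thread.
SAMPLE_REFERERS = [
    "https://app.divvy.co",                  # value entered in the header profile
    "https://app.divvy.co/",                 # origin with trailing slash
    "https://app.divvy.co/invoices/upload",  # constructed full-path referer
    "https://app-divvy.co/",                 # constructed lookalike host
]

EXACT_NO_SLASH = "https://app.divvy.co"
EXACT_SLASH = "https://app.divvy.co/"
LOOSE_REGEX = r"https://app.divvy.co/.*"          # as suggested in the thread
STRICT_REGEX = r"^https://app\.divvy\.co(/.*)?$"  # assumption: dots escaped, anchored


def exact_match(profile_value, referer):
    """Assumed 'exact' semantics: byte-for-byte string equality."""
    return referer == profile_value


def regex_match(pattern, referer):
    """Assumed regex semantics: unanchored search, as many matchers do."""
    return re.search(pattern, referer) is not None


def evaluate(referers):
    """Return, per Referer value, which of the four profile styles would match."""
    return {
        r: {
            "exact_no_slash": exact_match(EXACT_NO_SLASH, r),
            "exact_slash": exact_match(EXACT_SLASH, r),
            "loose_regex": regex_match(LOOSE_REGEX, r),
            "strict_regex": regex_match(STRICT_REGEX, r),
        }
        for r in referers
    }


if __name__ == "__main__":
    for referer, result in evaluate(SAMPLE_REFERERS).items():
        hits = [name for name, ok in result.items() if ok] or ["no match"]
        print(f"{referer:40} -> {', '.join(hits)}")
```

Browsers applying the default `strict-origin-when-cross-origin` referrer policy send only the origin, with a trailing slash, on cross-origin requests, which is the second sample value. Compare the Referer recorded in the alert event character for character against the profile value before changing policy order.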

