
DLP Rule Processing

gian202b
Partner

How does Netskope process DLP Rules?

I have a few different DLP Policies in place (i.e., GLBA / Financial / PII / CCPA - in that order specifically and all Allow rules) - I know there is overlap in terms of what these rules look for.

The question is, if a document matches the GLBA rule, will it still process the subsequent DLP rules?

Furthermore, if a document contains both a US Bank Account and an SSN, will the document report both hits? Or just 1?

1 ACCEPTED SOLUTION
jason
Moderator

I'm guessing you mean inline and not API-based policies (API everything is evaluated). If the DLP policies are in separate Real-Time Protection policies, then it will fire on the first match and exit (top-down). There is a new feature that can be turned on, in the backend, called "Alert and Continue" that will allow you to process multiple policies until a block is triggered. In general, if you have multiple DLP policies in a single RTP policy, then all of them will be evaluated, but only the most restrictive action will trigger.

As for your second question, it depends on how the DLP rule is configured. If both are part of the rule, then both will hit. Entities inside of a rule are AND'd. Rules inside of a Policy are OR'd. Unless you are mixing Financial and PII entities in a custom rule, US Bank Account numbers and SSN will not fire together.

In the screenshot, INTL-PAN-Exp-Address must all have hits together to fire that rule. The other rules are variations, but all data in the rule must hit for a match.

Screen Shot 2022-10-17 at 3.23.09 PM.png

Regards,
Jason Sheffield
SE Ops
North America
jason@netskope.com
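
The evaluation order described in the answer above, as an added example that is not part of the original post and is not Netskope code: a simplified Python model of top-down RTP matching, AND'd entities, OR'd rules and "Alert and Continue". The per-DLP-policy action, the restrictiveness ordering, and all policy, rule and entity names are constructed assumptions.

```python
# Added illustration: a simplified model of the evaluation order described in
# the answer above. Not Netskope code; names, actions and data are constructed.
SEVERITY = {"allow": 0, "alert": 1, "block": 2}  # assumed restrictiveness order

def rule_matches(entities, found):
    """Entities inside a rule are AND'd: all must be present in the document."""
    return set(entities) <= set(found)

def profile_hits(profile, found):
    """Rules inside a DLP policy are OR'd: any matching rule is a hit."""
    return [name for name, ents in profile["rules"].items()
            if rule_matches(ents, found)]

def evaluate(rtp_policies, found, alert_and_continue=False):
    """Walk RTP policies top-down; stop at the first match unless
    alert_and_continue is set, in which case stop at the first block."""
    fired = []
    for rtp in rtp_policies:
        hits = {}
        for prof in rtp["dlp"]:          # every DLP policy in the RTP policy runs
            matched = profile_hits(prof, found)
            if matched:
                hits[prof["name"]] = matched
        if not hits:
            continue
        # Only the most restrictive action among the matching DLP policies triggers.
        action = max((p["action"] for p in rtp["dlp"] if p["name"] in hits),
                     key=SEVERITY.__getitem__)
        fired.append((rtp["name"], action, hits))
        if action == "block" or not alert_and_continue:
            break
    return fired

# Constructed sample DLP policies and a document containing both entity types.
FINANCIAL = {"name": "Financial", "action": "alert",
             "rules": {"bank-acct": ["us_bank_account"]}}
PII = {"name": "PII", "action": "block",
       "rules": {"ssn": ["ssn"], "ssn-and-address": ["ssn", "address"]}}
DOC = {"us_bank_account", "ssn"}

SEPARATE = [{"name": "rtp-financial", "dlp": [FINANCIAL]},
            {"name": "rtp-pii", "dlp": [PII]}]
COMBINED = [{"name": "rtp-all", "dlp": [FINANCIAL, PII]}]

if __name__ == "__main__":
    print(evaluate(SEPARATE, DOC))                           # first match only
    print(evaluate(SEPARATE, DOC, alert_and_continue=True))  # both RTP policies
    print(evaluate(COMBINED, DOC))                           # most restrictive
```

With the two DLP policies in separate RTP policies, the SSN hit is never reported in the default mode because evaluation exits at the first match.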
