I have a Real Time Protection DLP rule that is blocking uploads to unauthorized cloud storage sites. This rule hit when a user uploaded an invoice to a platform we use, Divvy. Divvy's storage is backed by S3. As such, the event shows that there was an Upload action on S3, with the referrer being https://app.divvy.co.
As this platform is trusted and will be in frequent use, I want to whitelist these actions. As such, I:
created an HTTP Header policy, designating that I want to check the Referrer header, and set the value to https://app.divvy.co
created an RTP policy above the existing DLP policy that is blocking (well, alerting the user on) the upload. The policy allows Upload to S3 if the referrer matches the one I created above. NOTE: The Allow policy, while above the Block policy, is in a different policy group. I don't think this matters, but figured it was worth stating.
Of course - you know where this is going. The action continues to be alerted on, despite the explicit allow. I have added screenshots to demonstrate the policies, placement, and alert. Any guidance is helpful, as it seems to me this should be working, so I am left thinking I have a fundamental misunderstanding of how the policies function.
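The post hinges on whether the Referer value seen in the event actually matches the value configured in the header policy. As an added illustration (not the poster's configuration and not any vendor's matching engine), the constructed evaluator below compares the three matching semantics a practitioner would want to distinguish when debugging an allow rule like this: exact string match, origin (scheme plus host) match, and prefix match. The sample Referer values are made up for the example; whether a real product uses exact or origin matching is an assumption to be confirmed in that product's documentation.

```python
from urllib.parse import urlsplit

# Allow-list value as the poster configured it (copied from the post).
CONFIGURED_REFERRER = "https://app.divvy.co"


def origin_of(url: str) -> str:
    """Return scheme://host (lower-cased) for a URL, ignoring path and query."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def matches_exact(referer: str, configured: str) -> bool:
    """Byte-for-byte comparison; a trailing slash or any path breaks it."""
    return referer == configured


def matches_origin(referer: str, configured: str) -> bool:
    """Compare only scheme and host, so deep links on the same app still match."""
    return origin_of(referer) == origin_of(configured)


def matches_prefix(referer: str, configured: str) -> bool:
    """Loose string prefix match; note it also accepts look-alike hosts."""
    return referer.startswith(configured)


def evaluate(referer: str, configured: str = CONFIGURED_REFERRER) -> dict:
    """Run all three semantics so the differences are visible side by side."""
    return {
        "exact": matches_exact(referer, configured),
        "origin": matches_origin(referer, configured),
        "prefix": matches_prefix(referer, configured),
    }


# Constructed sample Referer values a browser might send during an upload flow.
SAMPLE_REFERERS = [
    "https://app.divvy.co",                  # bare origin, no path
    "https://app.divvy.co/",                 # trailing slash only
    "https://app.divvy.co/expenses/upload",  # deep link inside the app
    "https://app.divvy.co.evil.example/",    # look-alike host (constructed)
]

if __name__ == "__main__":
    for ref in SAMPLE_REFERERS:
        print(f"{ref:45} {evaluate(ref)}")
```

The comparison shows why a bare-origin allow value can silently fail to match an upload initiated from a page deeper in the application under exact semantics, and why a plain prefix match is the wrong fix: it would also admit the look-alike host, whereas origin matching accepts every page on the real host and rejects the impostor.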