Solved

DLP Rule Processing

  • 13 October 2022


How does Netskope process DLP Rules?

I have a few different DLP Policies in place (i.e. GLBA / Financial / PII / CCPA - in that order specifically and all Allow rules) - I know there is overlap in terms of what these rules look for.

The question is, if a document matches the GLBA rule, will it still process the subsequent DLP rules?

Furthermore, if a document contains both a US Bank Account and an SSN, will the document report both hits? Or just 1?


Best answer by jason 17 October 2022, 22:28


I'm guessing you mean inline and not API-based policies (with API, everything is evaluated). If the DLP policies are in separate Real-Time Protection policies, then it will fire on the first match and exit (top-down). There is a new feature that can be turned on, in the backend, called "Alert and Continue" that will allow you to process multiple policies until a block is triggered. In general, if you have multiple DLP policies in a single RTP policy, then all of them will be evaluated, but only the most restrictive action will trigger.

As for your second question, it depends on how the DLP rule is configured. If both are part of the rule, then both will hit. Entities inside of a rule are AND'd. Rules inside of a Policy are OR'd. Unless you are mixing Financial and PII entities in a custom rule, US Bank Account numbers and SSN will not fire together.

In the screenshot, INTL-PAN-Exp-Address must all have hits together to fire that rule. The other rules are variations, but all data in the rule must hit for a match.

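The evaluation order described in the answer above, as an added example that is not part of the original thread and is not Netskope code: a small Python model of top-down first match, "Alert and Continue", and AND/OR matching. The class names, the per-policy action field, the action ordering and the sample entities are assumptions made for illustration.

```python
from dataclasses import dataclass

# Least to most restrictive; this ordering is an assumption of the model.
SEVERITY = {"allow": 0, "alert": 1, "block": 2}

@dataclass
class Rule:
    name: str
    entities: set          # every entity must be found (AND)

@dataclass
class DlpPolicy:
    name: str
    rules: list            # any one matching rule is enough (OR)
    action: str            # per-policy action is an assumption

@dataclass
class RtpPolicy:
    name: str
    dlp_policies: list

def evaluate(rtp_policies, found, alert_and_continue=False):
    """Walk RTP policies top-down; return [(rtp name, action, {dlp: [rules]})]."""
    results = []
    for rtp in rtp_policies:
        hits = {}
        for dlp in rtp.dlp_policies:
            names = [r.name for r in dlp.rules if r.entities <= found]
            if names:
                hits[dlp.name] = names
        if not hits:
            continue
        # Every DLP policy in one RTP policy is evaluated; strictest action wins.
        action = max((d.action for d in rtp.dlp_policies if d.name in hits),
                     key=SEVERITY.get)
        results.append((rtp.name, action, hits))
        if action == "block" or not alert_and_continue:
            break          # default behaviour: first match exits
    return results

# Constructed sample data, not a real tenant configuration.
GLBA = DlpPolicy("GLBA", [Rule("bank", {"us_bank_account"})], "alert")
PII = DlpPolicy("PII", [Rule("ssn", {"ssn"})], "alert")
CUSTOM = DlpPolicy("Custom", [Rule("bank+ssn", {"us_bank_account", "ssn"})], "block")
CCPA = DlpPolicy("CCPA", [Rule("ssn", {"ssn"})], "alert")
SEPARATE = [RtpPolicy(f"rtp-{d.name}", [d]) for d in (GLBA, PII, CUSTOM, CCPA)]
COMBINED = [RtpPolicy("rtp-all", [GLBA, PII, CUSTOM, CCPA])]

if __name__ == "__main__":
    print(evaluate(SEPARATE, {"us_bank_account", "ssn"}, alert_and_continue=True))
```
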