Using Gmail, you can save .eml files into a drop folder to make sure a policy will generate incidents as expected.
Note: The Drop folder only processes the email for detection. It will not actually send the email to the recipient.
Note: For the Drop folder to function, the 'Copy Rule' channel needs to be added to BoxMonitor.Channels in the Server Settings of the Detection Server.
Within the Symantec DLP Enforce UI (Administration -> Overview) you will notice that the processed messages increased by 1.
If an incident was created from the test email, it will have a timestamp from when the email was actually saved. You can sort the incident list by incident ID. Since the test email was one of the latest ones to trigger an incident, it should show up with one of the higher incident ID numbers.
If the email has a date/time specified within it, the incident will be processed using that date/time. If no date/time is specified in the test email, the current date/time when the incident is actually processed will be used (this is the recommended approach for testing).
You can also use the following sample text to create a simple .eml file for testing purposes...
From: [email protected]
To: [email protected]
Subject: This is a keyword test
MIME-Version: 1.0
Content-Type: text/plain;

This test should detect on the following keywords…
- dlpkeyword
Symantec Test Email
The above email is a stripped down email that contains the minimum amount of data. In this case we are testing the keyword "dlpkeyword". Simply modify the above email as needed, then save it as a .eml file and drop it into the SMTP drop folder for processing.
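The steps above can also be scripted. The following is an added example, not part of the original article or of Symantec's tooling: it builds the same minimal keyword message without a Date header (so the incident takes the processing time), can strip the Date header from an .eml saved from a mail client, and writes the result into the drop folder. The example.com addresses, the output file name and the drop folder path passed on the command line are assumptions.

```python
import os
import sys
from email import message_from_bytes, policy
from email.message import EmailMessage


def build_test_eml(keyword, sender="sender@example.com",
                   rcpt="recipient@example.com"):
    """Build the minimal keyword test message. No Date header is set on
    purpose, so the incident is stamped with the processing time."""
    msg = EmailMessage()
    msg["From"] = sender          # placeholder address (assumption)
    msg["To"] = rcpt              # placeholder address (assumption)
    msg["Subject"] = "This is a keyword test"
    msg.set_content(
        "This test should detect on the following keywords...\n"
        f"- {keyword}\n"
        "Symantec Test Email\n"
    )
    return msg.as_bytes(policy=policy.SMTP)   # CRLF line endings


def strip_date(eml_bytes):
    """Remove every Date header from an existing .eml (for example one
    saved from a mail client) and leave the rest of the message intact."""
    msg = message_from_bytes(eml_bytes, policy=policy.default)
    del msg["Date"]               # no error if the header is absent
    return msg.as_bytes(policy=policy.SMTP)


def drop(eml_bytes, folder, name="dlp-keyword-test.eml"):
    """Write the message into the drop folder and return the file path."""
    dest = os.path.join(folder, name)
    with open(dest, "wb") as fh:
        fh.write(eml_bytes)
    return dest


if __name__ == "__main__":
    # Usage: python make_test_eml.py <path to the SMTP drop folder>
    if len(sys.argv) == 2:
        print(drop(build_test_eml("dlpkeyword"), sys.argv[1]))
```
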