Severity of an incident set by number of matches by policy not by rule
Last Updated December 16, 2016
Severity of an incident is being set based on the total number of matches for a policy, instead of total number of matches for a rule.
The root cause appears to be part of the design of applying severities, Symantec DLP only creates and operates a single incident per policy. Enhancement PM-760 has been filed for the observed behavior.
As reference see the DLP Administration Guide: The system supports fine-grained policy development. Each detection rule within a policy is assigned a severity level. The detection engine determines the overall severity of an incident by the highest severity rule triggered. You can apply a detection rule to a specific message component, such as the header, body, or attachments.
At this point, the only real workaround we could propose would be to create separate policies for the various severities. In that way, their process could be to track all incidents but only react to high severity ones.
If in case you want to set severity level of incident based on overall match count, you can try below work around.
I>. Keep default severity level in all rules as Info II>. Add Severity conditions in each rule shown in attached figure. For example Set severity to Info if when match count is greater than or equals 3 Set severity to Low if when match count is greater than or equals 6 Set severity to Medium if when match count is greater than or equals 9 Set severity to High if when match count is greater than or equals 12
Imported Document ID: TECH222091
Subscribing will provide email updates when this Article is updated. Login is required to Subscribe