What is the difference between putting policy group conditions on the Detection tab versus the Groups tab?


Article ID: 163609


Products

Data Loss Prevention

Issue/Introduction

It is recommended that Sender/Recipient/Group based policies and exceptions be placed in the Groups tab within the policy whenever possible.

Cause

Group rules act as a filter that runs before the detection (content) rules are executed. That filtering is lost if the Group rules are configured in the Detection tab, where some content rules get executed before the identity rules.

Resolution

Detection and Group rules split between their respective tabs have an implicit AND connection (with the Group rules getting evaluated first).

Detection and Group conditions defined together in the Detection tab have an implicit OR connection (although both are still required for incident creation).

This allows a single Group rule to be AND'd with every detection rule rather than having to be duplicated for every detection rule combination.

Trace logs when the sender rule is in the Group tab:

    Detection Result:
      - Policy: testSender  (ID:58)   <no incident>
          - Condition: grp1 (DIRECTORY_GROUP,ID=1019)   <no matches>
          - Condition: KW1 (KEYWORD,ID=1014)   <not executed>
          - Condition: KW1 (PROTOCOLTYPE,ID=1017)   <not executed>
          - Condition: [data_in_motion] (CHANNEL,ID=-10)   <not executed>

Trace logs when the sender rule is in the Detection tab:

    Detection Result:
      - Policy: testSender  (ID:58)   <no incident>
          - Condition: KW1 (KEYWORD,ID=1014)   <not executed>
          - Condition: KW1 (PROTOCOLTYPE,ID=1017)   1 match
              - Component ID=-1: <no match>
              - Component ID=40: 1 match
              - Component ID=41: <no match>
          - Condition: KW1 (DIRECTORY_GROUP,ID=1018)   <no matches>
          - Condition: [data_in_motion] (CHANNEL,ID=-10)   <not executed>

As the logs show, the policy with the sender/user condition on the Group tab runs more efficiently: the group condition is evaluated first and, because it did not match, none of the content conditions was executed at all.
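As an added illustration (not Symantec DLP code), the following toy model reproduces the evaluation order the article describes and counts how many content scans each policy layout pays for. The watched sender, the keyword rule, the four messages and the assumption that content conditions run before identity conditions inside the Detection tab are all constructed for the model.

```python
from collections import namedtuple

Condition = namedtuple("Condition", "name kind")   # kind DIRECTORY_GROUP = identity check
Message = namedtuple("Message", "sender body")

# Constructed sample data: one watched sender, one keyword rule, four messages.
WATCHED_SENDERS = {"alice@example.com"}
KEYWORDS = ("confidential",)
GRP1 = Condition("grp1", "DIRECTORY_GROUP")
KW1 = Condition("KW1", "KEYWORD")
MESSAGES = [
    Message("alice@example.com", "Confidential roadmap attached"),
    Message("bob@example.com", "Confidential roadmap attached"),
    Message("carol@example.com", "lunch at noon?"),
    Message("alice@example.com", "lunch at noon?"),
]

def condition_matches(cond, msg):
    if cond.kind == "DIRECTORY_GROUP":
        return msg.sender in WATCHED_SENDERS
    return any(k in msg.body.lower() for k in KEYWORDS)   # the costly content scan

def evaluate(group_tab, detection_tab, msg):
    """Return (incident, trace); trace is a list of (condition, status).
    Group-tab conditions are AND'd with the Detect tab and evaluated first: a
    non-match short-circuits and the Detect tab is reported "not executed".
    Inside the Detect tab this model (assumption) runs content before identity."""
    trace = []
    for cond in group_tab:
        if not condition_matches(cond, msg):
            trace.append((cond, "no matches"))
            trace.extend((c, "not executed") for c in detection_tab)
            return False, trace
        trace.append((cond, "1 match"))
    incident = True
    for cond in sorted(detection_tab, key=lambda c: c.kind == "DIRECTORY_GROUP"):
        hit = condition_matches(cond, msg)
        trace.append((cond, "1 match" if hit else "no matches"))
        incident = incident and hit
    return incident, trace

def workload(group_tab, detection_tab, messages=MESSAGES):
    """(content scans actually executed, incidents created) for one policy layout."""
    scans = incidents = 0
    for msg in messages:
        incident, trace = evaluate(group_tab, detection_tab, msg)
        scans += sum(c.kind != "DIRECTORY_GROUP" and s != "not executed" for c, s in trace)
        incidents += int(incident)
    return scans, incidents
```

Both layouts create the same single incident, but `workload([GRP1], [KW1])` scans only the watched sender's two messages while `workload([], [KW1, GRP1])` scans all four.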