DLP system data identifiers miss detections

Article ID: 174449

Products

Data Loss Prevention Endpoint Prevent
Data Loss Prevention Enforce

Issue/Introduction

Symantec Data Loss Prevention (DLP)
Data Identifiers (DI)

Some sensitive data is not detected when you use the built-in DLP DIs.

Environment

Windows or macOS

Resolution

Symantec provides many data identifiers (DI) with DLP.

Rule Breadth

Each DI can have one of three levels: Wide, Medium, Narrow.

If you use Narrow, you can miss some incidents because it is very strict. Try switching to Medium or Wide, then test to make sure that you don't get too many false positives. Also, if you use Narrow, verify that there is a keyword in the content.

If you use Medium and still miss too many incidents, switch to Wide. Again, test to make sure that you don't get too many false positives.

Apply Policy to a Configuration

Create a policy and apply that policy to the configuration that contains the endpoints you want to monitor.

Verify whether the content matches the 'Match Counting' options in the data identifier rule. If the content contains duplicates, try selecting 'Count all matches'.
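The following added example (not Symantec's code or detection logic) is a simplified model of why a strict breadth or a match-counting setting can cause a missed detection. It assumes Wide means pattern only, Medium adds a checksum validator, and Narrow additionally requires a keyword; the pattern, keyword list, unique-counting mode, function names and sample content are all constructed for illustration.

```python
import re

# Simplified model of a card-number data identifier (NOT Symantec's logic).
PATTERN = re.compile(r"\b(?:\d[ -]?){15}\d\b")       # assumed pattern: 16 digits
KEYWORDS = ("credit card", "card number")            # assumed keyword list

# Constructed sample content; 4111111111111111 is a well-known test number.
NO_KEYWORD = "Ref 4111 1111 1111 1111, order id 1234567812345678"
DUPLICATES = ("Credit card on file: 4111111111111111\n"
              "Retry: 4111111111111111\n"
              "Retry: 4111111111111111")

def luhn_ok(digits):
    """Checksum validator used by the assumed Medium and Narrow levels."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_matches(text, breadth):
    """Return the digit strings that survive the given breadth."""
    hits = [re.sub(r"\D", "", m.group()) for m in PATTERN.finditer(text)]
    if breadth in ("medium", "narrow"):
        hits = [h for h in hits if luhn_ok(h)]
    if breadth == "narrow" and not any(k in text.lower() for k in KEYWORDS):
        return []               # strict level: no keyword, no match
    return hits

def triggers(text, breadth, minimum, count_unique):
    """Apply a match-count threshold, counting all or only unique matches."""
    hits = find_matches(text, breadth)
    counted = len(set(hits)) if count_unique else len(hits)
    return counted >= minimum

if __name__ == "__main__":
    for level in ("wide", "medium", "narrow"):
        print(level, find_matches(NO_KEYWORD, level))
    print("count all:", triggers(DUPLICATES, "narrow", 3, False))
    print("count unique:", triggers(DUPLICATES, "narrow", 3, True))
```

When testing a policy change, run the same sample documents through each breadth and counting setting before and after, so you can see which setting was responsible for the miss.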

See if the DI has been edited

If the DI has been edited, it is possible it no longer works as intended. You can check with support to have them review the DI to see if it is still as Symantec intended.