McAfee MVISION Cloud

DLP Policy Rules and Rule Groups

The policy's Rules section defines the criteria that trigger a response to an anomaly. There are several different types of rules, and they can be combined using Boolean logic. Boolean logic is supported through Rule Groups. All rules within a group are logically combined with an AND operator, so every rule in the group must match. Multiple Rule Groups can be defined and are combined with an OR operator, so the policy is triggered when any one of its groups matches.

IMPORTANT: MVISION Cloud does not support importing or exporting policies or policy templates that include more than 50 rule groups or that exceed 64 KB in size, whichever limit is reached earlier.

dlp_policy_rules_3.9.1.png

Rule Groups are assigned a Severity: Low, Medium, or High. This allows you to conditionally execute different response actions based on which Rule Group was triggered.
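The following is an added example, not code from the MVISION Cloud product or its documentation. It models the evaluation semantics described above (AND within a Rule Group, OR across groups, and the highest severity of the matched groups selecting the response) as a small Go evaluator. The Event fields, the rule constructors, and the sample policy are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Severity of a Rule Group: Low, Medium, or High, as on the policy page.
type Severity int

const (
	None Severity = iota
	Low
	Medium
	High
)

func (s Severity) String() string {
	return [...]string{"None", "Low", "Medium", "High"}[s]
}

// Event is a constructed stand-in for the file or sharing event that rules inspect.
type Event struct {
	FileName  string
	FileSize  int64    // bytes
	Keywords  []string // keywords found in the content
	ToDomains []string // domains the file is shared with
}

// Rule is a single rule: a predicate over the event.
type Rule func(Event) bool

// RuleGroup combines its rules with AND: every rule must match.
type RuleGroup struct {
	Name     string
	Severity Severity
	Rules    []Rule
}

func (g RuleGroup) Matches(e Event) bool {
	if len(g.Rules) == 0 {
		return false
	}
	for _, r := range g.Rules {
		if !r(e) {
			return false
		}
	}
	return true
}

// Policy combines its groups with OR: any matching group triggers it. The
// highest severity among the matched groups picks the response action.
type Policy struct {
	Groups []RuleGroup
}

// Evaluate reports whether the policy triggered, the highest severity reached,
// and the names of the groups that matched.
func (p Policy) Evaluate(e Event) (bool, Severity, []string) {
	var matched []string
	top := None
	for _, g := range p.Groups {
		if g.Matches(e) {
			matched = append(matched, g.Name)
			if g.Severity > top {
				top = g.Severity
			}
		}
	}
	return len(matched) > 0, top, matched
}

// Hypothetical rule constructors standing in for the Keywords, File Name,
// File Size and Collaboration rule types described on this page.
func HasKeyword(k string) Rule {
	return func(e Event) bool {
		for _, w := range e.Keywords {
			if strings.EqualFold(w, k) {
				return true
			}
		}
		return false
	}
}

func FileNameSuffix(ext string) Rule {
	return func(e Event) bool { return strings.HasSuffix(strings.ToLower(e.FileName), ext) }
}

func FileSizeGreaterThan(bytes int64) Rule {
	return func(e Event) bool { return e.FileSize > bytes }
}

func SharedOutside(orgDomain string) Rule {
	return func(e Event) bool {
		for _, d := range e.ToDomains {
			if !strings.EqualFold(d, orgDomain) {
				return true
			}
		}
		return false
	}
}

// SamplePolicy is a constructed policy with one Rule Group per severity.
func SamplePolicy() Policy {
	return Policy{Groups: []RuleGroup{
		{Name: "confidential content shared externally", Severity: High,
			Rules: []Rule{HasKeyword("confidential"), SharedOutside("acme.com")}},
		{Name: "large spreadsheet", Severity: Medium,
			Rules: []Rule{FileNameSuffix(".xlsx"), FileSizeGreaterThan(10 << 20)}},
		{Name: "internal marker present", Severity: Low,
			Rules: []Rule{HasKeyword("internal")}},
	}}
}

func main() {
	e := Event{FileName: "q3-forecast.xlsx", FileSize: 20 << 20,
		Keywords: []string{"Confidential"}, ToDomains: []string{"acme.com", "partner.example"}}
	hit, sev, groups := SamplePolicy().Evaluate(e)
	fmt.Println(hit, sev, groups) // true High [confidential content shared externally large spreadsheet]
}
```

The same event can satisfy more than one group; the evaluator returns every group that matched so the caller can see why the policy fired, while the response action is chosen by the highest severity reached.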

IMPORTANT: When you create a DLP policy or exceptions, if you add certain reserved SQL keywords, such as "Select", "Update", or "Delete", they appear with the first letter masked, as "#elect", "#pdate", or "#elete". This is a security feature of the GWT framework in Java. The workaround is to add the file name to a Policy Dictionary and add the dictionary as an exception rule.

There are several Rule types that can be added to a policy. They are described as follows. 

Classification

Classifications allow you to categorize files based on their confidentiality and enforce security policies associated with that confidentiality level. This helps you protect sensitive information and encourage smarter user behavior when handling that content. Currently, classifications are available for use with Box and McAfee. 

dlp_policy_classification.png

For more information, see:

KNOWN ISSUE: If a space exists before or after the Box Classification name, the Classification will not tag the files. This issue will be fixed in an upcoming release. 

Collaboration

The Collaboration rule detects collaboration events in the service. When this rule is applied along with the Modify permissions or Remove Shared Link response action, it allows you to implement secure collaboration, and it controls how users share content.

NOTE: The patterns in the Collaboration rules follow Glob Patterns.

The From and To fields allow you to define a comma-separated list of domains or email addresses. The From field specifies who initiated the collaboration and the To field specifies the recipients or Groups. You can share collaborations with required User Groups in the To field. User Groups allow you to apply DLP and Secure Collaboration policies to specific groups of users within your organization.

The Role specifies the role of the recipient in the collaboration event: Any, Owner, Editor, or Viewer. 


The Match Any/Match All rules work differently for collaborations than they do for keywords:

  • Match Any (Default): Matches if any of the file/folder Collaborations matches with any of the patterns in the Dictionary or manually entered patterns.
  • Match All: Matches only if all the file/folder Collaborations match with any of the patterns in Dictionary or manually entered patterns.

The From and To fields also support wildcard characters, as shown in the following table:

To or From Input    Matches
*  or blank         Matches any domain or email.
acme.com            Matches any domain or email ending in acme.com (phil@acme.com) but not subdomains (phil@foo.acme.com).
*.acme.com          Matches any domain or email ending in acme.com (phil@acme.com) but not subdomains (phil@foo.acme.com).
acme.com.*          Matches against addition of a TLD like phil@acme.com.au.
*.acme.com.*        Matches phil@foo.bar.acme.com.au but not phil@acme.com.

Secure Collaboration

You can enable your users to use collaboration features to share content with individuals outside of your organization while controlling what kind of information can be shared. This allows you to act on file uploads or updates to collaboration files if the files contain information that violates your content rules (such as medical information or credit card numbers). Content-aware secure collaboration supports quarantine, delete, and email notification as response actions, but will not remove or modify a collaboration. For more information, see DLP Policy Response Actions.

Collaboration Rule Types

There are three collaboration rule types in DLP Policies:

  1. Folder / File Collaboration. You can share files or folders with external users using an email address, domain, or glob pattern. Based on the role, different access levels can be provided to the collaborators. The DLP policy associated with folder/file collaboration detects and removes public links on files and folders and promotes secure collaboration. For more details, refer to File / Folder Collaboration Policies.
    This rule type provides an option to configure File Path or Folder ID. This option is applicable only for Box application users. For details, see Configure File Path or Folder ID Collaboration Policies.
  2. Shared Link. You can create a link from any folder or file and share that link with external users. Based on the role, different access levels can be provided to the collaborators. The DLP policy associated with shared link collaboration detects and removes sensitive information from the file or folder associated with a shared link and stops the file from being shared. For more details, refer to Shared Link Collaboration Policies.
  3. Email. You can attach files or folders to a passive email and share it with external users. You can also respond inline to external users and share files. The DLP policy associated with email collaboration detects and removes public links or sensitive content in the passive or inline email for secure collaboration.

Email Collaboration Policies

There are two ways to handle responses for Email: Quarantine/Delete and Add Email Header.

To create an email policy:

  1. From the Collaboration menu, select Email.
  2. Add any optional keywords or data identifiers.
  3. Choose one of the following:
    • Quarantine or Delete to enact the policy when a sensitive file is shared with email addresses that match the policy, or when a previously shared file is updated with sensitive content.
    • Add Email Header to enact the policy when a sensitive file is shared with inline emails that match the policy. For inline email collaboration, you add a Header and a Value. The value should be plain text, and you can enter any value you want. The response action adds these headers to the email in addition to the standard headers such as To, From, and Subject. The value is appended to the existing key value of the DLP policy, and the sensitive details in the inline email are handled for secure collaboration.

Collaboration Known Behaviors

For details on Collaboration known behaviors, see SharePoint, OneDrive, and Office 365 Collaboration Known Behaviors.

Custom Data Identifier

custom_data_identifier.png

Create your own custom data identifiers using regular expressions, keyword validation, and proximity distance. You can use up to 5 regex rules. 

  • Name. Enter a name for your Custom Data Identifier
  • RegEx. Regular expression rules allow you to define a regular expression using Java syntax or define a unique match count. We strongly suggest that you use a tool like RegexBuddy to develop and test your regular expression before deploying your MVISION Cloud policy. (There is a limit of 5 regex rules.)
  • Location. Specify if the match should be located in:
    • Email Subject, Body, Attachments, and File Content
    • Email Subject and File Metadata
    • All
  • Match Count. Specify the number of unique matches and perform additional keyword validation.
  • Keyword Validation. Validates a predefined set of keywords. 
  • Keyword List. Select a predefined dictionary or manually enter a list of custom keywords. (Limit of 10 custom keywords.)
  • Proximity Distance. Keyword validation looks for a predefined set of keywords within a 200-character (about 30-word) radius of a matched pattern.
  • Exclude. Explicitly whitelist specific Data Identifiers that should not trigger an incident. For instance, specific company-owned CCNs can be whitelisted and excluded from the match when the policy is evaluated.

Boundary Validation in Custom Data Identifiers

Custom data identifiers do not support boundary validation. Boundary validation must be explicitly captured in the regex rule.

For example, \bREGEX\b captures boundaries such as line breaks, tabs, white spaces, and special characters.

Without boundaries, a regex will also report matches that occur in the middle of a longer string (partial matches).

The match highlights reported for custom data identifier incidents match the pattern described exactly as specified, which means they include word boundaries if they are specified in the pattern. 

Data Identifier

Data Identifier rules can be used to detect many predefined patterns such as Social Security Numbers, Credit Card Numbers, and others, and apply advanced validation to improve accuracy. (For example, it can apply the Luhn check to credit card numbers.)

rule_data_identifier_4.0.2.png

This rule also allows you to define:

  • Data Identifier. Select the category and data identifier you need to match. 
  • Location. Specify if the match should be located in:
    • Email Subject, Body, Attachments, and File Content
    • Email Subject and File Metadata
    • All
  • Match Count. Specify the number of unique matches and perform additional keyword validation.
  • Keyword Validation. Validates a predefined set of keywords. 
  • Keyword List. Select from McAfee default keywords or create a list of custom keywords of your own. 
    • McAfee Default. Select to use McAfee default keywords for your data identifier. 
    • Custom Only. Select to use custom keywords only. For custom keywords, you can use a predefined dictionary or manually enter keywords. The maximum number of custom keywords allowed is 10. 
    • McAfee Default and Custom List. Select to use both McAfee default keywords and custom keywords. The maximum number of custom keywords allowed is 10. 
      default_and_custom_keyword_4.1.png
  • Proximity Distance. Keyword validation looks for a predefined set of keywords within a 200-character (about 30-word) radius of a matched pattern.
  • Exclude. Explicitly whitelist specific Data Identifiers that should not trigger an incident. For instance, specific company-owned CCNs can be whitelisted and excluded from the match when the policy is evaluated.
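The following is an added example, not code from the MVISION Cloud product or its documentation. It shows how the rule options listed above (Match Count, Keyword Validation, Proximity Distance, and Exclude) and the Luhn validation mentioned for credit card numbers fit together, and it applies equally to the Custom Data Identifier section earlier on this page. The card-number pattern, the keyword list, the excluded value, and the sample text are all constructed for the illustration; the pattern carries its own \b boundaries, as custom data identifiers require.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Identifier models one Data Identifier rule: a pattern, a Match Count,
// Keyword Validation with a Proximity Distance, and an Exclude list.
type Identifier struct {
	Pattern    *regexp.Regexp
	MinMatches int             // Match Count: unique matches required to trigger
	Keywords   []string        // Keyword Validation list (empty disables it)
	Proximity  int             // characters on either side of a match (200 on this page)
	Exclude    map[string]bool // whitelisted values, normalised to digits only
}

// ccnPattern is a constructed 16-digit card-number pattern (4 groups of 4,
// optional space or dash). The \b boundaries are written into the pattern itself.
var ccnPattern = regexp.MustCompile(`\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b`)

func digitsOnly(s string) string {
	return strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return r
		}
		return -1
	}, s)
}

// LuhnValid is the Luhn check the page mentions for credit card numbers.
func LuhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(digits) > 0 && sum%10 == 0
}

// keywordNear scans the Proximity window around a match for any keyword, case-insensitively.
func keywordNear(text string, start, end, radius int, keywords []string) bool {
	lo, hi := start-radius, end+radius
	if lo < 0 {
		lo = 0
	}
	if hi > len(text) {
		hi = len(text)
	}
	window := strings.ToLower(text[lo:hi])
	for _, k := range keywords {
		if strings.Contains(window, strings.ToLower(k)) {
			return true
		}
	}
	return false
}

// Evaluate returns whether the rule triggers and the unique validated values.
func (id Identifier) Evaluate(text string) (bool, []string) {
	seen := map[string]bool{}
	var unique []string
	for _, loc := range id.Pattern.FindAllStringIndex(text, -1) {
		num := digitsOnly(text[loc[0]:loc[1]])
		switch {
		case !LuhnValid(num): // pattern hit but fails validation
		case id.Exclude[num]: // explicitly whitelisted value
		case len(id.Keywords) > 0 && !keywordNear(text, loc[0], loc[1], id.Proximity, id.Keywords):
		case seen[num]: // Match Count counts unique values only
		default:
			seen[num] = true
			unique = append(unique, num)
		}
	}
	return len(unique) >= id.MinMatches, unique
}

// SampleIdentifier is a constructed credit-card rule: one unique match required,
// keyword validation within 200 characters, and one company-owned card excluded.
func SampleIdentifier() Identifier {
	return Identifier{
		Pattern:    ccnPattern,
		MinMatches: 1,
		Keywords:   []string{"card", "visa", "mastercard"},
		Proximity:  200,
		Exclude:    map[string]bool{"4242424242424242": true},
	}
}

// SampleText is constructed: 4111... and 4242... pass Luhn, 1234... does not.
const SampleText = "Expense note: card 4111 1111 1111 1111 was charged. " +
	"PO reference 1234 5678 9012 3456 attached. Corporate card 4242-4242-4242-4242 on file."

func main() {
	hit, values := SampleIdentifier().Evaluate(SampleText)
	fmt.Println(hit, values) // true [4111111111111111]
}
```

Of the three pattern hits in the sample text, only one survives: the PO reference fails the Luhn check, the corporate card is on the Exclude list, and the remaining number has the keyword "card" inside its proximity window.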

data_identifier_definitions_categories.png

Data Identifiers are available in the following categories:

  • North American Personal Identity
  • U.S. Driver's License Number
  • Financial
  • Healthcare
  • European Personal Identity
  • Asia Pacific Personal Identity
  • Information Technology
  • Cryptocurrency
  • African Personal Identity
  • Middle Eastern Personal Identity
  • Miscellaneous

For details about Data Identifier Definitions, validation, and McAfee default keywords, see Data Identifiers.

File Name

dlp_policy_file_name_3.9.1.png

File Name rules allow you to specify a comma-separated list of file names. Clicking the edit icon allows you to create and edit the list. Standard "glob" operators are supported (for example, *.doc). For more details about file name rules, see: http://pubs.opengroup.org/onlinepubs/009695399/utilities/xcu_chap02.html#tag_02_13_03

File Path

dlp_policy_file_path_3.9.1.png

File Path rules allow you to apply DLP policies only to files in a particular folder, or to exclude that folder from DLP policies. You can specify a comma-separated list of file paths. Standard "glob" operators are supported (for example, */legal/internal/* indicates files and folders in the legal>>internal folder).

File Size

dlp_policy_file_size_3.9.1.png

File Size rules allow you to specify a comparison operator (Greater than, Less than, and Equals), value, and units (Bytes, KB, MB, and GB).

File Type

dlp_policy_file_type_3.9.1.png

File Type rules use true binary signature detection for over 400 formats. Click the edit icon to add types, and navigate the available types by category using the drop-down selection. For more information, see Supported File Formats.

Keywords

Keywords allow you to specify a comma-separated list of keywords. Clicking the edit icon allows you to create and edit the list. For details, see Using Keywords in DLP Policies.

Regular Expression

dlp_policy_regex_3.9.1.png

Regular expression rules allow you to define a regular expression using Java syntax or define a unique match count. We strongly suggest that you use a tool like RegexBuddy to develop and test your regular expression before deploying your MVISION Cloud policy.

For DLP, MVISION Cloud uses the RE2 regex engine. Negative lookahead and negative lookbehind are not supported.

For more information about RE2 syntax, see https://github.com/google/re2/wiki/Syntax.
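The following is an added example, not code from the MVISION Cloud product or its documentation. Go's regexp package implements RE2 syntax, so it shows two things this page states: a pattern without \b boundaries also reports partial matches inside a longer run of digits (the Boundary Validation section above), and a negative lookahead is rejected at compile time rather than silently ignored. The sample text and patterns are constructed for the illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// Sample is constructed: two standalone six-digit tokens and one ten-digit run.
const Sample = "id 123456 appears; 9123456789 is longer; tab\t123456\tdone"

// Loose has no boundaries, so it also matches the first six digits of the
// ten-digit run (a partial match).
var Loose = regexp.MustCompile(`\d{6}`)

// Bounded wraps the same pattern in \b, which RE2 supports, so only complete
// six-digit tokens delimited by spaces, tabs or punctuation match.
var Bounded = regexp.MustCompile(`\b\d{6}\b`)

// Matches returns every match of re in text, in order.
func Matches(re *regexp.Regexp, text string) []string {
	return re.FindAllString(text, -1)
}

// Compiles reports whether RE2 accepts the expression. Negative lookahead
// "(?!...)" and lookbehind "(?<=...)" are unsupported and fail here, so a
// pattern written for a Java engine should be checked before deployment.
func Compiles(expr string) bool {
	_, err := regexp.Compile(expr)
	return err == nil
}

func main() {
	fmt.Println(Matches(Loose, Sample))   // [123456 912345 123456]
	fmt.Println(Matches(Bounded, Sample)) // [123456 123456]
	fmt.Println(Compiles(`foo(?!bar)`))   // false
	fmt.Println(Compiles(`\bfoo\b`))      // true
}
```

Checking Compiles on a pattern before it goes into a policy catches the lookaround constructs this page says are unsupported; the boundary comparison shows why the \b must be part of the rule's own regex.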

Structured Data Fingerprint

Structured Data Fingerprints allow you to monitor your organization's structured data from databases (in CSV format), build fingerprints of that data on-premise, and prevent sensitive or confidential information from leaving the organization by creating compliance policies around it.

Select your Structured Data Fingerprint from the list, then configure the fields, count, and exceptions to match. 

Unstructured Data Fingerprint

Unstructured Data Fingerprints allow you to monitor your organization's unstructured data, index that data on-premise, and prevent sensitive or confidential information from leaving the organization. Once you have created a fingerprint and your unstructured data is indexed, you can add a policy rule to use that indexed data.

Specify the minimum Percent Match Required against a file that was fingerprinted.