McAfee MVISION Cloud

Sanctioned DLP Policy Rules and Rule Groups

The policy's Rules section defines the match criteria for a policy violation. Several different types of rules can be combined using Boolean logic, which is expressed through Rule Groups. All rules in a group are combined with a logical AND: every rule in the group must match for the group to match. Multiple Rule Groups can be defined, and they are combined with a logical OR: the policy is triggered as soon as any one of its groups matches.

IMPORTANT: MVISION Cloud does not support importing or exporting policies or policy templates that include more than 50 rule groups or that exceed 64 KB in size, whichever limit is reached first.

Rule Groups are assigned by Severity: Warning, Info, Low, Medium, or High. This allows you to conditionally execute different response actions based on the triggered Rule Group.
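As an added illustration of the Rule Group logic just described (example code, not part of MVISION Cloud or its documentation), the following Python evaluator treats each rule as a predicate over a file event, ANDs the rules inside a group, ORs the groups, and reports the severity of every group that matched so a caller could pick the response action. The event fields, rule helpers and sample events are constructed for this example; the helpers mirror some of the rule types described later on this page (File Name, File Path, File Size, Keywords) but are not the product's own implementation.

```python
import fnmatch
from typing import Callable, Dict, List

# A file event is a plain dict with the fields the rules below inspect (shape assumed for this example).
Event = Dict[str, object]
Rule = Callable[[Event], bool]


def file_name(glob: str) -> Rule:
    """File Name rule: glob pattern against the file name, e.g. '*.xlsx'."""
    return lambda e: fnmatch.fnmatchcase(str(e["name"]), glob)


def file_path(glob: str) -> Rule:
    """File Path rule: glob pattern against the full path, e.g. '*/legal/internal/*'."""
    return lambda e: fnmatch.fnmatchcase(str(e["path"]), glob)


def file_size_greater_than(limit_bytes: int) -> Rule:
    """File Size rule with the 'Greater than' operator."""
    return lambda e: int(e["size"]) > limit_bytes


def keyword(word: str) -> Rule:
    """Keywords rule: case-insensitive substring match on the content."""
    return lambda e: word.lower() in str(e["content"]).lower()


def evaluate_policy(groups: List[Dict[str, object]], event: Event) -> List[str]:
    """Return the severity of every Rule Group that matched.

    Within a group every rule must match (AND); the policy triggers if at least one
    group matches (OR), so an empty list means no violation.
    """
    return [str(g["severity"]) for g in groups if all(rule(event) for rule in g["rules"])]


MB = 1024 * 1024

# A policy with two Rule Groups at different severities (constructed).
POLICY = [
    {"severity": "High",
     "rules": [file_path("*/legal/internal/*"), keyword("privileged")]},
    {"severity": "Medium",
     "rules": [file_name("*.xlsx"), file_size_greater_than(10 * MB)]},
]

# Constructed sample events.
EVENTS = {
    "memo": {"name": "memo.docx", "path": "/sites/legal/internal/memo.docx",
             "size": 80_000, "content": "Privileged and confidential draft"},
    "model": {"name": "q3.xlsx", "path": "/sites/finance/q3.xlsx",
              "size": 12 * MB, "content": "Quarterly forecast"},
    "notes": {"name": "notes.docx", "path": "/sites/legal/internal/notes.docx",
              "size": 5_000, "content": "Lunch agenda"},
    "export": {"name": "export.xlsx", "path": "/sites/legal/internal/export.xlsx",
               "size": 12 * MB, "content": "privileged client list"},
}


def main() -> None:
    for label, event in EVENTS.items():
        print(f"{label:7s} -> {evaluate_policy(POLICY, event) or 'no match'}")


if __name__ == "__main__":
    main()
```

The "notes" event shows the AND inside a group: its path matches the High group's File Path rule, but without the keyword the group does not match, so the policy stays silent. The "export" event matches both groups, which is where assigning severities per group matters: the caller sees both High and Medium and can apply the response action for the more severe one.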

IMPORTANT: When you create a DLP policy or add exceptions, if you enter certain reserved SQL keywords such as "Select", "Update", or "Delete", they are displayed with the first letter masked, as "#elect", "#pdate", or "#elete". This is a security feature of the GWT framework in Java. The workaround is to add the file name to a Policy Dictionary and add the dictionary as an exception rule.

There are several Rule types that can be added to a policy. They are described as follows. 

Evaluate Policy

Use the Evaluate Policy feature to upload a sample data file and quickly fine-tune your DLP policies as you build them, making sure they detect the intended incidents. For details, see Evaluate Policy.

Classification

Classification rules allow you to categorize files based on their confidentiality and enforce security policies associated with that confidentiality level. This helps you protect sensitive information and encourage smarter user behavior when handling that content. 

Classifications for MVISION Cloud-based policies refer to the Classification tags that are part of the file metadata. These classifications are imported from cloud services and available for use with Azure Information Protection, Box, McAfee, and SharePoint. 

NOTE: Classifications for UCE-based policies refer to the DLP rules defined for all McAfee products. These Classifications are created and managed in on-premises ePO or in the Classification editor in MVISION Cloud. 



KNOWN ISSUE: If a space exists before or after the Box Classification name, the Classification will not tag the files. This issue will be fixed in an upcoming release. 

Collaboration

The Collaboration rule detects collaboration events in the service. When applied, it lets you implement secure collaboration by controlling how users share content.

Secure Collaboration

You can enable your users to collaborate and share content with individuals outside of your organization while controlling what kind of information can be shared. This allows you to act on file uploads or updates to collaborated files when the files contain information that violates your content rules (such as medical information or credit card numbers). For more information, see DLP Policy Response Actions.


Sharing Collaboration Policies

The combination of the Sharing From and Sharing To selections determines whether a Collaboration rule applies to files and folders or to shared links:

Sharing From    Sharing To                          Implied Rule Type
Anyone          Anyone                              Files or Folders
Anyone          Anyone with link                    Shared Link
Anyone          Anyone in the organization          Shared Link
Anyone          Anyone on web                       Shared Link
Anyone          Anyone in organization with link    Shared Link
(any other)     (any other)                         Files or Folders

Collaboration for Files and Folders

You can share files or folders with external users identified by email address, domain, or glob pattern. Collaborators are given different access levels based on their role. The DLP policy associated with file or folder Collaboration detects and removes public links on files and folders and promotes secure collaboration. For more details, see Collaboration Policies for Files and Folders.

Collaboration for Shared Links

You can create a link from any folder or file and share that link with external users. Collaborators are given different access levels based on their role. The DLP Collaboration policy associated with shared links detects and removes sensitive information from files or folders associated with a shared link and stops the file from being shared. For more details, see Collaboration Policies for Shared Links.

The Collaboration rule allows you to define:

  • Sharing From
    • Anyone. Select to share from any user. 
    • Specific Users / Domains. Select to share from specific users or domains. 
      • Match Criteria
        • Match Any. Matches if any of the Collaborations matches with any of the patterns in the Dictionary or manually entered patterns.
        • Match All. Matches only if all the Collaborations match with any of the patterns in Dictionary or manually entered patterns.
      • Use a predefined dictionary. Select a predefined dictionary from the list. 
      • Manually enter users/domains. Click to enter users or domains manually in a comma-separated list. 
  • Sharing To
    • Anyone. 
      • Anyone. Matches files or folders shared with anyone.
      • Anyone with link. Anyone who has the link can access it. No Sign-in required. 
      • Anyone on web. Anyone on the web can find and access it. No Sign-in required. 
      • Anyone in organization with link. Anyone at a specified company who has the link can access it. Sign-in required. 
      • Anyone in the organization. Anyone at a specified company can find and access it. Sign-in required. 
    • Specific Users / Domains. 
      • Match Criteria
        • Match Any. Matches if any of the file or folder Collaborations matches with any of the patterns in the Dictionary or manually entered patterns.
        • Match All. Matches only if all the file or folder Collaborations match with any of the patterns in Dictionary or manually entered patterns.
      • Use a predefined dictionary. Select a predefined dictionary from the list. 
      • Manually enter users/domains. Click to enter users or domains manually in a comma-separated list. 
  • Sharing Permission. Specifies the role of the recipient in the collaboration event:
    • Any 
    • Owner
    • Editor
    • Viewer

NOTE: The patterns in the Collaboration rules follow Glob Patterns.

The Manually enter users/domains option accepts a comma-separated list of domains or email addresses. Entries also support wildcard characters, as shown in the following table:

Manually enter users/domains    Matches
* or blank                      Any domain or email.
acme.com                        Any domain or email ending in acme.com (phil@acme.com) but not subdomains (phil@foo.acme.com).
*.acme.com                      Any domain or email ending in acme.com (phil@acme.com) but not subdomains (phil@foo.acme.com).
acme.com.*                      Addition of a TLD, such as phil@acme.com.au.
*.acme.com.*                    phil@foo.bar.acme.com.au but not phil@acme.com.

NOTE: The acme.com and *.acme.com rows above are documented with identical behavior. Confirm the exact pattern you intend to use against a test share before relying on it in a blocking policy.
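As an added example (not the product's own matching engine), the following Python models the Sharing To options described above: the glob-style user/domain entries from the table and the Match Any / Match All criteria applied to the collaborators of one sharing event. The modelling assumptions are stated in the code and are not taken from the page: a blank entry or "*" matches everything, an entry containing "@" is matched against the whole address, and any other entry is matched against the domain part with shell-style glob semantics where "*" also spans dots. Under those semantics *.acme.com matches subdomains only, which is one reason to test the pattern you intend to use before deploying it. The collaborator list is constructed.

```python
import fnmatch
from typing import Iterable, List, Sequence


def domain_of(principal: str) -> str:
    """Domain part of an email address; a bare domain is returned unchanged."""
    return principal.strip().lower().rsplit("@", 1)[-1]


def pattern_matches(principal: str, pattern: str) -> bool:
    """Glob-match one 'users/domains' entry against one collaborator.

    Modelling assumption (not taken from the product): a blank entry or '*' matches
    everything; an entry containing '@' is matched against the whole address; any other
    entry is matched against the domain part only, using shell-style glob semantics
    (fnmatch) where '*' also spans dots.
    """
    pattern = pattern.strip().lower()
    if pattern in ("", "*"):
        return True
    subject = principal.strip().lower() if "@" in pattern else domain_of(principal)
    return fnmatch.fnmatchcase(subject, pattern)


def parse_entries(text: str) -> List[str]:
    """Split the comma-separated 'Manually enter users/domains' text into entries."""
    return [p.strip() for p in text.split(",") if p.strip()]


def collaboration_rule_matches(collaborators: Sequence[str], entries: Iterable[str],
                               criteria: str = "any") -> bool:
    """Apply Match Any / Match All to the collaborators of one sharing event.

    Match Any: at least one collaborator matches some entry.
    Match All: every collaborator matches some entry.
    """
    entries = list(entries)
    hits = [any(pattern_matches(c, e) for e in entries) for c in collaborators]
    if not hits:
        return False
    return any(hits) if criteria == "any" else all(hits)


# Constructed sharing event: a folder shared with an internal user, a subdomain user
# and a personal mailbox.
EVENT_COLLABORATORS = ["phil@acme.com", "ana@foo.acme.com", "someone@gmail.com"]


def main() -> None:
    for entry in ["*", "acme.com", "*.acme.com", "acme.com.*", "*.acme.com.*"]:
        matched = [c for c in EVENT_COLLABORATORS if pattern_matches(c, entry)]
        print(f"{entry:14s} -> {matched}")
    partners = parse_entries("acme.com, *.acme.com")
    print("Match Any :", collaboration_rule_matches(EVENT_COLLABORATORS, partners, "any"))
    print("Match All :", collaboration_rule_matches(EVENT_COLLABORATORS, partners, "all"))


if __name__ == "__main__":
    main()
```

With the entries acme.com and *.acme.com, Match Any is satisfied by the first two collaborators while Match All fails because of the gmail.com recipient; that difference is what decides whether a share with one outside party trips a rule written to catch exclusively-external sharing.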

 

Email Collaboration Policies

You can attach files or folders to the passive email and share them with external users, or respond inline to external users and share files that way. The DLP policy associated with email collaboration detects and removes public links or sensitive content in the passive or inline email, keeping the collaboration secure.


To create an email policy:

  • Email From
    • Anyone. Select to share emails from any user. 
    • Specific Users / Domains. Select to share emails from specific users or domains. 
      • Match Criteria
        • Match Any. Matches if any of the Collaborations matches with any of the patterns in the Dictionary or manually entered patterns.
        • Match All. Matches only if all the Collaborations match with any of the patterns in Dictionary or manually entered patterns.
      • Use a predefined dictionary. Select a predefined dictionary from the list. 
      • Manually enter users/domains. Click to enter users or domains manually in a comma-separated list. 
  • Email To
    • Anyone. Select to share email to any user. 
    • Specific Users / Domains. Select to share emails to specific users or domains. 
      • Match Criteria
        • Match Any. Matches if any of the Collaborations matches with any of the patterns in the Dictionary or manually entered patterns.
        • Match All. Matches only if all the Collaborations match with any of the patterns in Dictionary or manually entered patterns.
      • Use a predefined dictionary. Select a predefined dictionary from the list. 
      • Manually enter users/domains. Click to enter users or domains manually in a comma-separated list. 

Collaboration Known Behaviors

For details on Collaboration known behaviors, see SharePoint, OneDrive, and Office 365 Collaboration Known Behaviors.

Data Identifier

For data identifier rules, you can select to use MVISION Cloud's predefined data identifier categories, or you can create custom data identifiers, all in one step of the wizard. 

Use a Predefined Category

Data Identifier predefined categories detect many common patterns such as Social Security Numbers and Credit Card Numbers, and apply advanced validation to improve accuracy (for example, the Luhn check for credit card numbers).


This rule allows you to define:

  • Data Identifier. Select Use a Predefined Category. 
  • Location. Specify if the match should be located in:
    • All
    • Email Subject and File Metadata
    • Email Subject, Body, Attachments, and File Content
  • Match Count. Specify the number of unique matches and perform additional keyword validation.
  • Exclude. Explicitly allow-list specific values that should not trigger an incident. For instance, specific company-owned credit card numbers can be added to an allow list and excluded from the match when the policy is evaluated.
  • Keyword Validation. Validates a predefined set of keywords. 
  • Keyword List. Select from McAfee default keywords or create a list of custom keywords of your own. 
    • McAfee Default. Select to use McAfee default keywords for your data identifier. 
    • Custom Only. Select to use custom keywords only. For custom keywords, you can use a predefined dictionary or manually enter keywords. The maximum number of custom keywords allowed is 10. 
    • McAfee Default and Custom List. Select to use both McAfee default keywords and custom keywords. The maximum number of custom keywords allowed is 10. 
  • Proximity Distance. Keyword validation looks for a predefined set of keywords within a 200-character (about 30-word) radius of a matched pattern.

For details about Data Identifier definitions, validation, and McAfee default keywords, see Data Identifiers.

Custom Data Identifier

Create a Custom Data Identifier using regular expressions, keyword validation, and proximity distance. You can use up to 5 regex rules. 


To define your Custom Data Identifier, enter the following:

  • Name. Enter a name for your Custom Data Identifier.
  • RegEx. Regular expression rules allow you to define a regular expression using Java syntax or define a unique match count. We strongly suggest that you use a tool like RegexBuddy to develop and test your regular expression before deploying your MVISION Cloud policy. (There is a limit of 5 regex rules.)
  • Location. Specify if the match should be located in:
    • All 
    • Email Subject and File Metadata
    • Email Subject, Body, Attachments, and File Content
  • Match Count. Specify the number of unique matches and perform additional keyword validation.
  • Exclude. Explicitly allow-list specific values that should not trigger an incident. For instance, specific company-owned credit card numbers can be added to an allow list and excluded from the match when the policy is evaluated.
  • Keyword Validation. Validates a predefined set of keywords. 
  • Keyword List. Select a predefined dictionary or manually enter a list of custom keywords. (Limit of 10 custom keywords.)
  • Proximity Distance. Keyword validation looks for a predefined set of keywords within a 200-character (about 30-word) radius of a matched pattern.

Boundary Validation in Custom Data Identifiers

Custom data identifiers do not support boundary validation. Boundary validation must be explicitly captured in the regex rule.

For example, \bREGEX\b anchors the match at word boundaries (line breaks, tabs, white space, and special characters). Without the \b anchors, the same regex also matches inside a longer token, producing partial matches.

The match highlights reported for custom data identifier incidents match the pattern described exactly as specified, which means they include word boundaries if they are specified in the pattern. 
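As an added, self-contained illustration (example code, not the product's detection engine), the following Python models the Data Identifier options described in the sections above for a credit-card identifier: regex candidates, the Luhn check, the Exclude allow list, keyword validation within the 200-character proximity radius, and the unique Match Count. It also shows the boundary point from the Custom Data Identifier section by running the same regex with and without \b anchors. The keyword list, helper names and sample text are constructed for this example; the card numbers are standard Luhn-valid test numbers, not real accounts.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Stand-ins for the product's keyword list and proximity setting. The 200-character
# radius is the value the page gives; the keyword list itself is assumed for this example.
DEFAULT_KEYWORDS = ("card", "credit", "visa", "mastercard", "ccn")
PROXIMITY_CHARS = 200

# Sixteen digits, optionally separated by single spaces or dashes. The bounded form
# anchors on \b so that a run of 17 or more digits is not partially matched.
CCN_BOUNDED = re.compile(r"\b(?:\d[ -]?){15}\d\b")
CCN_UNBOUNDED = re.compile(r"(?:\d[ -]?){15}\d")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit validation, the 'advanced validation' the page mentions for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def keyword_nearby(text: str, start: int, end: int,
                   keywords: Iterable[str] = DEFAULT_KEYWORDS,
                   proximity: int = PROXIMITY_CHARS) -> bool:
    """Keyword validation: some keyword must occur within `proximity` characters of the match."""
    window = text[max(0, start - proximity): end + proximity].lower()
    return any(k in window for k in keywords)


def evaluate_ccn_rule(text: str, *, match_count: int = 1, exclude: Iterable[str] = (),
                      keyword_validation: bool = True, boundary: bool = True) -> Dict[str, object]:
    """Apply a credit-card Data Identifier rule in the order the page's options suggest:
    regex candidates -> Luhn -> Exclude list -> keyword proximity -> unique Match Count."""
    pattern = CCN_BOUNDED if boundary else CCN_UNBOUNDED
    excluded = {re.sub(r"[ -]", "", e) for e in exclude}
    seen: set = set()
    rejected: List[Tuple[str, str]] = []
    candidates = 0
    for m in pattern.finditer(text):
        candidates += 1
        value = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(value):
            rejected.append((value, "fails Luhn"))
        elif value in excluded:
            rejected.append((value, "on Exclude list"))
        elif keyword_validation and not keyword_nearby(text, m.start(), m.end()):
            rejected.append((value, "no keyword within proximity"))
        elif value in seen:
            rejected.append((value, "duplicate value"))
        else:
            seen.add(value)
    return {"candidates": candidates, "unique_matches": len(seen),
            "triggered": len(seen) >= match_count, "rejected": rejected}


# Constructed sample text. The card numbers are standard Luhn-valid test numbers, not real
# accounts; the filler pushes the last number more than 200 characters away from any keyword.
FILLER = "Meeting notes continue without any financial terms. " * 5
SAMPLE_TEXT = (
    "Customer card number: 4111 1111 1111 1111 (exp 09/27).\n"
    "Reference 4111111111111112 is an account id, not a card.\n"
    "Corporate card 5500 0000 0000 0004 is company-owned.\n"
    "Account 91234567812345670 is a 17-digit id.\n"
    "Same card again: 4111-1111-1111-1111.\n"
    + FILLER +
    "Serial 1234567812345670 printed on the device label."
)


def main() -> None:
    result = evaluate_ccn_rule(SAMPLE_TEXT, match_count=1, exclude=["5500 0000 0000 0004"])
    print("bounded  :", result)
    print("unbounded:", evaluate_ccn_rule(SAMPLE_TEXT, boundary=False)["candidates"], "candidates")


if __name__ == "__main__":
    main()
```

Run against the sample with the corporate card on the Exclude list, the rule counts exactly one unique match: 4111 1111 1111 1111 is counted once although it appears twice, 4111111111111112 fails Luhn, the corporate card is excluded, and the serial number has no keyword within 200 characters. Dropping the \b anchors turns the 17-digit account id into an extra (Luhn-failing) candidate, which is the partial-match problem the boundary section describes.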

File Name


File Name rules allow you to:

  • Use a predefined dictionary and select from the list. 
  • Manually enter. Click Select File Name and specify a comma-separated list of file names. Patterns in File Name rules follow Glob Patterns (for example, *.doc).

File Path/Folder ID


File Path/Folder ID rules allow you to apply DLP policies only to files in a particular folder, or to exclude that folder from DLP policies.

This rule allows you to define:

  • Use a predefined dictionary and select from the list. 
  • Manually enter. Click Select File Name and specify a comma-separated list of file paths or folder IDs. Standard glob operators are supported (for example, */legal/internal/* matches files and folders under the legal > internal folder).

File Size


File Size rules allow you to specify a comparison operator (Greater than or Less than), value, and units (Bytes, KB, MB, or GB).

File Type


File Type rules use true binary signature detection for over 400 formats. Click Select File Type to search for and add file types. For more information, see Supported File Formats.

Keywords


Keywords rules allow you to specify a comma-separated list of keywords. Clicking the edit icon allows you to create and edit the list. For details, see Using Keywords in DLP Policies.

Regular Expression


To create a Regular Expression rule, enter:

  • Regular Expression. Regular expression rules allow you to define a regular expression (Java-style syntax) or a unique match count. We strongly suggest that you use a tool like RegexBuddy to develop and test your regular expression before deploying your MVISION Cloud policy. For DLP, MVISION Cloud uses the RE2 regex engine; negative lookahead and negative lookbehind are not supported. For more information about RE2 syntax, see https://github.com/google/re2/wiki/Syntax.
  • Location. Specify if the match should be located in:
    • All
    • Email Subject and File Metadata
    • Email Subject, Body, Attachments, and File Content
  • Match Count. Specify the number of unique matches and perform additional keyword validation.
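As an added pre-deployment check (example code, not part of MVISION Cloud), the following Python scans a regular expression for constructs that RE2 does not implement: lookahead and lookbehind of either polarity, numbered and named backreferences, atomic groups and conditionals, per the RE2 syntax page linked above. The function names and sample patterns are constructed for this example. Python's re module is not RE2, so a pattern that passes here can still be rejected by the product; Evaluate Policy remains the authoritative test.

```python
import re
from typing import List, Tuple

# Group-opening sequences that RE2 rejects (see https://github.com/google/re2/wiki/Syntax):
# no lookaround of either polarity, no atomic groups, no conditionals. Backreferences are
# handled separately below because they start with a backslash.
UNSUPPORTED_GROUPS: Tuple[Tuple[str, str], ...] = (
    ("(?=", "positive lookahead"),
    ("(?!", "negative lookahead"),
    ("(?<=", "positive lookbehind"),
    ("(?<!", "negative lookbehind"),
    ("(?>", "atomic group"),
    ("(?(", "conditional group"),
)


def re2_issues(pattern: str) -> List[str]:
    """List constructs in `pattern` that RE2 does not implement, with their offsets.

    The scan walks the pattern once, treating a backslash plus the following character
    as one escape, so an escaped parenthesis such as '\\(?!' is not misreported and
    '\\1'..'\\9' and '\\k<name>' are recognised as backreferences.
    """
    issues: List[str] = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            nxt = pattern[i + 1:i + 2]
            if nxt and nxt in "123456789":
                issues.append(f"backreference \\{nxt} at offset {i}")
            elif nxt == "k" and pattern[i + 2:i + 3] == "<":
                issues.append(f"named backreference at offset {i}")
            i += 2
            continue
        if ch == "(":
            for prefix, name in UNSUPPORTED_GROUPS:
                if pattern.startswith(prefix, i):
                    issues.append(f"{name} {prefix}...) at offset {i}")
                    break
        i += 1
    return issues


def deployable_in_re2(pattern: str) -> bool:
    """True when the pattern compiles in Python's re module and uses no RE2-unsupported construct.

    Python's re is not RE2, so this is a pre-check, not a guarantee.
    """
    try:
        re.compile(pattern)
    except re.error:
        return False
    return not re2_issues(pattern)


# Constructed sample patterns.
SAMPLE_PATTERNS = {
    "bounded 16 digits": r"\b\d{16}\b",
    "16 digits not starting 4111": r"\b(?!4111)\d{16}\b",
    "repeated 4-digit group": r"(\d{4})-\1",
    "amount after USD": r"(?<=USD )\d+",
    "case-insensitive SSN label": r"(?i)ssn:\s*\d{3}-\d{2}-\d{4}",
}


def main() -> None:
    for label, pat in SAMPLE_PATTERNS.items():
        verdict = "OK" if deployable_in_re2(pat) else "REJECT"
        print(f"{label:28s} {verdict:6s} {re2_issues(pat)}")


if __name__ == "__main__":
    main()
```

The pattern with (?!4111) shows the typical failure: a negative lookahead used to skip one prefix. Under RE2 that has to be restructured, for example by enumerating the allowed leading digits as an alternation, or by matching the broad pattern and handling the unwanted values with a policy exception rather than inside the regex.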

Structured Data Fingerprint


Structured Data Fingerprints allow you to monitor your organization's structured data from databases (in CSV format), build fingerprints of that data on-premises, and prevent sensitive or confidential information from leaving the organization by creating compliance policies around it.

Select your Structured Data Fingerprint from the list, then configure the fields, count, and exceptions to match. 

Unstructured Data Fingerprint


Unstructured Data Fingerprints allow you to monitor your organization's unstructured data, index that data on-premises, and prevent sensitive or confidential information from leaving the organization. Once you have created a fingerprint and your unstructured data is indexed, you can add a policy rule that uses the indexed data.

Specify the minimum Percent Match Required against a file that was fingerprinted.