McAfee Enterprise MVISION Cloud

Keywords in Sanctioned DLP Policies

In DLP policies, keywords allow you to specify search terms or expressions that are compared to words in files.

For information about using custom keywords with Data Identifiers, see DLP Policy Rules and Rule Groups.

Keyword-based Search

To use keyword-based searches, you can enter keywords in a DLP policy. MVISION Cloud then matches documents that contain the keywords. You can set a policy to search on just a word, or on a phrase. (Make sure to put a phrase within "quotation marks".) 

You can also set a proximity match, which allows you to define how many words can separate keywords and still trigger a match. If two keywords are found within the number of words (set with ~n where n is the number of words), it's a match. 

When the Keyword box is activated, the rule also looks for one of the keywords within 200 characters (about 30 words) before and after the identified data as another validation to reduce false positives. 

As of the MVISION Cloud 3.9 release, the keyword proximity is variable and can be set between 1 and 10000 characters through the custom Proximity Distance value when keyword validation is enabled. Existing policies stay fixed at 200 characters; policies created in release 3.9 or later can specify any proximity value between 1 and 10000.

Keyword 2 is used as a secondary set of keywords as an AND condition, where keywords from both lists must be present. 
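The keyword validation described above, sketched as an added example (not MVISION Cloud code) so you can see how the Proximity Distance value changes what survives as a match. The `EMP-` identifier pattern, the function name, and the sample text are constructed for illustration; the sketch assumes the distance is counted in characters on each side of the identified data and that the Keyword 2 list is checked in the same window.

```python
import re

def validated_hits(text, identifier, keywords, keywords2=(), distance=200):
    """Return identifier matches that are backed by nearby keywords.

    Assumptions: distance counts characters on each side of the match,
    keywords match as whole words ignoring case, and the Keyword 2 list
    is checked in the same window as the first list.
    """
    if not 1 <= distance <= 10000:
        raise ValueError("proximity distance must be 1..10000 characters")
    lowered = text.lower()

    def any_in(window, words):
        return any(re.search(rf"\b{re.escape(w.lower())}\b", window)
                   for w in words)

    hits = []
    for m in re.finditer(identifier, text):
        before = lowered[max(0, m.start() - distance):m.start()]
        after = lowered[m.end():m.end() + distance]
        window = before + " " + after
        # Keyword 2 is an AND condition: both lists must contribute a keyword.
        if any_in(window, keywords) and (not keywords2 or any_in(window, keywords2)):
            hits.append(m.group())
    return hits

# Constructed sample: one real employee ID and one look-alike part number.
SAMPLE = ("Payroll note: employee id EMP-104233 is assigned to the new hire. "
          + "Lorem filler. " * 30
          + "Part number EMP-558210 ships Tuesday.")
EMP_ID = r"\bEMP-\d{6}\b"  # hypothetical data identifier

if __name__ == "__main__":
    # Default 200 characters: only the ID near "employee"/"payroll" survives.
    print(validated_hits(SAMPLE, EMP_ID, ["employee", "staff"], ["payroll"]))
    # 10000 characters: the distant keyword now validates the part number too.
    print(validated_hits(SAMPLE, EMP_ID, ["employee"], distance=10000))
```

A very large Proximity Distance lets a keyword anywhere in the file validate every identifier match, which brings back the false positives that keyword validation is meant to remove.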

For example, say a document contains the following sentence:

This company confidential document was written in San Francisco and contains secret details.

The following table includes examples of how keyword-based searches in a DLP policy would work on the example sentence. 

| Query | Result | Notes |
|---|---|---|
| Secret | Match | Keyword-based searches are case insensitive. |
| cisco | No Match | "cisco" is not seen as an exact match to "San Francisco". |
| secret info | Match | The query tells MVISION Cloud to find documents that contain either "secret" or "info," and because the document contains "secret", it is a match. |
| "secret details" | Match | This is an exact phrase match. To define a phrase query, put the terms inside quotation marks to match exactly, including the quotes. For example, "secret details" matches "secret details" including quotes, but not secret details without quotes. |
| "document secret"~10 | Match | The proximity defined at ~10 means the policy matches if the words in the phrase are found within 10 words of each other. Because it is a phrase, both words must be found. |
| "company secret"~3 | No Match | The proximity, defined as ~3, means that there are too many words between "company" and "secret" for this to be identified as a match. |
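To test keyword lists before deploying a policy, the query rules in the table can be modeled offline. The following is an added sketch, not MVISION Cloud's matching engine: the tokenization (lower-case, split on non-alphanumerics) and the reading of ~n as "at most n other words between the keywords" are assumptions, chosen so that the results agree with the table's Result column.

```python
import itertools
import re

# One query term: "quoted phrase", "quoted phrase"~n, or a bare word.
TERM = re.compile(r'"([^"]+)"(?:~(\d+))?|(\S+)')

SAMPLE = ("This company confidential document was written in "
          "San Francisco and contains secret details.")

def tokenize(text):
    """Assumed tokenization: lower-case, split on non-alphanumerics."""
    return re.findall(r"[a-z0-9]+", text.lower())

def phrase_hit(tokens, words):
    """Words appear consecutively and in order (a bare word is a 1-word phrase)."""
    n = len(words)
    return any(tokens[i:i + n] == words for i in range(len(tokens) - n + 1))

def proximity_hit(tokens, words, max_between):
    """Every word is present and at most max_between other words separate them."""
    spots = [[i for i, t in enumerate(tokens) if t == w] for w in words]
    for combo in itertools.product(*spots):  # yields nothing if a word is missing
        if max(combo) - min(combo) + 1 - len(words) <= max_between:
            return True
    return False

def matches(query, document):
    """True if any term matches; space-separated terms are OR-ed."""
    tokens = tokenize(document)
    for phrase, distance, word in TERM.findall(query):
        words = tokenize(phrase or word)
        if not words:
            continue  # term had no searchable characters
        if distance:
            hit = proximity_hit(tokens, words, int(distance))
        else:
            hit = phrase_hit(tokens, words)
        if hit:
            return True
    return False

QUERIES = ['Secret', 'cisco', 'secret info', '"secret details"',
           '"document secret"~10', '"company secret"~3']

def run_table():
    """Evaluate the table's queries against the sample sentence."""
    return {q: matches(q, SAMPLE) for q in QUERIES}
```

Whole-token comparison is what keeps "cisco" from matching "San Francisco"; a substring search over the same text would report a hit and inflate incident counts.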

Create a Sanctioned DLP Policy for Keywords

To add a keyword to a DLP policy:

  1. Choose Policy > DLP Policies.
  2. Click Actions > Sanctioned Policy > Create New Policy to create a policy. (See Create a DLP Policy from a Template for information about templates.)
  3. Name. Enter a descriptive name to identify the policy from the policy selection screen in later steps.
  4. Description. Enter an optional description. 
  5. Deployment Type. Select an integration method: API, Lightning Link, or Reverse Proxy. Some user actions and response actions depend on the Type you choose.
  6. Services. Click Select Service Instances and select your instance from the list. Click Done.
  7. Users. Select the users to apply the policy to. 
    • All Users. Click to apply the policy to all users. 
    • Use a predefined dictionary. Click to select a predefined dictionary from the menu. 
    • Manually enter users. Click to manually enter user emails using a comma to separate items. There is a limit of 1,000 characters. 
  8. Click Save.
  9. Add Exclusions. Click to add users to exclude from the policy, if needed. 
    • None. 
    • Use a predefined dictionary. Click to select a predefined dictionary from the menu. 
    • Manually enter users. Click to manually enter user emails using a comma to separate items. There is a limit of 1,000 characters. 
  10. User Groups. If your tenant has User Data (Active Directory) configured, click Edit to select the User Groups to include in the policy. 
  11. Click Done.
  12. Add Exclusions. Click to add user groups to exclude from the policy, if needed. Select user groups from the list and click Done.
  13. Click Done.
  14. Click Next.
  15. For Rules choose Keywords. Select one of the following options:
    • Use a predefined dictionary. Choose it from the Select a Dictionary list.
    • Manually enter Select Keywords. Enter keywords in a comma-separated list. 
  16. Click Done.
  17. Match Criteria
    • Match Any. Creates a match when any keyword is found in a file.
    • Match All. Creates a match only when all keywords are found in a file.
  18. Match Count. Specify the number of unique matches and perform additional keyword validation.
  19. Case Sensitive. Select No or Yes to consider case sensitivity.
  20. Match Special Characters. When this option is set to Yes, then the keywords in the dictionary are matched exactly, as is. If keywords are enclosed in quotes, a match occurs only if the document includes that keyword enclosed in quotes too. We recommend that you don't enclose keywords in quotes when this option is selected, unless you are trying to match exactly (quotes included).
    • If Yes is selected, only the exact special characters trigger a match, including quotation marks.
    • If No is selected, any special character triggers a match.
    • For example, when matching "M&A":
      • Yes. Only "M&A" (including quotes) triggers a match.
      • No. M&A, M-A, and M#A all trigger a match.
  21. Location. Specify if the match should be located in:
    • All
    • Email Subject and File Metadata
    • Email Subject, Body, Attachments, and File Content
  22. Click AND to add another rule, if needed. 
  23. Click THEN to add a severity: Critical, Major, Minor, Warning, or Info. 
  24. Click New Rule Group to add more, if needed. 
  25. Click Add Exception. Add one or more exceptions, if needed. A DLP policy ignores any exception group within the policy. An exception group is ignored when ALL exceptions within the group match.
  26. Click Add Exception Group to add more. 
  27. Click Next.
  28. Response.  Select one or more response actions that are triggered when the policy rules are matched. By default, all DLP policies create an incident.
  29. Click Done.
  30. Click Next.
  31. Click Save.

Keyword Validation for UK Driving License

For UK driving license data identifiers, there are two lists of keywords: the Country Specific Keywords list and the Identifier Specific Keywords list. When keyword validation is enabled, to reduce false positives, you must use one keyword from each list. For details, see European Personal Identity.
