Rules and Alerts Guide

Detection Rules: Detect user activities and system events. Detection rules let you raise alerts, fire notifications or tag activities. You can define the severity of the alert and configure notifications to be sent when an alert is triggered. (See Detection Rules.)

Prevention Rules: Policies for stopping data exfiltration. Depending on the activity, you can select to block or prompt for justification. Allow is also supported for Upload Files to the Web. (See ITM / Endpoint DLP Prevention Rules.)

Endpoint Rules: Support Apply On-Demand policies and Retain Files rules. (See Endpoint Rules.)

Configuring Explorations allows you to learn how users in your organization move data. When you have a better understanding of which behavior is strictly against policy, you are ready to configure alert rules.

Alerts are intended to notify you of behavior that has a high likelihood of being against policy, malicious, or negligent.

The rule of thumb is to configure alerts for any behavior against policy that would generate alerts in the single digits per day. For anything above that – when a rule generates dozens, hundreds, or thousands of events – use Explorations instead.

For more Quick-Reference Guides, see ITM / Endpoint DLP Onboarding.