Rules and Alerts Guide

There are 2 types of rules:

ITM / Endpoint DLP Detection Rules are used to trigger alerts. You can define the severity of the alert and configure notifications to be sent when an alert is triggered.

Prevention Rules are used to block harmful users or actions by preventing file exfiltration to USB devices or cloud sync folders. You can define lists of permitted and prevented values for users, file extensions, and devices.
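As an added illustration of the permitted/prevented lists described above (example code written for this guide, not part of the product), the following model evaluates a file transfer to USB or a cloud sync folder against a Prevention Rule. The precedence is an assumption: a value on a prevented list always blocks, and a non-empty permitted list blocks anything not on it; device lists are applied only to USB destinations.

```python
"""Constructed model of a Prevention Rule with permitted/prevented lists.

Assumptions (not taken from the product documentation): prevented entries
win over permitted ones; a non-empty permitted list blocks every value that
is absent from it; device lists apply only to USB transfers.
"""
from dataclasses import dataclass, field


@dataclass
class PreventionRule:
    permitted: dict = field(default_factory=dict)  # {"users": {...}, "extensions": {...}, "devices": {...}}
    prevented: dict = field(default_factory=dict)

    def _check(self, kind, value):
        """Return a block reason for one attribute, or None if it passes."""
        allow = self.permitted.get(kind, set())
        deny = self.prevented.get(kind, set())
        if value in deny:
            return f"{kind} '{value}' is in the prevented list"
        if allow and value not in allow:
            return f"{kind} '{value}' is not in the permitted list"
        return None

    def evaluate(self, user, filename, destination, device=None):
        """Return (blocked, reasons) for a file moving to 'usb' or 'cloud_sync'."""
        if destination not in ("usb", "cloud_sync"):
            return False, ["destination is not covered by prevention rules"]
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        checks = [self._check("users", user), self._check("extensions", ext)]
        if destination == "usb":
            checks.append(self._check("devices", device))
        reasons = [r for r in checks if r]
        return bool(reasons), reasons


# Constructed sample policy: only one corporate USB stick is permitted,
# spreadsheets and mail archives are prevented, and one account is prevented.
RULE = PreventionRule(
    permitted={"devices": {"corp-usb-0001"}},
    prevented={"extensions": {"xlsx", "pst"}, "users": {"contractor01"}},
)


def sample_decisions():
    """Evaluate constructed events; returns the blocked flag for each."""
    events = [
        ("alice", "notes.txt", "usb", "corp-usb-0001"),          # allowed
        ("alice", "payroll.xlsx", "usb", "corp-usb-0001"),       # extension prevented
        ("bob", "report.pdf", "usb", "personal-stick"),          # device not permitted
        ("contractor01", "readme.md", "cloud_sync"),             # user prevented
        ("alice", "payroll.xlsx", "network_share", "nas"),       # not a covered destination
    ]
    return [RULE.evaluate(*e)[0] for e in events]
```

Reasons returned by `evaluate` are the kind of detail worth surfacing in the block notification so analysts can see which list fired.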

Configuring Explorations allows you to learn how users in your organization move data. Once you have a clear understanding of which behavior is strictly against policy, you are ready to configure alert rules.

Alerts are intended to notify you of behavior that is highly likely to be against policy, malicious, or negligent.

The rule of thumb is to configure alerts for any behavior against policy that would generate only a handful of alerts (single digits) per day. For anything above that, where a rule would generate dozens, hundreds, or thousands of events a day, use Explorations instead.


For more Quick-Reference Guides, see ITM / Endpoint DLP Onboarding.