Creating Detection Rules that Use Content Scanning
This topic is for ITM / Endpoint DLP rules only.
This topic provides an example of a Detection rule that uses content scanning.
You select the content you want to scan using Indicator/Detector Name. Indicator/Detector Name is an attribute of the Indicator entity and is derived from the Detector Set created in
To see the Alerts, select the Data Security Workbench application and then from the side menu, select Alerts. (See Alerts.)
Creating a Rule that Detects Social Security Information
In this example, a rule is created that triggers an alert when a file contains Social Security information. This is a simple rule that shows you the basic steps required.
Before you set up the rule, make sure that you have set up your Agent Realm. From Administration > Endpoints > Agent Realm, edit the Agent Realm you are using. In the Advanced Settings:
- Toggle on Enable Content Scanning.
- Select Social Security from the list of Detector Sets.
- Select the relevant Scan Triggers.
- From Proofpoint Data Security & Posture, select the Administration app.
- Select Policies > Rules. From the Detection Rule area, select New Rule.
- Provide a Name.
- For this example, from Select, select Select Field.
- Select Detector from the Select Field list on the right side.
- Select Indicator/Detector Name from the list of values.
- From the operations dropdown, select Contains.
- Click Select Values and from the Detector Name list, select Social Security Number. Click Done.
- Define what happens in the Actions area as described in Detection Rules.