We can configure DLP policy so that it doesn't monitor the emails that send to the internal users.
Think about such scenario: the confidential docs can be send to the internal users for reviewing, but, these docs cannot be send to the outside of the company, or, should be encrypted before hand out.
Here are the steps:
1. Open a existing policy that should not create incident for internal users.
2. Under 'Detection' tab, click 'Add Exception' button:
3. Select 'Protocol or Endpoint Monitoring' under 'Protocol':
4. Choose 'Email/SMTP' under 'Protocol', on the 'Also Match' list, choose 'Recipient Matches Pattern':
5. Under 'Matches Pattern' section, in the 'Recipient Pattern' box, input the name of the internal email domain:
Note: there should be an '@' added before the domain name.
6. Finally, the policy should be look like this:
Internal recipient exception is just one think, is it possible to add a combination of the internal email recipients and a trusted external partners?
Like @company.domain + @trusted.partner.domain - to not generate incident.But if in the recipients it has at least one "un-trusted" it has been reported?
AdeT..
Confidential is the worst Policy to ever use.. you cannot just look for the word confidential. It will never be acurate.
You need to be more specific and look for other words.
Even if you put an exception to the footer, you will not capture Events that are real. You need to be more specific with your policy.. the word 'Confidential" is NOT going to work.
Your policies should be based on data types and other words. SSN + Words etc.
Good Luck
Ronak
PLEASE MARKED SOLVED WHEN POSSIBLE
Hi Guys,
I have a similar dilemma - we have a policy that states that all confidential emials be alerted.
the problem we have is that on some of the signatures of our external partners - they contain the word CONFIDENTIAL in their footnote and this is generating a lot of False Positives.
What is my best option to reduce thes False Positivs - do I just include an exception and include all of the email addresses with such word in their footnote/signature?
Thanks for you help
Hi,
Is there a way to ensure the internal recipient is a valid email account, not a dormant or even fail internal email address?
@emil.dutsov
Even if "better to request ALL recipient to be in @internal.com domain. (checking right box in "recipient matches pattern" rules)." as @stephane.fichet said?
Just a note: Keep in mind that in that way emails sent to external domain/company and having even one internal reciepent will not be scanned at all. For exapmle: important document sent to external counterpart with internal team member in cc.
hi.
i want to know, when it comes to automated report.
once the report schedule,but there is no report through the specific user. SHARED/PRIVATE report???
question, why do I need to out @before domain name...
Thanks
Mohammed Mazher
good example to use the DLP policy.
take care that with this policy if i send an email to myself (using my internal email address) and a gmail account, you wont raise any incident.
better to request ALL recipient to be in @internal.com domain. (checking right box in "recipient matches pattern" rules).