
Add a Real Time Rule to the Data Loss Prevention Policy

There is only one data loss prevention policy. Rules are added to the policy to define what traffic to monitor (identities and destinations), the data classifications that require monitoring, and whether content should be blocked or only monitored.

Prerequisites

  • HTTPS Inspection must be enabled either on the Web Default Policy or on at least one web policy ruleset where the same identity is configured in a DLP rule. For example, if the identity "Network A" is configured for a DLP rule, it must also be configured for a web policy ruleset where HTTPS Inspection is enabled. For more information, see HTTPS Inspection.
  • Full Admin access to the Umbrella dashboard. See Manage User Roles.

Procedure

  1. Navigate to Policies > Management > Data Loss Prevention Policy, click Add Rule, and choose Real Time Rule.
  2. Under Add New Real Time Rule, give your rule a meaningful name and description.
  3. Choose a severity for your rule based on the risk involved or its importance within the ruleset.
  4. Select where in uploaded files you would like this rule to search for the data classifications that you choose.
  • Content—(Default) Searches only the content of files for the selected data classifications.
  • File Name—Searches only file names for the selected data classifications.
  • Content and File Name—Searches both content and file names for the selected data classifications. Content and file name do not both need to match for the rule to apply; a match on either one is enough.

Note: Choosing Content, File Name, or Content and File Name refers to scanning file uploads for the selected data classifications and configured file labels.

  5. Select Data Classifications to apply to this rule; you can choose a data classification of your own making or a built-in data classification provided by Umbrella. (See Manage Data Classifications and Built-In Data Classification Templates.) Hover over PREVIEW to view the data identifiers associated with each data classification.
  6. Add up to 10 case-sensitive file labels to apply to this rule. The rule searches for any of the configured file labels in the values of the files' document properties. This includes Microsoft Office Document Properties, Microsoft Office Sensitivity Labels, and Adobe PDF Document Properties. File uploads to Confluence and Jira are not scanned for file labels.

Note: A DLP rule can be configured with data classifications, file labels, or both. When a DLP rule is configured with both, a DLP event is raised when any of the selected data classifications and any of the configured file labels are detected in the inspected file.

Microsoft Sensitivity Labels

Umbrella currently supports detection of Microsoft sensitivity labels in the file properties' values of the inspected file for Microsoft Word, Excel, PowerPoint, and .pdf files. Ensure you configure the rule with the sensitivity labels, not the Display Names.

  7. Select identities to apply to this rule.
  8. Under Destinations, select All Destinations or Select Destination Lists and Verified Applications for Inclusion.
  • All Destinations—Monitors all outbound web requests or blocks all file uploads that originate from the selected identities for this rule.
    When All Destinations is selected, you can select the type of data Umbrella monitors:
    • Choose File uploads and form data to monitor all uploaded files and form data for all web destinations users visit.

      Caution: Use care when choosing All Destinations with File uploads and form data because it significantly widens the scope of the data the rule scans and can result in excessive false positives, inappropriately blocking users' access to many sites. We recommend that rules applied to all destinations not include built-in identifiers with lenient tolerances or custom identifiers with regexes that define a broad scope. Design regexes to narrowly identify the data you seek, and include threshold and proximity criteria.

    • Choose File uploads and form data of vetted apps only to monitor uploaded files and form data associated only with DLP Supported Applications.
  • Select Destination Lists and Applications for Inclusion—Monitors all web requests and blocks all file uploads matching the identities selected on the rule, the selected destination lists, and the supported applications.
  • To add applications for inclusion, under Destinations expand Applications and check the boxes for the applications you want to add to the rule.
  • To add destination lists for inclusion, under Destinations expand Destination Lists and check the boxes for the destination lists you want to add to the rule.
  • To create a new destination list and add it for inclusion, under Destinations expand Destination Lists and click ADD NEW LIST. Under List Name enter a unique name for the list. For each URL/Domain to be in the list, enter a domain name, URL, IPv4 address or CIDR, and click Add. Click Save when done.
    Note: Adding a new destination list to the rule here automatically adds it for inclusion.
  9. Check the checkbox Select Destination Lists and Applications for Exclusion to select destinations and applications to exclude from this rule.
  • To exclude applications, under Destinations expand Applications and check the boxes for the applications you want to exclude from the rule.
  • To exclude destination lists, under Destinations expand Destination Lists and check the boxes for the destination lists you want to exclude from the rule.
  • To create a new destination list and exclude it, under Destinations expand Destination Lists and click ADD NEW LIST. Under List Name enter a unique name for the list. For each URL/Domain to be in the list, enter a domain name, URL, IPv4 address or CIDR, and click Add. Click Save when done.

Note: Adding a new destination list to the rule here automatically adds it for exclusion.

Note: When a destination list is selected for both inclusion and exclusion in a rule, it is automatically excluded. Exclusion destination lists always override inclusion destination lists. Similarly, if a domain appears on both an inclusion destination list and an exclusion destination list, the domain is excluded.

  10. Under Action, from the drop-down list, choose Monitor or Block.
  • Monitor—Monitors file uploads and data submitted in web forms.
    The rule searches for content that matches supported workflows (see Supported Applications) and the policy-configured destinations and identities.
  • Block—Blocks file uploads.
    The rule searches for content that matches supported workflows (see Supported Applications) and the policy-configured destinations and identities. When content matches these workflows, the rule blocks the content.

Limited Availability

Umbrella can optionally block all password-protected files directed to destinations configured in the DLP rules. If enabled, this feature affects all file types and all users and cannot be configured with finer granularity. This feature is not generally available; contact Umbrella Support to have it enabled in your account.

  11. Click Save.
    Note: All fields must have options selected to save.
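The inclusion and exclusion precedence described in the destination notes is easy to get wrong once a rule carries several lists, so here is an added example (not Umbrella's own code or documentation) that models a Real Time Rule's destination scope in Python and shows a list selected for both inclusion and exclusion ending up excluded. The list names, entries and rule are constructed; application selections are left out, and it is an assumption that a domain entry also covers its subdomains and that a URL entry matches by prefix.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed destination lists (not from the page): domain, URL, IPv4 and CIDR entries.
DEST_LISTS = {
    "Approved Storage": ["storage.example.com", "https://share.example.org/upload"],
    "Lab Network": ["10.20.0.0/16", "203.0.113.7"],
    "Partner Sites": ["partner.example.net"],
}

def entry_matches(entry: str, dest_url: str) -> bool:
    """True if one destination-list entry covers dest_url.
    Assumed (not stated on the page): a domain entry also covers its
    subdomains, and a URL entry matches any URL it is a prefix of."""
    host = urlsplit(dest_url).hostname or ""
    if "://" in entry:                      # URL entry: prefix match
        return dest_url.startswith(entry)
    try:                                    # IPv4 address or CIDR entry
        return ipaddress.ip_address(host) in ipaddress.ip_network(entry, strict=False)
    except ValueError:                      # not an IP entry, or host is a name
        pass
    entry, host = entry.lower(), host.lower()  # domain entry
    return host == entry or host.endswith("." + entry)

def rule_applies(rule: dict, dest_url: str) -> bool:
    """Decide whether the rule's destination scope covers dest_url.
    Exclusion always wins: a hit on any exclusion list (even one also
    selected for inclusion) takes the destination out of scope; only
    then do All Destinations or the inclusion lists bring it in."""
    def any_match(list_names):
        return any(entry_matches(e, dest_url)
                   for name in list_names for e in DEST_LISTS[name])
    if any_match(rule.get("exclude", [])):
        return False
    if rule.get("all_destinations"):
        return True
    return any_match(rule.get("include", []))

# Constructed rule: "Partner Sites" is selected for both inclusion and exclusion.
RULE = {
    "all_destinations": False,
    "include": ["Approved Storage", "Lab Network", "Partner Sites"],
    "exclude": ["Partner Sites"],
}

if __name__ == "__main__":
    for url in ("https://docs.storage.example.com/up", "http://10.20.5.9/up",
                "https://partner.example.net/api", "https://other.example.com/"):
        print(url, "->", "in scope" if rule_applies(RULE, url) else "out of scope")
```

Running the script shows the two included destinations in scope, the partner destination excluded despite being on an inclusion list, and the unlisted destination out of scope because All Destinations is off.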
