There is only one data loss prevention policy. Rules are added to the policy to define what traffic to monitor (identities and destinations), the data classifications that require monitoring, and whether content should be blocked or only monitored.
Prerequisites
- HTTPS Inspection must be enabled either on the Web Default Policy, or at least one web policy ruleset where the same identity is configured in a DLP rule. For example, if the identity "Network A" is configured for a DLP rule, it must also be configured for a web policy ruleset where HTTPS is enabled. For more information, see HTTPS Inspection.
- Full Admin access to the Umbrella dashboard. See Manage User Roles.
Procedure
- Navigate to Policies > Management > Data Loss Prevention Policy, click Add Rule, and choose Real Time Rule.
- Under Add New Real Time Rule, give your rule a meaningful name and description.
- Choose a severity for your rule based on the risk involved or importance within the ruleset.
- Select where in uploaded files you would like this rule to search for the data classifications that you choose.
- Content—(Default) Searches only the content of files for the selected data classifications.
- File Name—Searches only file names for the selected data classifications.
- Content and File Name—Searches both content and file names for the selected data classifications. Content and file name do not both need to match for the rule to apply; a match in either one is enough.
Note: Choosing Content, File Name, or Content and File Name refers to scanning file uploads for the selected data classifications and configured file labels.
- Select Data Classifications to apply this rule; you can choose a data classification of your own making, or a built-in data classification provided by Umbrella. (See Manage Data Classifications and Built-In Data Classification Templates.) Hover over PREVIEW to view data identifiers associated with each data classification.
- Add up to 10 case-sensitive file label names to apply to this rule. The rule will search for any of the configured file label names in the value of the files' document properties. This includes Microsoft Office Document Properties, Microsoft Office Sensitivity Labels, and Adobe PDF Document Properties. File uploads to Confluence and Jira are not scanned for file labels.
Note: A DLP rule can be configured with data classifications, file labels, or both. When a DLP rule is configured with both, a DLP event is raised when any of the selected data classifications are detected and when any of the configured file labels are detected in the inspected file.
Microsoft Sensitivity Labels
Umbrella currently supports detection of Microsoft sensitivity labels in the file properties’ values of the inspected file for Microsoft Word, Excel, PowerPoint, and .pdf files. Ensure you configure the rule with the name of the sensitivity labels, not the Display Names.
- Select identities to apply to this rule.
- Under Destinations, select All Destinations or Select Destination Lists and Applications for Inclusion.
- All Destinations—Monitors all web requests and blocks all file uploads matching the identities selected on the rule.
- Select Destination Lists and Applications for Inclusion—Monitors all web requests and blocks all file uploads matching the identities selected on the rule, the selected destination lists, and supported applications.
a. When Select Destination Lists and Applications for Inclusion is selected, you can add a new destination list to the rule. Click Add New List.
Note: Adding a new destination list to the rule here will automatically add it for inclusion.
b. Name your list, enter the destinations, and click Add. Click Save.
- Check the checkbox Select Destination Lists and Applications for Exclusion and select destinations to exclude from this rule.
a. When Select Destination Lists and Applications for Exclusion is selected, you can add a new destination list to exclude in the rule. Click Add New List.
Note: Adding a new destination list to the rule here will automatically add it for exclusion.
b. Name your list, enter the destinations, and click Add. Click Save.
Note: When a destination list is selected for both inclusion and exclusion in a rule, it will automatically be excluded. Exclusion destination lists always override inclusion destination lists. Similarly, if a domain is included on both an inclusion destination list and an exclusion destination list, the domain will be excluded.
- Under Action, from the drop-down list, choose Monitor or Block.
- Monitor—Monitor file uploads and data submitted in web forms. The rule will search for content that matches supported workflows (see Supported Applications) and the policy-configured destinations and identities.
- Block—Block file uploads. The rule will search for content that matches supported workflows (see Supported Applications) and the policy-configured destinations and identities. When content matches these workflows, the rule blocks the content.
- Click Save.
Note: All fields must have options selected to save.
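As an added illustration, not Umbrella's code, the following model encodes how a Real Time rule scopes and matches one upload as the steps above describe it: identity and destination scoping with exclusion lists overriding inclusion lists, the Content / File Name / Content and File Name search scope where a match in either place suffices, and case-sensitive file label names matched inside document property values. The Upload and RealTimeRule shapes, the literal-string stand-ins for Umbrella's data identifiers, the sample rule, and treating a hit on either a data classification or a file label as raising the event are assumptions made for the demo.

```python
from dataclasses import dataclass
@dataclass
class Upload:                 # one file upload as seen by the rule (constructed shape)
    identity: str
    destination: str
    file_name: str
    content: str
    doc_properties: dict      # document property name -> value (Office/PDF properties)

@dataclass
class RealTimeRule:
    identities: set
    scope: str                # "content", "file_name" or "content_and_file_name"
    classifications: dict     # name -> literal identifiers standing in for Umbrella's detectors
    file_labels: list         # case-sensitive label names; the dashboard allows at most 10
    action: str               # "monitor" or "block"
    all_destinations: bool
    inclusion: set            # domains from inclusion destination lists / applications
    exclusion: set            # domains from exclusion destination lists / applications

def destination_in_scope(rule, dest):
    # Exclusion always overrides inclusion, even for the same list or domain.
    if dest in rule.exclusion:
        return False
    return rule.all_destinations or dest in rule.inclusion

def matched_classifications(rule, up):
    # Under "Content and File Name" a hit in either place is enough.
    fields = [f for f, scopes in ((up.content, ("content", "content_and_file_name")),
                                  (up.file_name, ("file_name", "content_and_file_name")))
              if rule.scope in scopes]
    return {name for name, ids in rule.classifications.items()
            if any(i in f for i in ids for f in fields)}

def matched_labels(rule, up):
    # Label names are matched case-sensitively inside document property values.
    return {lbl for lbl in rule.file_labels
            if any(lbl in v for v in up.doc_properties.values())}

def evaluate(rule, up):
    """Return 'monitor', 'block', or None (out of scope or nothing detected)."""
    if up.identity not in rule.identities or not destination_in_scope(rule, up.destination):
        return None
    hit = matched_classifications(rule, up) or matched_labels(rule, up)
    return rule.action if hit else None

# Constructed sample: corp.example.com is on both lists, so the exclusion wins.
SAMPLE_RULE = RealTimeRule(
    identities={"Network A"}, scope="content_and_file_name",
    classifications={"Credit Card": ["4111 1111 1111 1111"]},
    file_labels=["Confidential"], action="block", all_destinations=False,
    inclusion={"files.example.net", "corp.example.com"}, exclusion={"corp.example.com"})
```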