Complete rules of the Data Loss Prevention (DLP) rule set

When working with the complete rules of the Data Loss Prevention (DLP) rule set, all rules and rule elements of this rule set can be viewed and configured.

Library rule set – Data Loss Prevention (DLP)
Criteria – Always
Cycles – Requests (and IM), Responses, Embedded objects

The following rule sets are nested in this rule set:

  • DLP in Request Cycle
  • DLP in Response Cycle

    This rule set is not enabled by default.

DLP in Request Cycle

This nested rule set blocks requests that are sent from clients of our network to web servers if it is detected that sensitive content is involved. For example, a request to upload a file to the web that has sensitive content is blocked.

Nested library rule set – DLP in Request Cycle
Criteria – Cycle.TopName equals "Request"
Cycles – Requests (and IM), Embedded objects

The rule set criteria specifies that the rule set applies when a request is processed on the appliance.

The rule set contains the following rules:

Block files with HIPAA information
DLP.Classification.BodyText.Matched <HIPAA> equals true –> Block<DLP.Classification.Block> – Statistics.Counter.Increment (“BlockedByDLPMatch”,1)<Default>
The rule uses the DLP.Classification.BodyText.Matched property to check whether the body of the request that is currently processed contains text that is considered to be sensitive content. This text could, for example, be in a file that a client requests to upload to the web.
Text is considered to be sensitive content according to the HIPAA health care regulations. Use of the relevant classification information is configured as part of the module settings, which are specified after the property name.
If there is sensitive content in the text of a request body, the request is blocked. The settings of the Block action specify a message to the requesting user.
The rule also uses an event to count blocking due to a data loss prevention match.
Block files with Payment Card Industry information
DLP.Classification.BodyText.Matched <Payment Card Industry> equals true –> Block<DLP.Classification.Block> – Statistics.Counter.Increment (“BlockedByDLPMatch”,1)<Default>
The rule uses the DLP.Classification.BodyText.Matched property to check whether the body of the request that is currently processed contains text that is considered to be sensitive content. This text could, for example, be in a file that a client requests to upload to the web.
Text is considered to be sensitive content according to the regulations that apply to payment cards. A credit card number would, for example, be content under these regulations. Whether there is sensitive content in a text is detected using appropriate information in the same way as for the HIPAA-related rule.
If there is sensitive content in the text of a request body, the request is blocked. The settings of the Block action specify a message to the requesting user.
The rule also uses an event to count blocking due to a data loss prevention match.
Block files with SOX information
DLP.Classification.BodyText.Matched <SOX> equals true –> Block<DLP.Classification.Block> – Statistics.Counter.Increment (“BlockedByDLPMatch”,1)<Default>
The rule uses the DLP.Classification.BodyText.Matched property to check whether the body of the request that is currently processed contains text that is considered to be sensitive content. This text could, for example, be in a file that a client requests to upload to the web.
Text is considered to be sensitive content according to the regulations of the Sarbanes-Oxley (SOX) act on public company accountability. Board meeting minutes would, for example, be sensitive content under this act. Whether there is sensitive content in a text is detected using appropriate information in the same way as for the HIPAA-related rule.
If there is sensitive content in the text of a request body, the request is blocked. The settings of the Block action specify a message to the requesting user.
The rule also uses an event to count blocking due to a data loss prevention match.

DLP in Response Cycle

This nested rule set blocks responses that are received on the appliance from web servers if it is detected that they contain inappropriate content, for example, discriminatory or offensive language.

Nested library rule set – DLP in Response Cycle
Criteria – Cycle.TopName equals "Response"
Cycles – Responses, Embedded objects

The rule set criteria specifies that the rule set applies when a response is processed on the appliance.

The rule set contains the following rule:

Acceptable use
DLP.Classification.BodyText.Matched <Acceptable Use> equals true –> Block<DLP.Classification.Block> – Statistics.Counter.Increment (“BlockedByDLPMatch”,1)<Default>
The rule uses the DLP.Classification.BodyText.Matched property to check whether the body of the response that is currently processed contains text that is considered to be sensitive content. This text could, for example, be in a file that is sent in response to a download request.
The module that is called by the rule to find out whether there is inappropriate content in the response body uses appropriate information from classification lists. Use of these lists is configured as part of the module settings, which are specified after the property name.
If there is inappropriate content in the text of a response body, the response is blocked. The settings of the Block action specify a message to the user to whom the response should have been forwarded.
The rule also uses an event to count blocking due to a data loss prevention match.
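As an added illustration (not part of this documentation and not the product's own code), the following Python sketch models how the pieces described above fit together: the nested rule sets with their Cycle.TopName criteria, the DLP.Classification.BodyText.Matched property, the Block action with its user message, the BlockedByDLPMatch counter event, and the response rule set being disabled by default. The CLASSIFIERS matchers and all class and function names are constructed stand-ins; the real appliance decides matches from its configured classification lists.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-ins for the appliance's classification lists (the real module settings decide matches).
CLASSIFIERS = {
    "HIPAA": lambda t: "patient" in t.lower() and "diagnosis" in t.lower(),
    "Payment Card Industry": lambda t: re.search(r"\b(?:\d[ -]?){15}\d\b", t) is not None,
    "SOX": lambda t: "board meeting minutes" in t.lower(),
    "Acceptable Use": lambda t: "offensive-word" in t.lower(),
}
@dataclass
class Transaction:
    cycle: str          # Cycle.TopName: "Request" or "Response"
    body_text: str      # text the DLP module classifies (file content, form data)
    counters: dict = field(default_factory=dict)  # Statistics counters

def body_text_matched(tx, classification):
    """DLP.Classification.BodyText.Matched <classification> equals true."""
    return CLASSIFIERS[classification](tx.body_text)

@dataclass
class Rule:
    name: str
    classification: str
    block_message: str  # message configured in Block<DLP.Classification.Block>

def evaluate_rule_set(tx, cycle_name, rules, enabled=True):
    """Nested rule set with criteria 'Cycle.TopName equals cycle_name'.
    Returns the Block message of the first matching rule, else None."""
    if not enabled or tx.cycle != cycle_name:
        return None
    for rule in rules:
        if body_text_matched(tx, rule.classification):
            # Event: Statistics.Counter.Increment("BlockedByDLPMatch", 1)
            tx.counters["BlockedByDLPMatch"] = tx.counters.get("BlockedByDLPMatch", 0) + 1
            return rule.block_message
    return None

REQUEST_RULES = [
    Rule("Block files with HIPAA information", "HIPAA", "Blocked: HIPAA content"),
    Rule("Block files with Payment Card Industry information", "Payment Card Industry", "Blocked: PCI content"),
    Rule("Block files with SOX information", "SOX", "Blocked: SOX content"),
]
RESPONSE_RULES = [Rule("Acceptable use", "Acceptable Use", "Blocked: inappropriate content")]

def process(tx, response_dlp_enabled=False):
    """Top-level rule set (criteria Always): request set always runs, response set only when enabled."""
    return (evaluate_rule_set(tx, "Request", REQUEST_RULES)
            or evaluate_rule_set(tx, "Response", RESPONSE_RULES, response_dlp_enabled))
```

Note that the same card-number text is blocked in the request cycle but passes in the response cycle, because the payment card rule lives only in the request rule set and the response set checks acceptable use alone.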