I would like to monitor and block the outgoing email traffic but without affecting existing users, just a test account.

Perhaps I should have clarified that I am already getting alerts from the Prevent without taking any actions. Now, let's say I have a test user and a system with a test policy assigned to it, what is going to happen if the user logs in on OWA from a different system with a different policy assigned?

Policy is system based and not user based. User Principal Name UPN) and User Logon Name (ULN) is used mainly for Incident /Reviewer group assignment

Hi @Linuxxo ,

To explain you in detail, can we know,

1) how did you setup your environment to receive alerts from the Prevent? 

2) What alerts (Incidents) are you receiving from DLP Prevent?

Kind Note: If you are using DLP Prevent then the DLP policy needs to be assigned to the DLP Prevent appliance and not to a user System as you have mentioned in your comment.

All email traffic or web traffic from your mail gateway or web gateway will be forwarded to the DLP Prevent and then DLP prevent takes action as per the DLP Prevent Email Protection Policy which you have created. If its OWA then you would need to use a Web Protection Rule.

Thank you.

Hi Suburra

1) I have just configured the Prevent appliances and the alerts starting coming in. I have checked this morning and noticed that the rules used to generate the alerts, are the ones I initially created to monitor Endpoints. I am not sure how that was automatically assigned to Prevent.

2) I receive alerts whenever a classification triggers the monitoring rule.

Assigning policy or rule sets to the appliances now is starting to make more sense, however I have not been able to find where it is being assigned.

Hi @Linuxxo ,

For a quick help I advise to raise a support case with McAfee Support, so that we can help you to find the assignments over the remote session.

Thank you.