DLP - removable Storage - Rules - definition question

I am building a rule to monitor USB removable storage, monitor only, right now.

Below is the makeup of the rule.

It is made up of 3 removable storage device definitions:

1DEVDEF - RS_filesystem = contains all the Windows file systems, FAT, NTFS, etc.

2DEVDEF - RS File system access = read-write

3DEVDEF - bus type - USB

I created a removable storage device rule to monitor only with all of the above definitions attached, and a UAG with the Domain Users AD object for many different domains.

When I do a query to show me all the machines that popped for this device rule, I get A LOT of things that aren't bus type USB.

GenFloppyDisk comes up a lot. For the floppy, the device details have no bus type; the only match in the details to my rule is the device file system access = read-write.

I keep getting back floppy drives, and they are not considered bus type USB.

The question I have: should I not build out the device definitions separately like that? Should I build out the above removable storage device definitions all into ONE definition, with all of the above selected in the one definition?

The only reason I split them out is that I heard the results are better (don't know how true that is).

I am building out a test rule now that is made up of ONE definition with all of the above selected, and I will post results. I might have to let it sit overnight and see what happens.

Message was edited by: sstretchh on 7/9/14 10:07:16 AM CDT
Accepted Solution

Re: DLP - removable Storage - Rules - definition question

Within a rule, vertically it is an OR condition.

Within a device definition, vertically the parameters form an AND condition. Within the parameter, it is an OR condition.

7 Replies

Re: DLP - removable Storage - Rules - definition question

The more I look at the rules and define the definitions: will the rule trigger if it hits any of the defined definitions, or is it only supposed to trigger if it hits all of the definitions?

So I have one definition that has

- bus type - USB

- file system access - read-write

- file system type (NTFS, FAT32, FAT16, exFAT)

I created a test rule to monitor for the above definition. Is the rule only supposed to trigger if it meets at least one of each of the above, or will it trigger if it meets any of the above?

Re: DLP - removable Storage - Rules - definition question

Want to make sure I understand your reply.

If I make ONE device definition, select a lot of things, and only include that ONE definition in the rule, it is more restrictive as to whether the rule will trigger.

If I make a lot of device definitions and include many definitions in the rule, I will pop much wider results as the random definitions start matching.

That would explain the weird results I am getting.

Re: DLP - removable Storage - Rules - definition question

Yes.

Why not create the AND condition within one single Device Definition?

Message was edited by: vimalnavis on 7/14/14 10:14:09 AM CDT
Re: DLP - removable Storage - Rules - definition question

That's what I did: create it all in one. During some training I took, I received some conflicting information. I was told to build out the device definitions individually and add them all into ONE rule to get better results. I found I was getting broad results.

When I saw the definitions, I just wanted to know, for my own sanity, if that is another way to create the AND definition.

I just asked the questions to make sure I was understanding how the rules worked.

I do appreciate all your replies and help with that.

Re: DLP - removable Storage - Rules - definition question

Both are valid ways of doing it. You would build the definitions depending on your requirement.

Set all the parameters in one definition if you are looking for an AND condition to narrow the scope. Use multiple definitions for an OR condition to increase the scope.

Re: DLP - removable Storage - Rules - definition question

Does the use of removable storage device definition groups work the same way?

If I created a removable storage device definition group with three definitions selected, and only added ONE definition group to the rule, would it be an AND condition once I have many definitions in it?

Message was edited by: sstretchh on 7/14/14 10:11:00 AM CDT