I want to create an email protection rule in DLP 11.2 to flag emails to external email addresses. If I create an exception for internal emails and flag everything else then users can bypass this rule by also including internal recipient (in to, cc or bcc fields) as well as an external recipient. How can I get rule to trigger if external recipient is included in any fields (regardless if internal email address is also included)?
Not sure, if you are still looking for a solution.
However, existing DLP Rules should be able to achieve it. Is about Email Protection rule or a Web Post protection rule?
We can create List of Email addresses based on Sender and Recipients. If you can share some more details, probably screenshots and Incidents, then it will help in understanding your requirement in a better way.
It's an email protection rule. I am interested in recipients. I want to flag emails which are sent to an external email address. eg. email@example.com
If the email address is internal eg. firstname.lastname@example.org then it should not be flagged by DLP unless it is also being sent to external email address. eg. if email@example.com is in "To" field and firstname.lastname@example.org is in "Bcc" field then this should be flagged.