cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Linuxxo
Level 11
Report Inappropriate Content
Message 1 of 5
‎08-19-2019 07:37 AM

Exclude users from triggering rules and creating Incidents

Jump to solution

Hi,

I am aware that there is an option for Privileged Users, however an Incident is still being raised if a rule is triggered. Is there a way or workaround to prevent Incidents from being raised for certain users and/or groups? 

We are currently excluding specific Systems from having the DLP Endpoint installed as workaround, but that is not an ideal solution since the users that we want to exclude, they do login on other Systems from time to time that have the DLP installed.

Many thanks in advance.

0 Kudos
Reply
1 Solution

Accepted Solutions
fabhoo
Level 9
Report Inappropriate Content
Message 4 of 5
‎08-20-2019 06:49 AM

Re: Exclude users from triggering rules and creating Incidents

Jump to solution

Thats right, DLP has no user based policies, you have to chose system based policies. The recognition which user is logged on will be triggered within the Tag Criteria:

hghfgannt.PNG

Now, one problem with this could be that your user (which should not get any DLP block events) logs on and your upcoming agent to server communication interval is too far away, lets say for example 53 minutes. Until the next 53 minutes some DLP events may occur and will show up to the user, because the agent has not yet recognized that this special user is logged on.

To avoid that, create an additional Client Task for an Agent Wakeup and assign it like this to your System Tree:

dsfdfsannt.PNG

 5tr546nt.PNG

 
With this Task, at every user logon a system triggers an Agent Wakeup Call, recognizes which user is logged on and pulls the DLP OFF Tag (and policy, because of your Policy Assignment Rule) - or automatically deletes it, when a normal DLP user logs on.

Hope that helps 🙂

Regards
Fab

View solution in original post

0 Kudos
Reply
4 Replies
fabhoo
Level 9
Report Inappropriate Content
Message 2 of 5
‎08-19-2019 10:16 AM

Re: Exclude users from triggering rules and creating Incidents

Jump to solution

Hi,

one way to realize this is to create a Policy Assignment Rule (with an empty or "silent" DLP policy) to systems based on Tags. Within the related Tag define the Criteria: User Name equals NameOfYourUser.
Make sure that within the Tag definition you have the Evaluation set to "Evaluate on each agent-server communication".

However, the downside is that you have to maintain user by user. The better way is to create a definition within the DLP Policy Manager. Under "Source / Destination" you will find "End-User Group". Here you are able to create user groups based on Active Directory groups (your LDAP server has to be available under "Registered Servers") and assign them as an exception to your Device Rule  (Exceptions > Excluded Users > End-User belongs to one of the end-user groups > Then select your recently created group.

With those exceptions you can "disable" DLP functionality for certain user(groups), no matter which system the log on to.

I hope this works for you!

0 Kudos
Reply
Linuxxo
Level 11
Report Inappropriate Content
Message 3 of 5
‎08-20-2019 01:13 AM

Re: Exclude users from triggering rules and creating Incidents

Jump to solution

Thanks for your suggestions, the first option is ideal since we do not have that many users to be added. I am already using the system based policies assignment for DLP policies which is working great, however as soon as I try to create a user based policy assignment, for some reason the DLP is not listed under the Product drop-down menu. Is it possible that DLP policies cannot be assigned to users?

clipboard_image_1.png

The second option is also doable, but it will require to update all existing rules and ensure to the administrator adds the exclusion group whenever a new rule is created.

0 Kudos
Reply
fabhoo
Level 9
Report Inappropriate Content
Message 4 of 5
‎08-20-2019 06:49 AM

Re: Exclude users from triggering rules and creating Incidents

Jump to solution

Thats right, DLP has no user based policies, you have to chose system based policies. The recognition which user is logged on will be triggered within the Tag Criteria:

hghfgannt.PNG

Now, one problem with this could be that your user (which should not get any DLP block events) logs on and your upcoming agent to server communication interval is too far away, lets say for example 53 minutes. Until the next 53 minutes some DLP events may occur and will show up to the user, because the agent has not yet recognized that this special user is logged on.

To avoid that, create an additional Client Task for an Agent Wakeup and assign it like this to your System Tree:

dsfdfsannt.PNG

 5tr546nt.PNG

 
With this Task, at every user logon a system triggers an Agent Wakeup Call, recognizes which user is logged on and pulls the DLP OFF Tag (and policy, because of your Policy Assignment Rule) - or automatically deletes it, when a normal DLP user logs on.

Hope that helps 🙂

Regards
Fab

View solution in original post

0 Kudos
Reply
Linuxxo
Level 11
Report Inappropriate Content
Message 5 of 5
‎08-21-2019 04:49 AM

Re: Exclude users from triggering rules and creating Incidents

Jump to solution

Many thanks for your help 😃 much appreciated.

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2020 McAfee, LLC