
Exclude users from triggering rules and creating Incidents


Hi,

I am aware that there is an option for Privileged Users, however an Incident is still being raised if a rule is triggered. Is there a way or workaround to prevent Incidents from being raised for certain users and/or groups? 

We are currently excluding specific systems from having the DLP Endpoint installed as a workaround, but that is not an ideal solution since the users we want to exclude log in from time to time on other systems that have DLP installed.

Many thanks in advance.


4 Replies
fabhoo
Level 9
Message 2 of 5

Re: Exclude users from triggering rules and creating Incidents


Hi,

One way to realize this is to create a Policy Assignment Rule (with an empty or "silent" DLP policy) for systems based on Tags. Within the related Tag, define the Criteria: User Name equals NameOfYourUser.
Make sure that within the Tag definition you have the Evaluation set to "Evaluate on each agent-server communication".

However, the downside is that you have to maintain it user by user. The better way is to create a definition within the DLP Policy Manager. Under "Source / Destination" you will find "End-User Group". Here you are able to create user groups based on Active Directory groups (your LDAP server has to be available under "Registered Servers") and assign them as an exception to your Device Rule (Exceptions > Excluded Users > End-User belongs to one of the end-user groups > then select your recently created group).

With those exceptions you can "disable" DLP functionality for certain users (or groups), no matter which system they log on to.

I hope this works for you!

Re: Exclude users from triggering rules and creating Incidents


Thanks for your suggestions, the first option is ideal since we do not have that many users to be added. I am already using the system based policies assignment for DLP policies which is working great, however as soon as I try to create a user based policy assignment, for some reason the DLP is not listed under the Product drop-down menu. Is it possible that DLP policies cannot be assigned to users?

[screenshot: Product drop-down in the policy assignment dialog]

The second option is also doable, but it will require updating all existing rules and ensuring that the administrator adds the exclusion group whenever a new rule is created.

fabhoo
Level 9
Message 4 of 5

Re: Exclude users from triggering rules and creating Incidents


That's right, DLP has no user-based policies; you have to choose system-based policies. The recognition of which user is logged on is triggered within the Tag Criteria:

[screenshot: Tag Criteria]

Now, one problem with this could be that your user (who should not get any DLP block events) logs on and your next agent-to-server communication is too far away, let's say for example 53 minutes. During those 53 minutes some DLP events may occur and will show up for the user, because the agent has not yet recognized that this special user is logged on.

To avoid that, create an additional Client Task for an Agent Wakeup and assign it like this to your System Tree:

[screenshots: Agent Wakeup client task and its System Tree assignment]

With this Task, at every user logon a system triggers an Agent Wakeup Call, recognizes which user is logged on and pulls the DLP OFF Tag (and policy, because of your Policy Assignment Rule) - or automatically deletes it, when a normal DLP user logs on.

Hope that helps 🙂

Regards
Fab

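The timing gap Fab describes (tag only re-evaluated at the next agent-server communication, closed by a wakeup on logon) as an added model written for this thread; it is not ePO or DLP code. Assumed, not from the product: excluded user names, a tag named "DLP OFF", and that the silent policy is in effect exactly while that tag is present.

```python
"""Constructed model of the ePO tag-evaluation lag discussed above (not product code)."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set

# Constructed sample users that the tag criterion "User Name equals ..." matches.
EXCLUDED_USERS = {"svc_backup", "dlp_admin"}
SILENT_TAG = "DLP OFF"   # assumed tag name behind the Policy Assignment Rule


@dataclass
class Endpoint:
    logged_on_user: Optional[str] = None
    asci_minutes: int = 53          # agent-server communication interval from the post
    last_sync: int = 0              # minute of the last agent-server communication
    tags: Set[str] = field(default_factory=set)
    wakeup_on_logon: bool = False   # the additional Agent Wakeup client task

    def sync(self, now: int) -> None:
        """Tag criteria are evaluated on each agent-server communication."""
        self.last_sync = now
        if self.logged_on_user in EXCLUDED_USERS:
            self.tags.add(SILENT_TAG)
        else:
            self.tags.discard(SILENT_TAG)   # normal user: tag and silent policy removed

    def logon(self, user: str, now: int) -> None:
        self.logged_on_user = user
        if self.wakeup_on_logon:
            self.sync(now)               # wakeup forces an immediate communication

    def tick(self, now: int) -> None:
        """Regular ASCI: communicate only once the interval has elapsed."""
        if now - self.last_sync >= self.asci_minutes:
            self.sync(now)

    def dlp_policy(self) -> str:
        return "silent" if SILENT_TAG in self.tags else "default"


def policy_timeline(wakeup_on_logon: bool, user: str, minutes: Iterable[int]) -> Dict[int, str]:
    """Which DLP policy is in effect at each minute; the user logs on at minute 5."""
    ep = Endpoint(wakeup_on_logon=wakeup_on_logon)
    ep.sync(0)
    ep.logon(user, 5)
    timeline = {}
    for m in sorted(minutes):
        ep.tick(m)
        timeline[m] = ep.dlp_policy()
    return timeline
```

Without the wakeup task an excluded user who logs on at minute 5 still gets the default policy until the regular communication at minute 53; with it, the silent policy applies from the logon itself.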

Re: Exclude users from triggering rules and creating Incidents


Many thanks for your help 😃 much appreciated.
