I've found out that MWG 7.2.0 has integrated DLP functions. I cannot find any documentation or examples of usage. Can you provide me with rule examples for DLP Classification and DLP Dictionaries?
Official documentation is still in development, so I'll try to explain it in this answer...
DLP functionality in MWG 7.2 is provided by 2 filters: the DLP Classification filter and the DLP Dictionary filter. The first filter (DLP Classification) lets you find documents that match a list of selected DLP Classifications (like URL Categories): HIPAA, PCI, etc. The list of DLP Classifications is fixed. The second filter (DLP Dictionary) can be used to search for custom terms (regexes/wildcards and/or words) that aren't covered by the DLP Classification filter, for example, if you want to add a list of the people on your company's board of directors. DLP Dictionary can be used together with the DLP Classification filter to augment its functionality (by using properties from both filters in one rule).
To use the DLP Classification filter you need to create corresponding settings and select which DLP Classifications will be checked during data filtering. Besides the list of DLP Classifications, you can specify additional settings, like Tracking Policy: minimum means that checking will stop after the 1st result, while maximum will continue checking until all entries are found.
After you have created the settings, you can create a rule that checks whether or not your data matches the selected DLP Classifications. You can use either the DLP.Classification.BodyText.Matched or the DLP.Classification.AnyText.Matched property. The first property works on text extracted from the current body (a document, or something like it), while the second can process any text that is passed as its first parameter. If the filter finds something in the given text, then these properties will be set to true, and you can find the list of matched DLP Classifications in the properties DLP.Classification.BodyText.MatchedClassifications or DLP.Classification.AnyText.MatchedClassifications, and the matched terms in the properties DLP.Classification.BodyText.MatchedTerms or DLP.Classification.AnyText.MatchedTerms.
To use the DLP Dictionary filter you also need to create settings and enter the list of words and/or wildcards that will be checked in the text. After creating the settings, you can use them with properties like DLP.Dictionary.BodyText.Matched, etc., similar to the properties described above, but with names starting with DLP.Dictionary...
I'll try to answer more questions if you have them, and I also hope that we'll have official documentation soon.
Thank you for the almost exhaustive answer 🙂
1/ Under each of the DLP Classification categories, there are some words hardcoded. Can you tell me whether the words are the same as in the McAfee Data Loss Protection appliance?
2/ In the DLP engine configuration there are "Reported Context width" and "Context List Size" parameters. Can you describe their function?
3/ Wildcards in DLP Dictionaries. Can I use GLOB or regex expressions there?
1) Not sure that they are the same for all categories, but unification work is in progress. I need to ask another team for clarification.
2) "Reported context width" is the size (in characters) of the data before and after matching terms. The matching terms themselves will be put into square brackets. For example, if you have the text "this is a test of detection" and are looking for the word "test" with "Reported context width" equal to 3, then in the MatchedTerms properties you'll get the following: " a [ test ] of". This makes it easier to find matched terms in your text. "Context List Size" defines the maximum number of matched-term entries that will be reported back by the engine. If you have a big number of classifications selected and the 'maximum' tracking policy, then you may need to increase this parameter if you want to find all matched terms.
3) You can use globs - this is the same as in other parts of MWG, but usually globs aren't useful, as they are usually transformed to a ^....$ regex that should match the whole string.
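Added example, not part of the thread and not MWG code: a small Python model of how the "Reported context width", "Context List Size" and Tracking Policy settings described above shape what ends up in a MatchedTerms list. The function name, the literal case-sensitive search and the "[ term ]" bracket spacing (copied from the example string in the reply) are assumptions; the sample texts are constructed.

```python
import re


def report_matches(text, terms, context_width=3, context_list_size=10,
                   tracking="maximum"):
    """Model the reporting behaviour described in the thread (hypothetical helper).

    context_width     -- characters of surrounding text kept on each side
    context_list_size -- maximum number of entries reported back
    tracking          -- "minimum" stops after the first hit, "maximum" scans all
    """
    if tracking not in ("minimum", "maximum"):
        raise ValueError("tracking must be 'minimum' or 'maximum'")
    if not terms:
        return {"matched": False, "entries": [], "dropped": 0}

    # Assumption: dictionary terms are searched as literal substrings.
    pattern = re.compile("|".join(re.escape(t) for t in terms))

    entries, total = [], 0
    for m in pattern.finditer(text):
        total += 1
        if len(entries) < context_list_size:
            before = text[max(0, m.start() - context_width):m.start()]
            after = text[m.end():m.end() + context_width]
            entries.append(f"{before}[ {m.group(0)} ]{after}")
        if tracking == "minimum":
            break  # one result is enough to set the Matched flag

    # "dropped" counts hits that were found but did not fit in the list,
    # which is the case where the list size needs to be increased.
    return {"matched": total > 0, "entries": entries,
            "dropped": total - len(entries)}


if __name__ == "__main__":
    # Constructed sample: the sentence used in the reply above.
    print(report_matches("this is a test of detection", ["test"]))
    # Constructed sample: three hits, but room for only two entries.
    sample = "card 1111 and card 2222 and card 3333"
    print(report_matches(sample, ["card"], context_list_size=2))
    print(report_matches(sample, ["card"], tracking="minimum"))
```
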
Hope all is well?
Great to see that you are testing 7.2
We don't have any externally facing documentation at this stage, but I hope that Alex' answers provided you with good conclusions so far.
Docu of course to follow.