More information after a DLP trigger

Right now we are just monitoring with the DLP rules.  Basically we just get an email saying the rule was triggered and then I go hit the DLP log created from the built-in rule.

I know I can pretty up the email and send more information, but is there more relevant info than what is in the DLP log?  For example, this one hit this morning:

[17/Oct/2013:10:31:38 -0500] "-" 10.3.21.61 205.188.138.183 200 "POST http://mail.aol.com/38109-111/aol-6/en-us/common/rpc/RPC.aspx?user=C3MTTH4Rsm&transport=xmlhttp&r=0.... HTTP/1.1" "SOX Compliance - Compensation and Benefits" "Minimal Risk" "application/json" 1526 204137 "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "0" "" "-"

Since that was AOL Mail, it is concerning, but at the same time, might have been nothing, so before we go jumping onto people, it would be nice to have a better idea of the content of the POST.

Thanks

JD

5 Replies

Re: More information after a DLP trigger

Double-edged sword.

Yes, you can log the actual content that was matched on, but that could expose sensitive information.

Do you want to risk that?

DLP.Classification.BodyText.MatchedClassifications: Payment Card Industry - Credit Card Number Violations

DLP.Classification.BodyText.MatchedTerms:

Classification: 'Payment Card Industry - Credit Card Number Violations': '7-55-5462 [ Credit Card ] Type Cred',

Classification: 'Payment Card Industry - Credit Card Number Violations': 'n Express [ 378282246310005  ]American E',

Classification: 'Payment Card Industry - Credit Card Number Violations': '7-55-5462 [ Credit Card ] Type Cred',

Classification: 'Payment Card Industry - Credit Card Number Violations': 'sterCard  [ 5555555555554444  ]MasterCard',

Classification: 'Payment Card Industry - Credit Card Number Violations': '7-55-5462 [ Credit Card ] Type Cred',

Classification: 'Payment Card Industry - Credit Card Number Violations': '5100 Visa [ 4111111111111111  ]Visa 40128',

Classification: 'Payment Card Industry - Credit Card Number Violations': '7-55-5462 [ Credit Card ] Type Cred',

Classification: 'Payment Card Industry - Credit Card Number Violations': 'ners Club [ 30569309025904  ]Diners Clu',

Classification: 'Payment Card Industry - Credit Card Number Violations': '7-55-5462 [ Credit Card ] Type Cred',

Classification: 'Payment Card Industry - Credit Card Number Violations': 'Discover  [ 6011111111111117  ]Discover 6'

Message was edited by: eelsasser on 10/17/13 1:47:50 PM EDT

Re: More information after a DLP trigger

Yes.  The only ones with access to the MWG are within the security dept.  Specifically with regard to CC #'s, we are a level 1 merchant, and NO cc numbers are to be stored, much less transmitted.  We also maintain SOX compliance.  We can always tune it back, but right now we are trying to understand what might be getting out...

Re: More information after a DLP trigger

Store DLP.Classification.BodyText.MatchedTerms to a user-defined variable as an event occurs and write it to the log.

Because special characters like quotes may be contained in the data string, I would suggest at least base64 encoding them, also to further obfuscate them.

Re: More information after a DLP trigger

Please forgive my ignorance, but I cannot seem to figure this out.  I actually have a rule that already sets User-Defined.DLP.MatchedTerms=DLP.Classification.BodyText.MatchedTerms<PCI> but if I try to add it to the logline, or an email body, when I do parameter property, User-Defined.DLP.MatchedTerms isn't in the list.  Tried doing a stringreplaceif, and same thing, that property isn't available in the list...

What am I missing?

Re: More information after a DLP trigger

List.OfString.ToString(User-Defined.DLP.MatchedTerms,", ")

It's not just one string, but a list of strings that contains all the violations.
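The two replies above describe the whole pipeline: the matched terms arrive as a list of strings, they get joined into one string, and that string should be base64 encoded before it lands in the log line or email. The added example below (my code, not from the thread or from McAfee Web Gateway) shows that pipeline offline in Python, with one extra step a practitioner would want given the "double-edged sword" caveat earlier in the thread: any Luhn-valid card number inside a matched snippet is masked to its last four digits before the value is encoded, so the log still tells you which card type and which page tripped the rule without storing a full PAN. The sample entries are constructed to match the shape of the MatchedTerms output quoted above (they use the same public test card numbers), and `", "` is the separator used in the `List.OfString.ToString` call in the last reply.

```python
import base64
import re
from typing import List, Tuple

# Constructed sample: entries in the shape of DLP.Classification.BodyText.MatchedTerms
# quoted earlier in the thread. The card numbers are the standard public test numbers.
SAMPLE_MATCHED_TERMS = [
    "Classification: 'Payment Card Industry - Credit Card Number Violations': '7-55-5462 [ Credit Card ] Type Cred'",
    "Classification: 'Payment Card Industry - Credit Card Number Violations': 'n Express [ 378282246310005  ]American E'",
    "Classification: 'Payment Card Industry - Credit Card Number Violations': '7-55-5462 [ Credit Card ] Type Cred'",
    "Classification: 'Payment Card Industry - Credit Card Number Violations': 'sterCard  [ 5555555555554444  ]MasterCard'",
    "Classification: 'Payment Card Industry - Credit Card Number Violations': '5100 Visa [ 4111111111111111  ]Visa 40128'",
    "Classification: 'Payment Card Industry - Credit Card Number Violations': 'ners Club [ 30569309025904  ]Diners Clu'",
    "Classification: 'Payment Card Industry - Credit Card Number Violations': 'Discover  [ 6011111111111117  ]Discover 6'",
]

# One entry is "Classification: '<rule name>': '<matched snippet>'" (assumed from the quoted output).
ENTRY_RE = re.compile(r"^Classification: '(?P<name>[^']*)': '(?P<snippet>.*)'$")
# Candidate PANs: 13 to 19 contiguous digits.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check; this is what separates a card number from a random digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(snippet: str) -> str:
    """Replace each Luhn-valid digit run with asterisks, keeping only the last four digits."""
    def repl(m: "re.Match[str]") -> str:
        pan = m.group(0)
        if not luhn_valid(pan):
            return pan          # not a card number; leave the context intact
        return "*" * (len(pan) - 4) + pan[-4:]
    return PAN_RE.sub(repl, snippet)


def parse_entry(entry: str) -> Tuple[str, str]:
    """Split one MatchedTerms entry into (rule name, matched snippet)."""
    m = ENTRY_RE.match(entry)
    if not m:
        raise ValueError(f"unrecognised MatchedTerms entry: {entry!r}")
    return m.group("name"), m.group("snippet")


def redact_matched_terms(entries: List[str]) -> List[str]:
    """Mask PANs in every snippet and drop exact duplicates, preserving order."""
    seen = set()
    out = []
    for entry in entries:
        name, snippet = parse_entry(entry)
        line = f"{name}: {mask_pan(snippet)}"
        if line not in seen:
            seen.add(line)
            out.append(line)
    return out


def to_log_field(entries: List[str], sep: str = ", ") -> str:
    """Join the redacted list with `sep` (as List.OfString.ToString would) and base64 it.

    Base64 keeps quotes and other special characters from breaking the log-line format,
    which is the reason given in the thread for encoding the value."""
    joined = sep.join(redact_matched_terms(entries))
    return base64.b64encode(joined.encode("utf-8")).decode("ascii")


def from_log_field(field: str) -> str:
    """Decode the stored value back into the readable, still-masked list for an analyst."""
    return base64.b64decode(field).decode("utf-8")


if __name__ == "__main__":
    encoded = to_log_field(SAMPLE_MATCHED_TERMS)
    print(encoded)
    print(from_log_field(encoded))
```

Decoding the stored field gives the analyst the rule name, the card brand text and the last four digits of each hit, which is usually enough to decide whether the POST was a real leak before anyone is approached about it; the full PAN never reaches the log or the notification email.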
