5 Replies Latest reply: Oct 18, 2013 5:02 PM by eelsasser

    More information after a DLP trigger

    cjoshdoll

      Right now we are just monitoring with the DLP rules.  Basically we just get an email saying the rule was triggered and then I go hit the DLP log created from the builtin rule.


      I know I can pretty up the email and send more information, but is there more relevant info than what is in the DLP log?  For example, this one hit this morning:


      [17/Oct/2013:10:31:38 -0500] "-" 10.3.21.61 205.188.138.183 200 "POST http://mail.aol.com/38109-111/aol-6/en-us/common/rpc/RPC.aspx?user=C3MTTH4Rsm&transport=xmlhttp&r=0.8576647616922366&a=SendMessage&m=03242fbf084dfc&l=10504 HTTP/1.1" "SOX Compliance - Compensation and Benefits" "Minimal Risk" "application/json" 1526 204137 "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" "0" "" "-"


      Since that was AOL Mail, it is concerning, but at the same time, might have been nothing, so before we go jumping onto people, it would be nice to have a better idea of the content of the POST.


      Thanks


      JD
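The DLP log line quoted above already carries the facts a responder needs for first triage (client, destination host, request action, which rule fired, the risk level), but only if the line is split on its quoted fields rather than on spaces. The parser below is an added example written for this thread, not code from the original post or from McAfee; the positional field names after the timestamp are this example's own labels (assumed from the order of the quoted line, not MWG's documented names), and the sample line is reconstructed from the one in the post.

```python
import re
import shlex
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the access-log line quoted in the opening post, with the
# wrapped "transport" parameter re-joined.
SAMPLE_LINE = (
    '[17/Oct/2013:10:31:38 -0500] "-" 10.3.21.61 205.188.138.183 200 '
    '"POST http://mail.aol.com/38109-111/aol-6/en-us/common/rpc/RPC.aspx'
    '?user=C3MTTH4Rsm&transport=xmlhttp&r=0.8576647616922366'
    '&a=SendMessage&m=03242fbf084dfc&l=10504 HTTP/1.1" '
    '"SOX Compliance - Compensation and Benefits" "Minimal Risk" '
    '"application/json" 1526 204137 '
    '"Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" '
    '"0" "" "-"'
)

TS_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<rest>.*)$")

# Assumed names for the tokens that follow the timestamp. They are labels
# chosen for this example from the order of the quoted line; the direction of
# the two byte counters is not stated in the thread, so they are kept neutral.
FIELDS = [
    "auth_user", "client_ip", "server_ip", "status", "request",
    "dlp_rule", "risk", "content_type", "bytes_field_1", "bytes_field_2",
    "user_agent", "block_id", "extra_1", "extra_2",
]


def parse_dlp_log_line(line):
    """Split one MWG-style DLP log line into a dict, honouring quoted fields."""
    m = TS_RE.match(line.strip())
    if not m:
        raise ValueError("line does not start with a bracketed timestamp")
    tokens = shlex.split(m.group("rest"))  # keeps "SOX Compliance - ..." as one token
    if len(tokens) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(tokens)}")
    rec = dict(zip(FIELDS, tokens))
    rec["timestamp"] = m.group("ts")
    rec["status"] = int(rec["status"])
    rec["bytes_field_1"] = int(rec["bytes_field_1"])
    rec["bytes_field_2"] = int(rec["bytes_field_2"])

    # Break the request line apart so the destination and the webmail action
    # (the "a=" query parameter in this case) are separately visible.
    method, url, _version = rec["request"].split(" ", 2)
    parts = urlsplit(url)
    rec["method"] = method
    rec["host"] = parts.hostname
    rec["path"] = parts.path
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def triage_summary(rec):
    """One line for the notification e-mail: who, where, which action, which rule."""
    action = rec["query"].get("a", "?")
    return (
        f'{rec["timestamp"]} {rec["client_ip"]} -> {rec["method"]} '
        f'{rec["host"]}{rec["path"]} (a={action}) '
        f'rule="{rec["dlp_rule"]}" risk="{rec["risk"]}"'
    )


if __name__ == "__main__":
    print(triage_summary(parse_dlp_log_line(SAMPLE_LINE)))
```

Running it on the sample shows the point the poster makes: the hit is a POST to mail.aol.com with a=SendMessage, i.e. a message being sent through webmail, which is why the rule name alone is not enough to decide whether it was benign.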

        • 1. Re: More information after a DLP trigger
          eelsasser

          Double-edged sword.

          Yes, you can log the actual content that was matched on, but that could expose sensitive information.

          Do you want to risk that?


          DLP.Classification.BodyText.MatchedClassifications: Payment Card Industry - Credit Card Number Violations

          DLP.Classification.BodyText.MatchedTerms:

          Classification: 'Payment Card Industry - Credit Card Number Violations': '7-55-5462 [ Credit Card ] Type Cred',

          Classification: 'Payment Card Industry - Credit Card Number Violations': 'n Express [ 378282246310005  ]American E',

          Classification: 'Payment Card Industry - Credit Card Number Violations': '7-55-5462 [ Credit Card ] Type Cred',

          Classification: 'Payment Card Industry - Credit Card Number Violations': 'sterCard  [ 5555555555554444  ]MasterCard',

          Classification: 'Payment Card Industry - Credit Card Number Violations': '7-55-5462 [ Credit Card ] Type Cred',

          Classification: 'Payment Card Industry - Credit Card Number Violations': '5100 Visa [ 4111111111111111  ]Visa 40128',

          Classification: 'Payment Card Industry - Credit Card Number Violations': '7-55-5462 [ Credit Card ] Type Cred',

          Classification: 'Payment Card Industry - Credit Card Number Violations': 'ners Club [ 30569309025904  ]Diners Clu',

          Classification: 'Payment Card Industry - Credit Card Number Violations': '7-55-5462 [ Credit Card ] Type Cred',

          Classification: 'Payment Card Industry - Credit Card Number Violations': 'Discover  [ 6011111111111117  ]Discover 6'


          Message was edited by: eelsasser on 10/17/13 1:47:50 PM EDT
          • 2. Re: More information after a DLP trigger
            cjoshdoll

            Yes.  The only ones with access to the MWG are within the security dept.  Specifically with regard to CC #'s, we are a level 1 merchant, and NO cc numbers are to be stored, much less transmitted.  We also maintain SOX compliance.  We can always tune it back, but right now we are trying to understand what might be getting out...

            • 3. Re: More information after a DLP trigger
              eelsasser

              Store DLP.Classification.BodyText.MatchedTerms to a user-defined variable as an event occurs and write it to the log.

              Because special characters like quotes may be contained in the data string, I would suggest at least base64 encoding them, also to further obfuscate them.

              • 4. Re: More information after a DLP trigger
                cjoshdoll

                Please forgive my ignorance, but I cannot seem to figure this out.  I actually have a rule that already sets User-Defined.DLP.MatchedTerms=DLP.Classification.BodyText.MatchedTerms<PCI>, but if I try to add it to the logline or an email body, when I do parameter property, User-Defined.DLP.MatchedTerms isn't in the list.  Tried doing a stringreplaceif, and same thing, that property isn't available in the list...



                What am I missing?

                • 5. Re: More information after a DLP trigger
                  eelsasser

                  List.OfString.ToString(User-Defined.DLP.MatchedTerms,", ")

                   

                  It's not just one string, but a list of strings that contains all the violations.
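Replies 3 and 5 together describe the pipeline: MatchedTerms is a list of strings, it has to be flattened with List.OfString.ToString before it can go into a log line or e-mail body, and the flattened string should be base64 encoded so embedded quotes do not break the log format. The example below is added here and is not code from the thread or from McAfee: it reproduces that flattening and encoding in Python over a constructed list built from the MatchedTerms entries in reply 1, and adds one step the thread only hints at in "do you want to risk that?", an optional masking of card numbers down to the last four digits before the value is written. The function names and the masking regex are this example's own choices.

```python
import base64
import re

# Constructed sample, copied from the MatchedTerms entries eelsasser posted.
# The numbers are the well-known PCI test card numbers, not real accounts.
MATCHED_TERMS = [
    "7-55-5462 [ Credit Card ] Type Cred",
    "n Express [ 378282246310005  ]American E",
    "sterCard  [ 5555555555554444  ]MasterCard",
    "5100 Visa [ 4111111111111111  ]Visa 40128",
    "ners Club [ 30569309025904  ]Diners Clu",
    "Discover  [ 6011111111111117  ]Discover 6",
]

# Runs of 13 to 19 digits are treated as a PAN for masking purposes.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def list_to_string(terms, sep=", "):
    """Same effect as List.OfString.ToString(list, ", "): one flat string."""
    return sep.join(terms)


def mask_pans(text):
    """Replace every digit of a PAN except the last four with '*'."""
    return PAN_RE.sub(lambda m: "*" * (len(m.group()) - 4) + m.group()[-4:], text)


def encode_for_log(terms, mask=True):
    """Flatten, optionally mask, then base64 encode so quotes and commas in the
    matched text cannot break a quoted log field. mask=False reproduces the
    thread's approach of logging the matched content as-is."""
    flat = list_to_string(terms)
    if mask:
        flat = mask_pans(flat)
    return base64.b64encode(flat.encode("utf-8")).decode("ascii")


def decode_for_review(field):
    """Inverse of encode_for_log, for whoever reads the log or e-mail."""
    return base64.b64decode(field).decode("utf-8")


def is_log_safe(field):
    """True if the value uses only the base64 alphabet (no quotes, no spaces)."""
    return all(c.isalnum() or c in "+/=" for c in field)


if __name__ == "__main__":
    enc = encode_for_log(MATCHED_TERMS)
    print(enc)
    print(decode_for_review(enc))
```

With masking on, the decoded value still shows which classification fired and which card brands were seen, which is usually enough to decide whether to escalate, while the log itself no longer becomes a second copy of the numbers the rule exists to keep out of transit.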