1 Reply Latest reply on Nov 26, 2013 11:48 AM by keithdrone

    Help with tweaking a policy during a discover scan? Too many false positive SSNs


      Has anyone out there had any luck with Network DLP Discover in tweaking the North America Personally Identifiable Information policy to exclude certain false positives?  For example, if I wanted to exclude, as being detected as incidents, any values beginning with 001, would my rule look like this:


      Discover Query : [ Content Type is any of ( GZIP OR RAR OR TAR OR TNEF OR ZIP OR IMAP OR POP3 OR SMTP OR WebMail OR CSV OR Excel OR MSWord OR PDF OR Powerpoint OR WordPerfect ) ]  AND

      [ Concept is any of ( SOCIAL-SECURITY-NUMBER-THRESHOLD ) ]  AND

      [ Scan Operation is any of ( scan-shares ) ]


      Exception 1 - NOT (  [ Keywords contains any of ( 001* ) ]  )


      If not, what am I doing wrong?  A screen shot of my search is attached.