Has anyone out there had any luck with Network DLP Discover in tweaking the North America Personally Identifiable Information policy to exclude certain false positives? For example, if I wanted to exclude, as being detected as incidents, any values beginning with 001, would my rule look like this:
Discover Query : [ Content Type is any of ( GZIP OR RAR OR TAR OR TNEF OR ZIP OR IMAP OR POP3 OR SMTP OR WebMail OR CSV OR Excel OR MSWord OR PDF OR Powerpoint OR WordPerfect ) ] AND
[ Concept is any of ( SOCIAL-SECURITY-NUMBER-THRESHOLD ) ] AND
[ Scan Operation is any of ( scan-shares ) ]
Exception 1 - NOT ( [ Keywords contains any of ( 001* ) ] )
If not, what am I doing wrong? A screen shot of my search is attached.
SSNs are terrible for false positives. Try using some keyword validation, such as SSN, SSN#, Social Security, etc.
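The two ideas in this thread (excluding values that begin with 001, and requiring a validation keyword near the match) can be prototyped outside the product to see how they change the hit list. This is an added example, not part of the original posts and not Network DLP rule syntax; the function name, the 40-character window, the accepted SSN formats and the sample lines are all assumptions made for illustration.

```python
import re

# Candidate SSN shapes (assumed): 123-45-6789, 123 45 6789 or 123456789.
# \2 forces the same separator in both positions; lookarounds reject longer digit runs.
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")

# Validation keywords suggested in the reply ("SSN" also covers "SSN#").
KEYWORD_RE = re.compile(r"\bSSN\b|\bSocial Security\b", re.IGNORECASE)

def find_ssn_incidents(text, excluded_prefixes=("001",), window=40):
    """Return (line_number, value) for SSN-shaped values that have a validation
    keyword within `window` characters on the same line and do not start with
    an excluded prefix."""
    incidents = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            # Exception: drop values beginning with an excluded prefix (e.g. 001).
            if m.group(1).startswith(tuple(excluded_prefixes)):
                continue
            # Keyword validation: only count the match if a keyword is nearby.
            context = line[max(0, m.start() - window):m.end() + window]
            if KEYWORD_RE.search(context):
                incidents.append((lineno, m.group(0)))
    return incidents

# Constructed sample data; none of these values come from the thread.
SAMPLE = "\n".join([
    "Employee SSN: 123-45-6789 on file.",
    "Part number 523-45-1111 shipped.",
    "Social Security 001-23-4567 (excluded prefix).",
    "Invoice 412559876 total due.",
    "ssn# 536 12 3456 verified.",
])

if __name__ == "__main__":
    for lineno, value in find_ssn_incidents(SAMPLE):
        print(f"line {lineno}: {value}")
```

Lines 2 and 4 of the sample match the SSN shape but are dropped for lack of a keyword, and line 3 is dropped by the prefix exception.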