Data Loss Prevention

  • 1.  Whitelist Domain Recipient Rule

    Posted Feb 12, 2018 03:21 PM

    All,

    Trying to find the best way to create a policy that triggers an incident when a user accesses a URL outside a specific list of domains. Ideally would like to have 5 or 6 domains listed that would not trigger an incident. Everything else, we would like an incident to be made. The detection would be made from Network Prevent for Web servers.

    Please let me know if you have any ideas of how this could be done.

    Thank you,



  • 2.  RE: Whitelist Domain Recipient Rule

    Posted Feb 13, 2018 08:46 AM

    Hi J, so there are two ways to exclude domains for Web prevent. One is at the Web prevent server level and the other is at the policy level. To exclude the domains from a policy use the Groups tab, add an exception, exception type is "recipient Matches Pattern", and in the pattern section use the "URL Domain" field to populate the domain names you are not interested in. Match counting does not apply to web prevent. To exclude domains across the board for all web policies go to the console, System / Servers and detectors / select your web prevent server. Choose configure and in the "Request Filtering" section, under "ignore requests to hosts or domains" input your domain names you are not interested in.



  • 3.  RE: Whitelist Domain Recipient Rule

    Posted Feb 14, 2018 02:44 PM

    This is a good thought, but I'm not trying to make an exception, ignore other traffic, or exclude anything. I am simply trying to create an incident when there is traffic going to a recipient outside of a domain list I specify. For example, if I specify three domains like google.com, symantec.com, and espn.com in a rule, I would like to trigger an incident when a user accesses yahoo.com or any other domain that isn't one of the three I listed. There is a very unique use case for this rule and not sure if it can be done, since it would likely cause a lot of false positives in a majority of environments.



  • 4.  RE: Whitelist Domain Recipient Rule

    Posted Feb 15, 2018 12:43 PM

    You wrote "I am simply trying to create an incident when there is traffic going to a recipient outside of a domain list I specify". Outside of a domain list, to me, means that domain list becomes your exclude list. Detect all traffic except (outside of) this domain list. If you also need to detect traffic for that same domain list then you will need two policies. One policy to detect traffic TO that domain list and one to detect traffic to everything except/outside of that domain list.
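
The check discussed in posts 3 and 4 (flag any destination outside a short domain list), as an added example that is not part of the original thread and is not Symantec DLP's own matching logic: a Python sketch that estimates, from a list of requested URLs, which hosts such a policy would flag and how often. The function names, the subdomain-matching rule and the sample URLs are assumptions constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# Domains from the example in the thread; traffic to anything else is flagged.
ALLOWED_DOMAINS = {"google.com", "symantec.com", "espn.com"}

def host_of(url):
    """Return the lowercased hostname of a URL, without port or trailing dot."""
    if "://" not in url:
        url = "//" + url  # let urlsplit treat a bare host[:port]/path as a netloc
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()

def is_allowed(host, allowed=ALLOWED_DOMAINS):
    """True if host equals an allowed domain or is a subdomain of one.

    Matching on a label boundary (".google.com") is an assumption of this
    sketch; a plain substring or endswith test would also accept
    "notgoogle.com" and "google.com.example.net".
    """
    return any(host == d or host.endswith("." + d) for d in allowed)

def would_flag(urls, allowed=ALLOWED_DOMAINS):
    """Count requests per destination host that fall outside the allowlist."""
    flagged = Counter()
    for url in urls:
        host = host_of(url)
        if not is_allowed(host, allowed):
            flagged[host or "<no host>"] += 1
    return flagged

# Constructed sample of requested URLs (not real proxy data).
SAMPLE_URLS = [
    "https://www.google.com/search?q=dlp",
    "http://ESPN.com:80/scores",
    "https://support.symantec.com./kb",
    "https://yahoo.com/",
    "https://yahoo.com/mail",
    "https://notgoogle.com/",
    "https://google.com.example.net/login",
    "https://example.com/code",
]

if __name__ == "__main__":
    for host, count in would_flag(SAMPLE_URLS).most_common():
        print(f"{count:3d}  {host}")
```

The sketch matches on the host only, so a URL with a path such as https://example.com/code is judged by example.com alone.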



  • 5.  RE: Whitelist Domain Recipient Rule

    Posted Jul 04, 2018 11:21 PM

    How about white list https://example.com/code ?