Data Loss Prevention

 View Only
Back to discussions
Expand all | Collapse all

Keywords on Office documents not detected

  • 1.  Keywords on Office documents not detected

    Posted Apr 02, 2020 07:29 AM
    Hi team,

    We're using DLP Endpoint (both: Prevent & Protect)

    In our company, we use Titus to tag Office documents not only with visible watermarks but using two custom fields on document properties. Anyone can read those fields in Office (Document Properties > Advanced Properties > Custom fields)

    In particular, our company wants to prevent exfiltration for documents with specific values on thos fileds:


    FIELD         VALUE
    ======        ======
    DatClas1      Internal Use Only
    DatClas2      PII

    Then, I created a policy in the DLP console to detect & block any exfiltration attempt for documents with specific keywords on those fields.

    I configured a content matching condition based on keywords (Content Matches Keywords) using values in both fields: "Internal Use Only" and PII (we tested proximity between keywords from 5 to 999).

    However, when I test it, the documents can be exfiltrated without any detection (no blocks or incidents registered).

    Foremost, when content is tagged as watermarks in documents, everything works well. However, we need to protect documents tagged with this Custome filed in Office documents.

    Any suggestions?

    ------------------------------
    Juan
    ------------------------------


  • 2.  RE: Keywords on Office documents not detected

    Posted Apr 02, 2020 06:05 PM
    I just tried modifying rule as you can see below:

    Content Matches Keyword
    Case Sensitive: No
    Keyword Matches: Internal Use Only
    Match On Whole Word Only: Yes
    Match count: Count all matches and only report incidents with at least 1 matches
    Match On: Envelope, Subject, Body, Attachments



    I tested again, but the result is the same: no incidents registered on DLP. It appears that the DLP Endpoint agent cannot read this keyword in custom fields on Office documents.

    ------------------------------
    Juan
    ------------------------------

    Original Message


  • 3.  RE: Keywords on Office documents not detected

    Posted Apr 03, 2020 04:51 AM
    HI

    You have to enable metadata detection on the endpoint server .

    Please check the below link
    https://knowledge.broadcom.com/external/article?legacyId=TECH218860

    ------------------------------
    Fady Azab
    Senior Consultant
    CCIT GMBH
    ------------------------------

    Original Message


  • 4.  RE: Keywords on Office documents not detected

    Posted Apr 03, 2020 09:04 AM
    Thank you Fady,

    Yes, we did it. We enable medatadata detection on Endpoint server and Agent settings.

    BTW, even if we're using a specific set of keywords, we have to extract metadata format with filter utility?

    Thank you

    ------------------------------
    Juan
    ------------------------------

    Original Message


  • 5.  RE: Keywords on Office documents not detected

    Posted Apr 22, 2020 04:04 PM
    i believe not all of the property fields are inspectable by DLP.  I would first try inserting the keyword as plain text somewhere in a document.
    Confirm it is detected.  Then try inserting your keyword into all of the property fields, set the policy to count all instances, and compare what is detected and what is not.
    Original Message


  • 6.  RE: Keywords on Office documents not detected

    Posted Apr 24, 2020 07:23 PM
    I just checked the procedure to verify "file format metadata extraction support" using filter.exe utility.

    As a result, in output file appears data I want to configure on detection rule.

    ====== this is a summary of output file ====
    1 1 "Internal Use Only" DatClass1
    1 1 "PII" DatClass2
    ====== this is a summary of output file ====


    So, DLP can detect those values on metadata. 

    However, I test rule again, and nothing happens.

    Do you have any suggestions on rule configuration?

    Thank you in advance



    ------------------------------
    Juan
    ------------------------------

    Original Message


  • 7.  RE: Keywords on Office documents not detected

    Posted Apr 27, 2020 04:11 PM
    can you show us the policy?
    Original Message


  • 8.  RE: Keywords on Office documents not detected

    Posted Apr 28, 2020 11:29 AM
      |   view attached
    Thank you DLP Freak.

    Here is a snapshot of policy using word "CONFIDENCIAL".

    Thank you for help

    ------------------------------
    Juan
    ------------------------------

    Original Message


  • 9.  RE: Keywords on Office documents not detected

    Posted Apr 28, 2020 12:17 PM
    remove the sender group condition and test solely the keyword match rule.  The response rule should be fine to stay.  When testing put the keyword in the file properties where you want to detect as well as somewhere in the body of the file.
    Original Message


  • 10.  RE: Keywords on Office documents not detected

    Posted Apr 30, 2020 06:01 PM
    Hi DLP Freak

    I tried several combinations. When the keyword is in the document's body agent detects content and raises the incident. However, the detection of the keyword on metadata (MS Word) is not working.

    Any additional suggestions?

    Juan

    ------------------------------
    Juan
    ------------------------------

    Original Message


  • 11.  RE: Keywords on Office documents not detected

    Posted Apr 28, 2020 04:40 PM
    Thank you DLP Freak, I'll try removing "the sender group condition". 

    Just to clarify, after adjusting policy, must I force endpoint agents to retrieve these changes? or updating process is automatic?

    Thank you

    Juan

    ------------------------------
    Juan
    ------------------------------

    Original Message


  • 12.  RE: Keywords on Office documents not detected

    Posted Apr 29, 2020 08:17 AM

    The endpoint agents update automatically every 15 minutes by default.  FYI you can create an agent configuration which updates every minute and put test machines into it via an agent group.

     

    Jeffrey LeVasseur | Cybersecurity, Risk & Resiliency | Data Loss Prevention

    Balancing productivity with protection

     

    Travelers

    1 Tower Square, PB03 

    Hartford, CT 06183

    W: 860-954-0507 

     



                  

     

    This message (including any attachments) may contain confidential, proprietary, privileged and/or private information. The information is intended to be for the use of the individual or entity designated above. If you are not the intended recipient of this message, please notify the sender immediately, and delete the message and any attachments. Any disclosure, reproduction, distribution or other use of this message or any attachments by an individual or entity other than the intended recipient is prohibited.

    TRVDiscDefault::1201



    Original Message


  • 13.  RE: Keywords on Office documents not detected

    Posted May 07, 2020 01:30 PM
    Hi DLP Freak

    I tried several combinations. When the keyword is in the document's body agent detects content and raises the incident. However, the detection of the keyword on metadata (MS Word) is not working.

    Any additional suggestions?

    ------------------------------
    Juan
    ------------------------------

    Original Message


  • 14.  RE: Keywords on Office documents not detected

    Posted May 07, 2020 02:11 PM

    And you're positive you have the Endpoint Server configured to inspect metadata?

     

     

    Jeffrey LeVasseur | Cybersecurity, Risk & Resiliency | Data Loss Prevention

    Balancing productivity with protection

     

    Travelers

    1 Tower Square, PB03 

    Hartford, CT 06183

    W: 860-954-0507 

     



                  

     

    This message (including any attachments) may contain confidential, proprietary, privileged and/or private information. The information is intended to be for the use of the individual or entity designated above. If you are not the intended recipient of this message, please notify the sender immediately, and delete the message and any attachments. Any disclosure, reproduction, distribution or other use of this message or any attachments by an individual or entity other than the intended recipient is prohibited.

    TRVDiscDefault::1201



    Original Message


  • 15.  RE: Keywords on Office documents not detected

    Posted May 07, 2020 02:22 PM
    Yes, I double-checked this.

    ------------------------------
    Juan
    ------------------------------

    Original Message


  • 16.  RE: Keywords on Office documents not detected

    Posted May 07, 2020 02:30 PM

    I'm at a loss then.  Good luck.

     

    Jeffrey LeVasseur | Cybersecurity, Risk & Resiliency | Data Loss Prevention

    Balancing productivity with protection

     

    Travelers

    1 Tower Square, PB03 

    Hartford, CT 06183

    W: 860-954-0507 

     



                  

     

    This message (including any attachments) may contain confidential, proprietary, privileged and/or private information. The information is intended to be for the use of the individual or entity designated above. If you are not the intended recipient of this message, please notify the sender immediately, and delete the message and any attachments. Any disclosure, reproduction, distribution or other use of this message or any attachments by an individual or entity other than the intended recipient is prohibited.

    TRVDiscDefault::1201



    Original Message