There are two block statuses:
- A soft block can be released after incident mgmt. Primarily for DiM-Mail events and in case of some cloud events
- A hard block takes the original permanently out of the game
Soft Block after blocking action - proposed status - "in remediation" or similar.
In case it was a false positive after remediation, you can release the original or make sure the same situation will not be blocked again. In this case "closed/false-positive" or similar is probably what you want.
Hard block after blocking action - DLP activity is done - proposed status - "closed/true-positive" or similar.
In case it was a false positive anyway, the status can be changed to "closed/false-positive" or similar. In this case policy tuning is required.
In general you should create a "final state machine". I hope this was the answer you were looking for.
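The status workflow sketched in the reply above, written out as a small state machine. This is an added example, not code from the reply's author or from any DLP product; the status names, the `BlockType`/`Status` enums and the required follow-up actions are assumptions that follow the reply's wording (soft block goes through "in remediation", hard block closes directly; a false-positive closure on a soft block allows releasing the original or tuning the policy, on a hard block only policy tuning is left because the original is gone).

```python
"""Incident status state machine for DLP blocking events (added example)."""
from enum import Enum


class BlockType(Enum):
    SOFT = "soft"   # can be released after incident management
    HARD = "hard"   # original is permanently gone


class Status(str, Enum):
    NEW = "new"                                    # assumed initial status after the block
    IN_REMEDIATION = "in remediation"              # soft block only
    CLOSED_TRUE_POSITIVE = "closed/true-positive"
    CLOSED_FALSE_POSITIVE = "closed/false-positive"


# Allowed transitions per block type, as proposed in the reply.
TRANSITIONS = {
    BlockType.SOFT: {
        Status.NEW: frozenset({Status.IN_REMEDIATION}),
        Status.IN_REMEDIATION: frozenset({Status.CLOSED_TRUE_POSITIVE,
                                          Status.CLOSED_FALSE_POSITIVE}),
    },
    BlockType.HARD: {
        # DLP activity is done once the hard block fires: close as true positive,
        # and re-classify to false positive only if that turns out to be wrong.
        Status.NEW: frozenset({Status.CLOSED_TRUE_POSITIVE}),
        Status.CLOSED_TRUE_POSITIVE: frozenset({Status.CLOSED_FALSE_POSITIVE}),
    },
}


def required_followups(block_type, status):
    """Follow-up work a false-positive closure implies (assumed action names)."""
    if status is not Status.CLOSED_FALSE_POSITIVE:
        return frozenset()
    if block_type is BlockType.SOFT:
        # release the original, or tune the policy so it is not blocked again
        return frozenset({"release original", "tune policy"})
    return frozenset({"tune policy"})   # hard block: original cannot be released


class Incident:
    def __init__(self, incident_id, block_type):
        self.incident_id = incident_id
        self.block_type = block_type
        self.status = Status.NEW
        self.history = [Status.NEW]
        self.followups = frozenset()

    def allowed_next(self):
        return TRANSITIONS[self.block_type].get(self.status, frozenset())

    def is_closed(self):
        return self.status in (Status.CLOSED_TRUE_POSITIVE,
                               Status.CLOSED_FALSE_POSITIVE)

    def transition(self, new_status):
        """Move to new_status, rejecting anything the workflow does not allow."""
        if new_status not in self.allowed_next():
            raise ValueError(
                f"{self.incident_id}: {self.status.value!r} -> {new_status.value!r} "
                f"is not allowed for a {self.block_type.value} block"
            )
        self.status = new_status
        self.history.append(new_status)
        self.followups = required_followups(self.block_type, new_status)
        return self


if __name__ == "__main__":
    soft = Incident("INC-0001", BlockType.SOFT)   # constructed sample incident
    soft.transition(Status.IN_REMEDIATION).transition(Status.CLOSED_FALSE_POSITIVE)
    print(soft.status.value, sorted(soft.followups))

    hard = Incident("INC-0002", BlockType.HARD)   # constructed sample incident
    hard.transition(Status.CLOSED_TRUE_POSITIVE)
    print(hard.status.value, hard.is_closed())
```

Each incident carries its transition history, so an analyst can see why a status was reached; an attempt to put a hard-blocked incident "in remediation" raises an error instead of silently creating a status the workflow never defined.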
Original Message:
Sent: Jan 06, 2023 02:09 PM
From: LAXMAN SHRESTHA
Subject: how do we categorize blocking policy?
When the blocking policy in DLP blocks the incident, how do we categorize the incident? Should we change the status to false positive or something else? Please advise.