View or edit classifier settings

Use the Settings icon on the classifiers you can modify the condition's threshold.

This view displays the following:

1
Define the threshold for this content classifier: A condition’s threshold is the number of matches that trigger an incident. Select one of the following:
  • Use At least to select the minimum number of matches that must be made. Valid values are 1-999.
  • Use Between to select an exact range of matches that must be made. Valid values are 1-999.
  • Use No match to trigger the rule if there are no matches.

With dictionary classifiers, the weights of the dictionary’s phrases are considered when determining if a threshold is reached. See Create dictionary classifier section.

2
Define how to calculate the threshold: Select one of the following:
  • Count only unique matches for the transaction. Note that case differences are counted separately for word-related classifiers. For example, word, Word, and WORD would return 3 matches when this option is selected.
  • Count all matches, even duplicates
3
Analyzed fields: View and select the fields to search for this content classifier.
  • Select Search all available fields to search content fields that pose the highest risk of a policy breach. The fields are searched for the specified key phrases, regular expressions, dictionary terms, or fingerprints. This is the default.
  • Select Search specific fields to identify one or more fields to search. The fields apply mainly to the email destination channel.
    Field Description
    File/attachment Search files or attachments for each chosen destination channel.
    File metadata Search the metadata of files or attachments.
    Subject Search only the subject line of messages.
    Body Search only the main body of a messages.
    From Search only the From field of a message.
    To Search only the To field of a message (email only).
    Cc Search only the carbon copy field of a message (email only).
    Bcc Search only the blind carbon copy field of a message (email only).
    Other header (may by user-defined) Search in headers that are not covered by the above options:
    • Search in All headers not covered in the above options. Includes all standard headers—Date, Message-ID, or Importance—as well as nonstandard headers (x-headers, including x-mailer, x-spam-reason, and x-origin-ip) added during the sending of an email.
    • Search in User-defined header. Some organizations define x-headers to add custom information to the email message header. For example, they might create an x- header such as “X-MyCompany: Copyright 2017 MyCompany”.

      After selecting this option, enter the header name.

    If a selected field is not found in a transaction, it is ignored.

    For email messages, only sent email is analyzed. (When users save messages rather than sending them, breaches are not detected.)

    Some fields do not apply to all channels and are ignored for any non-applicable channel.