Policy Rule Wizard – Condition
Use the Condition tab of the Policy Rule wizard to define the rule:
- Use the drop-down box next to This rule monitors to select one of the following options:
  - To trigger the rule on any content without analysis, select All activities. This may lead to large numbers of incidents.
  - To monitor one or more specific classifiers, select Specific data, then use the in drop-down list to indicate when to trigger incidents.
    - Select all parts of the transaction as a whole to trigger an incident if the sum of all matches in the transaction exceeds the configured threshold. For example, if the threshold is 3, then a transaction with 2 matches in the message body and one match in the subject line triggers an incident.
    - Select each part of the transaction separately to trigger an incident only when the threshold is reached in any one part of the transaction. For example, there would have to be 3 matches in the body or 3 in the subject line or other message part for an incident to be triggered.
- Click Add, then use the drop-down list to:
  - Select Patterns & Phrases to add a regular expression, key phrase, script, or dictionary classifier.
  - Select File Properties to add a file name, type, or size classifier to the condition.
  - Select Fingerprint to add a file or database fingerprint classifier to the condition.
  - Select Machine Learning to add a machine learning classifier to the condition. Machine learning lets administrators provide examples of the data to protect, so the system can learn from them and identify items of a similar nature.
  - Define a Transaction Size to detect transactions of the specified size or larger.
  - Define a Number of Email Attachments (email transactions only) to detect email messages with a certain number of attachments or greater.
  - Define a Number of Email Destinations (email transactions only) to detect messages sent to a specified number of domains or greater.
To delete a condition from the rule, select the condition and click Remove.
To edit a condition’s threshold (the number of matches that trigger an incident), click a hyperlink in the Properties column. See also the Viewing or editing conditions and thresholds section.
With dictionary classifiers, the weights of the dictionary’s phrases are taken into account when determining if a threshold is reached. See the Adding a dictionary classifier section for more information.
- Repeat the previous step to add additional content classifiers, as needed.
- If more than one condition is defined, indicate when the rule should be triggered:
  - If all of the selected conditions must be matched to trigger the rule, select All conditions matched.
  - If only one of the selected conditions must be met, select At least one of the conditions matched.
  - To define conditions for the rule, select Custom, then:
    - Double-click a condition name to add it to the formula box.
    - Click the And, Or, or Not button to define a condition.
      Optionally add parentheses, as in any mathematical operation. For example:
      (1 AND 2) OR (3 AND 4) OR 5
      Each number corresponds to a condition (1 is the first condition, 2 is the second, and so on).
    - Double-click another condition name.
    - Continue until the condition is fully defined.
Click the information icon on the right of the box to view a precise description of the condition that has been defined.
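To check how a rule will behave before relying on it, the two threshold scopes and a Custom formula can be modeled offline. The following is an added example, not the product's own code: `condition_met` and `evaluate_formula` are hypothetical names, and the operator precedence (Not, then And, then Or) is an assumption that the page does not state.

```python
import re

SAMPLE_MATCHES = {"body": 2, "subject": 1}  # constructed: the page's threshold example

def condition_met(matches_by_part, threshold, scope):
    # "whole": sum over all parts; "each": one single part must reach the threshold.
    counts = list(matches_by_part.values())
    reached = sum(counts) if scope == "whole" else max(counts, default=0)
    return reached >= threshold

def evaluate_formula(formula, results):
    # results maps condition number -> bool. Assumed precedence: NOT, then AND, then OR.
    tokens = re.findall(r"\d+|AND|OR|NOT|[()]", formula.upper())
    if "".join(tokens) != re.sub(r"\s+", "", formula.upper()):
        raise ValueError("unexpected characters in formula")
    pos = 0
    def take(expected=None):
        nonlocal pos
        tok = tokens[pos] if pos < len(tokens) else None
        if expected is not None and tok != expected:
            return None  # not the wanted token: leave it in place
        pos += 1
        return tok
    def chain(op, operand, combine):
        value = operand()
        while take(op):
            rhs = operand()  # parse before combining so tokens are always consumed
            value = combine(value, rhs)
        return value
    def parse_or():
        return chain("OR", parse_and, lambda a, b: a or b)
    def parse_and():
        return chain("AND", parse_not, lambda a, b: a and b)
    def parse_not():
        if take("NOT"):
            return not parse_not()
        tok = take()
        if tok == "(":
            value = parse_or()
            if not take(")"):
                raise ValueError("missing ')'")
            return value
        if tok is None or not tok.isdigit():
            raise ValueError(f"unexpected token {tok!r}")
        return results[int(tok)]
    value = parse_or()
    if pos < len(tokens):
        raise ValueError("trailing tokens")
    return value
```

With `SAMPLE_MATCHES` and a threshold of 3, the "whole" scope raises an incident and the "each" scope does not, which is the gap to keep in mind when choosing between the two options.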