Viewing or editing conditions and thresholds

Click a hyperlink in the Properties column on the Condition tab of the custom policy wizard to view and edit the properties of a condition line, including the name, description, and a variety of other details.

Note: See the Fingerprint classifiers section for information about additional configurable properties that are unique to fingerprint classifiers.

Steps

  1. A condition’s threshold is the number of matches that trigger an incident. Select one of the following:
    • Use At least to select the minimum number of matches that must be made. Valid values are 1-999.
    • Use Between to select an exact range of matches that must be made. Valid values are 1-999.
    • Use No match exists to trigger the rule if there are no matches.

    With dictionary classifiers, the weights of the dictionary’s phrases are taken into account when determining if a threshold is reached. See the Adding a dictionary classifier section.

  2. Define how the threshold numbers are calculated:
    • Count only unique matches for the transaction. Note that case differences are counted separately for word-related classifiers. For example, word, Word, and WORD would return 3 matches when this option is selected.
    • Count all matches, even duplicates.
  3. Under Analyzed Fields, view and select the fields to search for this content classifier.
    • Select Search all available fields to search content fields that pose the highest risk of a policy breach. The fields are searched for the specified key phrases, regular expressions, dictionary terms, or fingerprints. This is the default.
    • Select Search specific fields to identify one or more fields to search. The fields apply mainly to the email destination channel.
    Field            Description
    File/attachment  Search files or attachments for each chosen destination channel.
    File metadata    Search the metadata of files or attachments.
    Subject          Search only the subject line of messages.
    Body             Search only the main body of a message.
    From             Search only the From field of a message.
    To               Search only the To field of a message (email only).
    Cc               Search only the carbon copy field of a message (email only).
    Bcc              Search only the blind carbon copy field of a message (email only).
    Other header     Search in headers that are not covered by the above options:

    • Search in All headers not covered in the above options. Includes all standard headers—Date, Message-ID, or Importance—as well as non-standard headers (x-headers, including x-mailer, x-spam-reason, and x-origin-ip) added during the sending of an email.
    • Search in User-defined header. Some organizations define x-headers to add custom information to the email message header. For example, they might create an x-header such as “X-MyCompany: Copyright 2017 MyCompany”.

    After selecting this option, enter the header name.

    If a selected field is not found in a transaction, it is ignored.

    For email messages, only sent email is analyzed. (When users save messages rather than sending them, breaches are not detected.)

    Some fields do not apply to all channels, and are ignored for any non-applicable channel.
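
The following Python sketch is an added illustration, not code from the product: it models how the threshold options in steps 1 and 2 and the field selection in step 3 interact for a single email. The sample message, the function names, the case-insensitive matching and the inclusive reading of Between are assumptions made for the example, and dictionary weights are not modelled.

```python
import re
from email import message_from_string

# Constructed sample message (not taken from the product documentation).
SAMPLE = """\
From: alice@example.com
To: bob@example.org
Subject: Word list
X-MyCompany: Copyright 2017 MyCompany

word, Word, and WORD appear here, and word appears again.
"""

def field_text(msg, field):
    """Return the text of one analyzed field, or None if the message lacks it."""
    if field == "Body":
        return msg.get_payload()
    return msg.get(field)  # Subject, From, To, Cc, Bcc or a user-defined header

def count_matches(raw, pattern, fields, unique):
    """Count hits of pattern in the selected fields (assumed case-insensitive)."""
    msg = message_from_string(raw)
    hits = []
    for field in fields:
        text = field_text(msg, field)
        if text is None:  # a selected field that is not found is ignored
            continue
        hits += re.findall(pattern, text, re.IGNORECASE)
    # Unique counting keeps case variants apart: word, Word, WORD -> 3 matches.
    return len(set(hits)) if unique else len(hits)

def triggers(count, mode, low=1, high=999):
    """Evaluate the step 1 threshold options against a match count."""
    for bound in (low, high):
        if not 1 <= bound <= 999:
            raise ValueError("valid values are 1-999")
    if mode == "at_least":
        return count >= low
    if mode == "between":  # assumption: both ends of the range are inclusive
        return low <= count <= high
    if mode == "no_match":
        return count == 0
    raise ValueError(f"unknown mode: {mode}")
```

With this sample, an At least 4 threshold on the Body field triggers when all matches are counted (4 hits) but not when only unique matches are counted (3 hits), which is the kind of difference worth testing before a policy is deployed.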