Forum Discussion

Paul_Doucette's avatar
Paul_Doucette
Copper Contributor
Sep 06, 2024

Incorrect alert information for DLP incidents being displayed

We have an *AND* statement within our DLP rules across the organization policy set where only one of the two conditions within the "AND" is firing and we're getting alerts that are not showing all th...
Paul_Doucette's avatar
Paul_Doucette
Copper Contributor
Sep 06, 2024

Paul_Doucette example of rule that is processed correctly but is displayed in alert limited

 

  • Vas_Stoev's avatar
    Vas_Stoev
    Copper Contributor
    Sep 06, 2024
    It is also important to note that the condition before the "OR" statement is using a high threshold count so that it only triggers above 100 detections. The statement after the "OR" operator is lower threshold, but it requires a dictionary SID match

Resources