This article gives instructions on how to properly configure and customize the filter settings in the Email DLP Admin Console in order to best suit your organization's environment.
This guide consists of the following parts:
1) Define Address Groups
2) Define Rule Groups
3) Define Filters
4) Define Encryption
1) Define Address Groups
a) Create Address Group
b) Edit Address Group
c) Delete Address Group
d) Synchronize email groups from G-Suite/Microsoft 365
a) Create Address Group
☆ 1 - Go to "Define Address Groups" under the "Account" menu in the left pane and click "+ Create".
☆ 2 - Fill in the "Group Name" and the list of email addresses in the "Addresses" field. Click "+ Create" to create the address group.
*Notes:
- Email addresses must be in lower case.
- Please input Envelope-To or Envelope-From addresses in mail groups.
- Address groups will be used in the "Define Filter" and the "Define Encryption Policy" steps.
b) Edit Address Group
You can add or edit email addresses in the address groups by clicking on the pencil icon on the right side as shown in the image below.
c) Delete Address Group
You can delete address groups by clicking on the trash bin icon on the right side as shown in the image below. A confirmation dialog will appear. Click "Delete" again to confirm deleting the address group.
*Note - If you delete an address group that is in use, the filters and encryption policies that use this address group will also be deleted.
2) Define Rule Groups
a) Create Rule Group
b) Add New Rule
c) Edit/Delete Rule
a) Create Rule Group
☆ 1 - Go to "Define Rule Groups" under the "Filter" menu in the left pane and click "+ Create" to create a new rule group.
☆ 2 - Enter the Group Name and click "+ Create"
b) Add New Rule
☆ 1 - Go to the rule group that you have just created and click on the arrow icon. Click on the plus sign to add a rule to the group:
1) Rule Name: Enter the rule name.
2) Priority: The priority must be between 1 and 99999. A lower value corresponds to a higher priority. Therefore, a rule with priority 3 will be prioritized over one with priority 4.
3) Action: Select the action such as:
- Send: Send the email right away.
- Suspend: Suspend the email for a period of time before sending.
- Discard: Discard the email right away.
4) Additional Information: When an action is selected, the additional information field will be displayed differently depending on the action selected.
- Additional Bcc recipients: You can specify the additional Bcc: header. Multiple email addresses can be specified using one address per line. You can add a maximum of five addresses.
- Encrypt attachments: You can specify whether the attachment file should be encrypted or not.
- Suspension Time (Minutes): If "Suspend" is selected, you are required to specify the period of time the email is going to be suspended before being sent automatically.
- Do not release the suspension automatically: You can determine whether the email shall remain suspended even if the Suspension Time has passed. If the checkbox is checked, the Suspension Timer will be disabled. Note that the email can remain in the suspension period for up to 10 days before being deleted.
- Visible to people in From Address Group: If this option is selected, when the email matches the rule, the email will be shown in the Suspension mailbox (Group) of other members who are in the same Address Group as the sender. Other members can "Send", "Discard", and "Stop" the email on behalf of the sender. (Reference: HENNGE Email DLP User Console Guide)
Note: If "Discard" is selected, the Additional Information will not be displayed.
☆ 2 - In the Additional Information section, there are a number of configurations as shown below:
1) Notification: Set a notification email to be sent to the sender.
2) Rule Conditions:
- Match all of the following (AND): Select this option to apply all the conditions you define for the filtering rule.
- Match any of the following (OR): Select this option to apply any one of the conditions you define for the filtering rule.
- Match all messages: Select this option to apply the conditions to all emails.
3) Target: Select one option below to specify the factor that you want to set the filter for.
- To: Email addresses in the To: field
- Cc: Email addresses in the Cc: field
- To/CC: Email addresses in the To: or Cc: field
- Subject: Subject of the email
- Optional Header: Specify to search for keywords only from emails with certain headers.
- Envelope-To: Email addresses in Envelope-TO header. Note that this refers to the RCPT TO part of the SMTP communication.
- Envelope From: Email addresses in Envelope-FROM header.
- Message Body(include attachment(s)): Select this option to inspect for the keywords contained in the message body and attachments.
- Attachment: Select this option to check if the attachment exists or not.
If one of (To:) or (Cc:) or (To/Cc:) is selected, you will be given two options for specifying the type of pattern.
- Email Address: Specify by email address (example of the value in Pattern field: "aaa@example.com")
- Domain Part: Specify by domain address (example of the value in Pattern field: "@example.com")
If "Optional Header" is selected, the field for specifying the header to filter will appear as shown above. You can refer to this article for how to set Optional Header: What is Optional Header for?
4) Predicate: Select the option as a predicate between the Target and Pattern fields:
- exists: Apply the rule if the value in the Pattern field exists in the Target selected.
- does not exist: Apply the rule if the value in the Pattern field does not exist in the Target selected.
- matches regular expression: Apply the rule if the Target matches the regular expression value specified in the Pattern field.
- does not match the regular expression: Apply the rule if the Target does not match the regular expression value specified in the Pattern field.
- exists in address group: Apply the rule if the Target exists in the address group.
Note that if the "exists in address group" option is selected, the Pattern field will appear for you to specify the Address Group.
If "Attachment" is selected in the Target field, the following options will appear in Predicate.
- with filename: Apply the rule if the value set in the Pattern field is found in the filename of the attachment.
- with Content-Type: Apply the rule if the value set in the Pattern field is found in the content-type of the attachment.
- are all password-protected data: Apply the rule if all attachments are password-protected data.
- contains password-protected data: Apply the rule if one or more attachments are password-protected data.
5) Pattern: Enter the email address, domain address, keyword, or regular expression you wish to apply as a rule condition.
The following separators and regular expressions can be used in this field:
- (|) Vertical bar separator: this acts as a logical OR. (Example: "aaa@example.com|bbb@example.com" will specify both "aaa@example.com" and "bbb@example.com")
- Regular expression: can be used to substitute for any other character or specific characters in the string.
* The preceding item will be matched zero or more times.
? The preceding item is optional and matched at most once.
[...] A bracket expression: It matches any single character in the list.
[...,...,...] A set expression: It matches any set of characters in the list.
*Notes
- It may take longer for the HENNGE Email DLP system to inspect an email if you use a regular expression that matches most characters and numbers, such as ".*".
- If the Predicate is selected as "matches regular expression" or "does not match regular expression", it allows a query to search emails using the regular expression as defined in rex.
6) Count: Specify the frequency of the value you have entered in the Pattern field. For instance, if the keyword "Confidential" is set in the Pattern field and the Count is set to "3", this rule will be applied to emails that contain the word "Confidential" more than 3 times.
*Note - You can set the "Count" when the "Target" is NOT "Attachment" and the "Predicate" is one of the following: "exists", "matches regular expression" or "does not match regular expression".
☆ 3 - If you want to add another "Rule Conditions", click the "+ Add" button on the right side.
1) Message Size(KB): You can specify the size of the email messages you want to apply the rule to. The rule will be applied when the message is larger than the specified size.
After specifying all the conditions, click "+ Add" to create the Rule.
☆ 4 - If you want to add a new Rule to the Rule Group, click the Plus sign on the bottom right of the Rule Group.
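A small offline model of the rule semantics described above, for dry-running a planned rule set against sample messages before entering it in the console. This is an added example, not HENNGE code; the `Condition` and `Rule` classes, the first-match-wins evaluation, case-sensitive keyword matching, and the use of Python's `re` dialect are assumptions.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Condition:
    target: str     # message field: "to", "subject", "body", "envelope_to", ...
    predicate: str  # "exists", "does not exist", "matches regular expression",
                    # or "exists in address group" (the four modeled here)
    pattern: str    # keyword(s), regular expression, or address group name
    count: int = 0  # page wording: applies when occurrences exceed Count

@dataclass
class Rule:
    name: str
    priority: int   # 1..99999; a lower value is a higher priority
    action: str     # "Send", "Suspend" or "Discard"
    mode: str       # "AND", "OR" or "ALL" (match all messages)
    conditions: list = field(default_factory=list)

def condition_matches(cond, message, groups):
    value = message.get(cond.target, "")
    if cond.predicate == "exists in address group":
        members = groups.get(cond.pattern, set())  # group entries are lower case
        return any(a.strip() in members for a in value.lower().split(","))
    if cond.predicate == "matches regular expression":
        return len(re.findall(cond.pattern, value)) > cond.count
    # "|" in the Pattern field is a logical OR between literal values
    hits = sum(value.count(p) for p in cond.pattern.split("|"))
    return hits == 0 if cond.predicate == "does not exist" else hits > cond.count

def first_matching_rule(rules, message, groups):
    # Assumption: rules are tried in priority order and the first match decides.
    for rule in sorted(rules, key=lambda r: r.priority):
        results = [condition_matches(c, message, groups) for c in rule.conditions]
        if (rule.mode == "ALL" or (rule.mode == "AND" and all(results))
                or (rule.mode == "OR" and any(results))):
            return rule
    return None

# Constructed sample data (not taken from any real tenant).
GROUPS = {"partners": {"buyer@partner.example"}}
RULES = [
    Rule("default-send", 99999, "Send", "ALL"),
    Rule("partner-send", 20, "Send", "AND",
         [Condition("envelope_to", "exists in address group", "partners")]),
    Rule("hold-confidential", 10, "Suspend", "AND",
         [Condition("to", "exists", "@example.org|@example.net"),
          Condition("body", "exists", "Confidential", count=3)]),
    Rule("discard-card-numbers", 5, "Discard", "OR",
         [Condition("body", "matches regular expression", r"\b(?:\d{4}-){3}\d{4}\b")]),
]
```

With Count set to 3, a body containing "Confidential" exactly three times falls through to the catch-all rule, which is the boundary worth checking when choosing a Count value.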
c) Edit/Delete Rule
☆ - You can edit the rule by clicking on the gear icon. You can delete the rule by clicking on the trash bin icon as shown below.
3) Define Filters
a) Create Filter
b) Edit/Delete Filter
a) Create Filter
☆ 1 - Go to "Define Filter" under the "Filter" menu in the left pane. Click "+ Create" to create a new Filter.
☆ 2 - In the "Create Filter" window, you can specify the following:
1) Priority: The priority must be between 1 and 99999. A lower value corresponds to a higher priority.
2) Sender: Select the Address Group for the filter. You can select "All" if you wish for the rule to be applied to all senders.
3) Recipient: Select the Address Group for the filter. You can select "All" if you wish for the rule to be applied to all recipients.
4) Rule Group: Select the Rule Group.
b) Edit/Delete Filter
☆ - You can edit the filter by clicking on the gear icon. You can delete it by clicking on the trash bin icon as shown below.
4) Define Encryption
a) Create Encryption Type
b) Edit/Delete Encryption Type
c) Create Encryption Policy
a) Create Encryption Type
☆ 1 - Go to "Define Encryption Type" under the "Encryption" menu in the left pane. Click "+ Create" to create a new encryption type.
1) Name: Enter the encryption type name.
2) Password Type: You have the option of selecting a password generated randomly every time, or using a fixed password.
3) Encoding of Filename: This will be the encoding type for the ZIP encryption of the attachment.
4) Notification: You can select the encryption password to be sent to the sender and/or the recipient.
5) ZIP Filename: The filename of the resulting ZIP-encrypted file.
6) File Extensions Not Encrypted: File extensions to exclude from ZIP encryption.
b) Edit/Delete Encryption Type
☆ - You can edit the encryption type by clicking on the gear icon. You can delete it by clicking on the trash bin icon as shown below.
c) Create Encryption Policy
☆ 1 - Go to "Define Encryption Policy" under the "Encryption" menu in the left pane. Click "+ Create" to create a new encryption policy.
1) Priority: The priority must be between 1 and 99999. A lower value corresponds to a higher priority.
2) Sender: Select the Address Group for the filter. You can select "All" if you wish for the rule to be applied to all senders.
3) Recipient: Select the Address Group for the filter. You can select "All" if you wish for the rule to be applied to all recipients.
4) Encryption Type: Select the encryption type that will be applied for the created encryption policy.