Creating the HENNGE Email DLP Rule

Target

This article is intended for administrators who perform the initial setup and operational management of HENNGE Email DLP.

Purpose

This article explains how to create rules for HENNGE Email DLP.

Notes

1. The content of this article is based on the product specifications as of July 2023 and is subject to change without notice.

2. Viewing the actual screens and changing the configuration require administrator privileges for HENNGE Email DLP. Refer to the following article for administrator setup:

Setting Up/Changing Administrators

3. The URL for the HENNGE Email DLP administration screen varies by customer tenant.

Example Access URL: https://console.mo.hdems.com/#/admin/[ Main Domain ]

4. It is necessary to create the relevant rule groups in advance.

Creating Rule Groups

Detailed Explanation / Procedure

Rule-related settings can be found in HENNGE Email DLP by logging in with an administrator account and navigating to the left menu [ Filter Settings ] - [ Rule Groups ].

Table of Contents

1. Individual Rule Creation Method

2. Bulk Rule Creation Method

3. Rule Configuration Items

3.1. Group Name

3.2. Rule Name

3.3. Description

3.4. Priority

3.5. Action

3.6. Notifications

3.7. Rule Conditions

3.8. Message Size

1. Individual Rule Creation Method

1.1. Select the target rule group.

1.2. Select [ + Create New Rule ].

1.3. Enter each item and select [ + Create ].

2. Bulk Rule Creation Method

Rules can be created in bulk by importing a YAML or JSON file.

YAML File Example:

version: 1
rule_groups:
- name: External Recipient Rule
  rules:
  # Rules are evaluated from the smallest priority number; the first match wins.
  - priority: 100
    name: Hold for 5 Minutes if All Files Are Password Protected
    action:
      type: suspend
      attribute:
        auto_release: true
        duration: 5m
    predicate: and
    predicates:
    - target: attachment
      predicate: all-password-protected-data
      pattern: ""
      count: 0
  - priority: 110
    name: Delete if ZIP Is Attached
    action:
      type: delete
      attribute: {}
      notifies:
      - type: notify_sender
    predicate: and
    predicates:
    - target: attachment
      predicate: filename-match
      # The file name pattern must match at least `count` times.
      pattern: \.zip$
      count: 1
  - priority: 120
    name: Hold for 5 Minutes + HENNGE Secure Download
    action:
      type: suspend
      attribute:
        auto_release: true
        duration: 5m
      secure_transfer: true
    # No conditions: applies to every email not matched by an earlier rule.
    predicate: all

For how to create the import data in YAML or JSON, and for the difference between creating new rules and overwriting existing ones, refer to the following pages:

Creating Import Data (Setting File) for Email DLP

Differences Between Overwriting and Creating in Import Methods

3. Rule Configuration Items

3.1. Group Name

The rule group name will be automatically entered.
In this procedure, you cannot change the rule group name.
If you want to edit the rule group name, refer to the following article:
Editing Rule Groups

3.2. Rule Name

Enter any name you want.
The name is substituted for the insertion tag ((%RULE-NAME%)), which can be used in notifications (filters).

※ The rule name must be 256 characters or fewer.

3.3. Description

Enter a description. This field is optional.
The description is substituted for the insertion tag ((%RULE-DESCRIPTION%)), which can be used in notifications (filters).

※ The rule description must be 1024 characters or fewer.

3.4. Priority

Set the priority of the rule you want to create.

Rules are evaluated in ascending order of priority number, starting with the smallest. Once a rule matches, no further rules are evaluated.

Priority can be specified in the range of 1 to 99999.

3.5. Action

3.5.1. Choose one of the following actions.

Send: The email will be sent immediately without being held.

Hold: The email can be held for 1 to 999 minutes, or you can select [Do not send automatically].
If [Do not send automatically] is set, the email is automatically deleted after 10 days if it is neither sent nor deleted.
If you check [Allow sender address group members to perform the operation], other users belonging to the same address group as the sender can operate on the held email (view, send, delete).

Approval Request: Sent emails are held until they are approved by the approver configured in advance for the address group.
If no approval is obtained within 10 days, the email is automatically deleted.
For setting approval requests, refer to the following article:
Setting Approval Requests

Delete: Sent emails will be deleted on the HENNGE Email DLP.

3.5.2. The following sub-actions can be set in combination with Send / Hold / Approval Request.

Add Bcc: Can be set in combination with Send / Hold / Approval Request.
The email is sent with the preconfigured addresses added as Bcc.
Up to 5 addresses can be set. To set multiple addresses, enter each address on a separate line.

Attachment File: Can be set in combination with Send / Hold / Approval Request.
The following two options in this menu are displayed only for customers who have the corresponding functionality enabled:
"Sent using HENNGE Secure Download (HSD)", "Sent using HENNGE Secure Download for Box (HSDB)"
Choose one of the following:

・Sent using HENNGE Secure Download (HSD): Attachment files will be sent using the HENNGE Secure Download functionality.

・Sent using HENNGE Secure Download for Box (HSDB): Attachment files will be sent using the HENNGE Secure Download for Box functionality.

・Send with ZIP encryption: Attachment files will be sent with ZIP encryption.
If you choose "Send with ZIP encryption," the encrypted file name and encoding method must be set in the encryption type definition.
Create an Encryption Type Definition

・Send as is: Attachment files will be sent as is.

Additionally, if you check [Test Mode], you can confirm whether the rule is applied as intended under the specified conditions while the current rule configuration remains the same.
For information about Test Mode, refer to the following article:
Using Test Mode to Validate New Rules

3.6. Notifications

If you check this, a notification will be sent to the sender indicating that the action (Send / Hold / Approval Request / Delete) has been applied.
For information on creating notifications, refer to the following article:
Creating Notifications (Filters)

3.7. Rule Conditions

Set the conditions under which the previously configured actions (Send / Hold / Approval Request / Delete) and sub-actions (ZIP encryption / HENNGE Secure Download, etc.) are applied.

3.7.1. Rule Conditions

Choose one of the following:

All of the following conditions match (AND): The rule will be applied only if all defined conditions are met.

Any of the following conditions match (OR): The rule will be applied if at least one of the defined conditions is met.

All (no conditions set): Select this option if you want to apply the rule to all emails without setting conditions.

 

3.7.2. Add

If you choose "All of the following conditions match (AND)" or "Any of the following conditions match (OR)", add conditions.

3.7.3. Target

Targets can be set in combination from the following:

To: To header.

Cc: Cc header.

Bcc: Bcc header.

※ Only emails addressed to Bcc can be detected for the Bcc header.

To / Cc: To and Cc headers.
※ If you select "To", "Cc", or "To / Cc", radio buttons appear for choosing whether to target email addresses or domain parts.

Subject: Subject header.

Any Header: Specify the header to search in. An input field for the header name is displayed, so enter the header you want to target, such as "Content-Type".

Envelope Recipient: Envelope To address. This is the address from the RCPT TO: in SMTP communication.

Envelope Sender: Envelope From address. This is the address from the MAIL FROM: in SMTP communication.

Body (including attachments): Targets the email body and attachments.
For details on which attachment files are searched, refer to the following article:
Search Target for Filter Rule "Body (including attachments)" Condition

Attachment File: Targets only attachment files.

 

3.7.4. Conditions

Choose one of the following conditions:

Exists: The action will be executed if some value exists for the specified target.

Does not exist: The action will be executed if no value exists for the specified target.

Matches regular expression: The action will be executed if the value of the specified target matches the regular expression condition and matches a certain number of times or more.

Does not match regular expression: The action will be executed if the value of the specified target does not match the regular expression condition and matches a certain number of times or more.

 

3.7.5. Target Options

If you choose "To", "Cc", or "To/Cc" as the target, you can set the following options:

Exists in address group: The action will be executed if the email address included in the specified target exists in a specific address group. The specific address group can be selected from "Pattern."

If you choose "Attachment File" as the target, the following options will be displayed:

Exists: The action will be executed if attachment files exist.

Does not exist: The action will be executed if attachment files do not exist.

Regular Expression for File Name: The action will be executed if the search string is found in the file name of the attachment files.

Content-Type specification: The action will be executed if the search string is found within the content type of the attachment files.

At least one is password protected: The action will be executed if one or more attachment files are password protected.

All are password protected: The action will be executed if all attachment files are password protected.

※ In HENNGE Email DLP, it is possible to detect password protection of common business documents.

・The supported extensions are .zip / .docx / .doc / .xlsx / .xls / .pptx / .ppt / .pdf.

・For extensions other than those listed above, verify the behavior in advance before use.

・For PDF and ZIP files, detection depends on the application or environment used to create the file, and in some cases a file is not detected as "password protected."

 

3.7.6. Pattern

Set patterns for the specified conditions.

Enter search strings for the patterns in the "Pattern" field.
If you set "Matches regular expression" or "Does not match regular expression" in "Conditions," you can use the regular expressions defined on the following Help Center page for searching.

Reference: Setting Rule Conditions with Regular Expressions
Reference: Syntax of Regular Expressions

If you choose "Exists in address group" in "Conditions," you can select an address group. Enter the search string.

3.7.7. Frequency

Enter the number of times that the pattern in "Pattern" matches or does not match (depending on "Conditions").
The action will be executed if the pattern matches the specified number of times or more in "Conditions."

3.8. Message Size

Specify the size of the email message to which you want to apply the rule.
The rule is applied when the message size is larger than the specified size. (The size is judged on the email as a whole, not only on its attachments.)
※ "Rule Conditions" and "Message Size" are combined conditions: the action is executed only if both match.
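
The following sketch is an added example, not HENNGE's code: it models the first-match evaluation described in 3.4 and the AND / OR / All conditions of 3.7 on the three rules from the YAML example in section 2, so that an administrator can check which rule fires for a given message and whether an unconditional rule shadows the ones after it. The message dictionaries, the function names, the treatment of messages without attachments, and the absence of a Message Size condition are assumptions made for illustration.

```python
import re

# Constructed rules reusing the field names of the YAML example in section 2.
RULES = [
    {"priority": 120, "name": "Hold for 5 Minutes + HENNGE Secure Download",
     "predicate": "all"},
    {"priority": 100, "name": "Hold for 5 Minutes if All Files Are Password Protected",
     "predicate": "and", "predicates": [
         {"target": "attachment", "predicate": "all-password-protected-data",
          "pattern": "", "count": 0}]},
    {"priority": 110, "name": "Delete if ZIP Is Attached",
     "predicate": "and", "predicates": [
         {"target": "attachment", "predicate": "filename-match",
          "pattern": r"\.zip$", "count": 1}]},
]

def condition_matches(cond, message):
    """Evaluate one attachment condition against a constructed message dict."""
    files = message.get("attachments", [])
    if cond["predicate"] == "filename-match":
        # Frequency: the pattern must match `count` times or more.
        hits = sum(len(re.findall(cond["pattern"], f["name"])) for f in files)
        return hits >= cond["count"]
    if cond["predicate"] == "all-password-protected-data":
        # Assumption: a message with no attachments does not satisfy "all".
        return bool(files) and all(f["protected"] for f in files)
    raise ValueError("unsupported predicate: " + cond["predicate"])

def rule_matches(rule, message):
    if rule["predicate"] == "all":  # "All (no conditions set)"
        return True
    results = [condition_matches(c, message) for c in rule["predicates"]]
    # Anything other than "and" is treated as OR here (assumed value name).
    return all(results) if rule["predicate"] == "and" else any(results)

def first_match(rules, message):
    """Smallest priority number is checked first; the first match ends filtering."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule_matches(rule, message):
            return rule["name"]
    return None

def shadowed(rules):
    """Rules that can never fire because an unconditional rule is checked earlier."""
    ordered = sorted(rules, key=lambda r: r["priority"])
    for i, rule in enumerate(ordered):
        if rule["predicate"] == "all":
            return [r["name"] for r in ordered[i + 1:]]
    return []
```

Under these assumptions a password-protected ZIP is held by the priority 100 rule and never reaches the ZIP deletion rule at priority 110, which is the kind of ordering effect worth checking before an import.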

          