Creating Data Leak Protection Policy Rules

Data Leak Protection (DLP) helps protect your organization's data from potential data breaches or data ex-filtration transmissions. Data Leak Protection can scan emails and text messages posted on cloud application email and storage platforms, and detect data patterns that should not be shared with unauthorized persons or targets. For more information, see Using Data Leak Protection.

To create a DLP policy rule

1. In the Rule Name field, enter the name you want to use to identify the rule.
2. From the Mode dropdown list, select the mode in which you want the DLP policy rule to operate:
   • Monitor only
   • Detect and Prevent (cloud application storage only)
   • Protect (Inline) (email only)
3. In the Scope section, either:
   • Select All users and groups (all licensed users) to have the policy rule either apply to all users.
   • In the Specific users and groups list, select the specific users or user groups to which the policy should apply or be excluded from being applied.
4. In the DLP Criteria section:

   1. From the DLP Rules list, select the detection rules you want applied:

      • PII
      • PHI
      • Financial
      • Encrypted Content
      • Access Control
      • Intellectual Property
      • PCI
      • Resume
      • SOX
      • HIPAA

      For more information about the predefined DLP policy rules, refer to Predefined Data Leak Protection Policy Rules.

   2. From the Sensitivity list, select the sensitivity (based on the hit count) to be used to apply the rules.
   3. Select Skip internal items to have the rules not applied to items not shared with external users.

   Depending on the type of cloud application and the Mode, you may see a different set of options in the Advanced section.

5. In the Advanced > Actions section:

   1. Select Send files with sensitive data to vault to send the affected files to a secure vault location.

      A vault is a secure location accessible only to users with specific access privileges (such as a data privacy team). It is a different location that the quarantine area defined in your Cloud App Security cloud application configuration.

   2. Select Alert admin(s) to notify administrators when a possible leak is detected.
      • Click the gears icon to modify the email message sent to administrators.
      • Click the users icon to select which administrators should receive the message.
   3. Select Alert file owner to notify the user sharing the file when a possible leak is detected.
      • Click the gears icon to modify the email message sent to the file owner.
   4. Select Quarantine drive files to quarantine detected files to the quarantine folder defined in your Cloud App Security configuration.
6. From the DLP Workflow list, select which action should be taken when a possible leak is detected:
   • Email is blocked. User is alerted and allowed to request a restore (admin must approve)
   • Email is blocked. User is alerted and allowed to restore the email
   • Email is allowed. Header is added to the email

   • Email is allowed. Encrypted by Microsoft

     This action is only visible and available if you subscribe to Microsoft encryption services and have encryption enabled.

     Encrypted Office 365 and Microsoft 365 Email support requires that you have the necessary Office 365 and Microsoft 365 or Exchange Online subscription level from Microsoft and a Cloud App Security Advanced license from SonicWall.

     For more information about using Encrypted Office 365 and Microsoft 365 Email support with Cloud App Security, refer to Working with Office 365 and Microsoft 365 Email Encryption.

   • Do nothing
7. In the Advanced > Alerts section:
   1. Select Send email alert to notify specific users when a possible leak is detected.
      • Click the gears icon to modify the email message sent to the file owner.
8. Click Save and Apply.