Create end user lookup rules

  • Release version: Xanadu
  • Updated August 1, 2024
  You can create and configure end user lookup rules and assign the DLP incidents to the respective end users based on those rules.

    Before you begin

    Role required:
    • sn_dlir.admin - Create, edit, and delete.
    • sn_dlir.analyst and sn_dlir.analyst_read - View (read-only).

    About this task

    The DLP admin defines these end user lookup rules to automatically assign the end users to DLP incidents using only the end user field. The DLP end user lookup rule enables you to assign the end user on DLP incidents based on End user identifier, Custom attributes, or Script.

    Procedure

    1. Navigate to All > DLP Administration > DLP End User Lookup Rules.
    2. Click New.
    3. On the form, fill in the fields.
      Table 1. DLP End User Lookup Rule form
      Field | Description
      Name | Name for the end user lookup rule.
      Active | Option to indicate whether the end user lookup rule is active.
      Execution order | The end user lookup rule priority. This field indicates the order in which the end user lookup rules are executed when two or more rules share the triggering conditions.

      The end user lookup rule with the lowest number has the highest priority. To set the order of operation, enter a value. For example, 100, 200, 300, and so on.

      The default value is 100.

      Description | Unique description for the end user lookup rule.
      Condition | Conditions in the condition builder. These conditions are based on the DLP incident table. To build a condition for the end user lookup rule, select any of the incident fields.

      Use the lists and fields of the condition builder to set the filters for the first row.

      To add more conditions, click AND or OR.
      • If AND is selected, all conditions must be matched.
      • If OR is selected, either condition can be matched.

      To set a second filter condition, click New Criteria.

      For example, you can set the conditions for this end user lookup rule by selecting the condition as Integration Source, contains, Symantec.

      Note:
      The conditions in the condition builder are case sensitive.
      Lookup end user by using | Option to look up the end user by using Incident field or Script.
      End User Identifier | The end user identifier of the DLP incident. This field appears when Incident field is selected from the Lookup end user by using field. You can select an end user identifier from the following:
      • Data owner email
      • Destination
      • File created by
      • File modified by
      • File owner
      • FTP user name
      • Sender
        Note:
        The above listed end user identifiers are configurable using the system property sn_dlir.assignment.fields. For more information, see Configure advanced settings.
      • Custom user from incident
      Custom attribute | Option to specify a custom attribute from the incident that has the reference to a user. This field appears only when Custom user from incident is selected from the End User Identifier field.
      Script | You can use the script editor to customize and format the field values during the end user lookup rule creation. For example, you can use the email address field to identify the end user.

      The following example shows an end user lookup rule with the name 'Symantec'. The condition builder requires the 'Integration Source' as 'Symantec'. The Lookup end user by using option is set to 'Incident field', and the End user identifier option is set to 'File Modified by'.
      Figure 1. DLP End User lookup rule
    4. Click Submit.
      You can also select one or more end user lookup rules and reapply them to all existing DLP incidents.
    5. To reapply an end user lookup rule on all existing DLP incidents, click Reapply.
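
How Execution order and the case-sensitive condition builder interact, as an added example that is not ServiceNow's code: a stand-alone JavaScript model of rule selection. The field names, rules, users and incidents are constructed, and the first-match behaviour is an assumption about how ordered rules resolve.

```javascript
// Added illustration: a stand-alone model, not ServiceNow platform code.
// Field names, rules, users and incidents below are constructed sample data.
const rules = [
  { name: 'Disabled rule', active: false, order: 50,
    condition: null, identifier: 'file_owner' },
  { name: 'Fallback to sender', active: true, order: 200,
    condition: null, identifier: 'sender' },          // no condition: matches all
  { name: 'Symantec', active: true, order: 100,
    condition: { field: 'integration_source', contains: 'Symantec' },
    identifier: 'file_modified_by' },
];

const users = new Map([
  ['a.lee@example.com', 'Alex Lee'],
  ['b.ray@example.com', 'Blake Ray'],
]);

const incidents = [
  { number: 'DLP0001', integration_source: 'Symantec DLP',
    file_modified_by: 'a.lee@example.com', sender: 'b.ray@example.com' },
  { number: 'DLP0002', integration_source: 'symantec dlp',   // lower-case source
    file_modified_by: 'a.lee@example.com', sender: 'b.ray@example.com' },
  { number: 'DLP0003', integration_source: 'Symantec DLP',
    file_modified_by: 'unknown@example.com', sender: '' },
];

// Case-sensitive "contains", per the note on the Condition field.
function matches(rule, incident) {
  if (!rule.condition) return true;
  return String(incident[rule.condition.field] || '').includes(rule.condition.contains);
}

// Assumption: active rules run in ascending Execution order, and the first
// matching rule whose identifier resolves to a known user sets the end user.
function resolveEndUser(incident, ruleSet = rules) {
  const ordered = ruleSet.filter(r => r.active).sort((a, b) => a.order - b.order);
  for (const rule of ordered) {
    if (!matches(rule, incident)) continue;
    const user = users.get(incident[rule.identifier]);
    if (user) return { rule: rule.name, endUser: user };
  }
  return { rule: null, endUser: null };                 // incident stays unassigned
}

for (const inc of incidents) {
  console.log(inc.number, resolveEndUser(inc));
}
```

In this model the lower-case source value on DLP0002 misses the 'Symantec' condition and the incident is attributed by the broader fallback rule to a different user, which is the kind of silent misassignment worth checking for after creating or reapplying rules.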