Create repeat offender identification rules
Create repeat offender identification rules to identify users who repeat the same issue multiple times.
Before you begin
- sn_dlir.admin
- sn_dlir.analyst and sn_dlir.analyst_read
About this task
You can identify repeat offenders by using certain rules or criteria. Data Loss Prevention Incident Response provides fields that you can use to identify repeat offenders.
Procedure
- Navigate to All > DLP Administration > Repeat offender identification rules.
- Click New.
- On the form, fill in the fields.

Table 1. Repeat offender identification rules form

| Field | Description |
| --- | --- |
| Name | Name of the repeat offender identification rule. |
| Execution order | Priority of the repeat offender identification rules. This field indicates the order in which the repeat offender identification rules are executed when two or more rules share the triggering conditions. The repeat offender identification rule with the lowest number has the highest priority. To set the order of operation, enter a value. For example, 100, 200, or any other number. The default value is 100. |
| Short description | Unique description for this repeat offender identification rule. |
| Condition | Conditions in the condition builder that are based on the DLP incident table. You can select any of the incident fields for building the trigger condition for the repeat offender identification rule. Use the lists and fields of the condition builder to set the filters for the first row. To add more conditions, click AND or OR. If AND is selected, all conditions must be matched. If OR is selected, either condition can be matched. To set a second filter condition, click New Criteria. Note: The conditions in the condition builder are case sensitive. |
| DLP fields | Identify repeat offenders based on the required DLP fields. Select the DLP fields that you want to use from the Available column and move them to the Selected column. For example, you can select the File Name and File Owner fields from the Available column and move them to the Selected column. Then, you can identify the repeat offenders based on the File Name and File Owner fields. Thus, if a user breaches the repeat offender threshold (number of violations and duration), and if the same user matches with the DLP fields, then that particular user is identified as a repeat offender. |
| Number of violations | Define the repeat offender threshold limit value. After the user repeats the same actions and breaches the specified number of violations, the user is identified as a repeat offender. |
| Duration (in days) | Define the repeat offender threshold limit in the form of days. After the user repeats the same actions and breaches the threshold duration, the user is identified as a repeat offender. |

- Click Submit.
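The following is an added illustration, not ServiceNow code, of how the Condition, DLP fields, Number of violations, and Duration (in days) settings combine to flag a user. The incident field names, the rule object shape, and the sample incidents are constructed; it also assumes that reaching the configured number of violations inside a sliding window of the configured days counts as breaching the threshold.

```javascript
// Illustrative model only. Field names and the rule shape are assumptions.
const DAY_MS = 24 * 60 * 60 * 1000;
const inc = (user, file_name, file_owner, opened) =>
  ({ user, file_name, file_owner, opened });

// Constructed sample incidents.
const incidents = [
  inc('alice', 'payroll.xlsx', 'hr', '2024-03-01'),
  inc('alice', 'payroll.xlsx', 'hr', '2024-03-04'),
  inc('alice', 'payroll.xlsx', 'hr', '2024-03-06'),
  inc('alice', 'notes.txt',    'hr', '2024-03-05'), // different DLP field value
  inc('bob',   'payroll.xlsx', 'HR', '2024-03-01'), // 'HR' fails the
  inc('bob',   'payroll.xlsx', 'HR', '2024-03-02'), // case-sensitive
  inc('bob',   'payroll.xlsx', 'HR', '2024-03-03'), // condition below
  inc('carol', 'payroll.xlsx', 'hr', '2024-01-01'), // matches, but spread
  inc('carol', 'payroll.xlsx', 'hr', '2024-02-15'), // over more than
  inc('carol', 'payroll.xlsx', 'hr', '2024-03-20'), // seven days
];

const rule = {
  condition: (i) => i.file_owner === 'hr',  // trigger condition, case sensitive
  dlpFields: ['file_name', 'file_owner'],   // "Selected" column
  violations: 3,                            // Number of violations
  durationDays: 7,                          // Duration (in days)
};

function findRepeatOffenders(rule, incidents) {
  // Group matching incidents by user plus the selected DLP field values.
  const groups = new Map();
  for (const i of incidents.filter(rule.condition)) {
    const key = JSON.stringify([i.user, ...rule.dlpFields.map((f) => i[f])]);
    if (!groups.has(key)) groups.set(key, { user: i.user, times: [] });
    groups.get(key).times.push(Date.parse(i.opened));
  }
  const offenders = new Set();
  for (const { user, times } of groups.values()) {
    times.sort((a, b) => a - b);
    // Sliding window: `violations` incidents no more than durationDays apart.
    for (let k = 0; k + rule.violations <= times.length; k++) {
      const span = times[k + rule.violations - 1] - times[k];
      if (span <= rule.durationDays * DAY_MS) { offenders.add(user); break; }
    }
  }
  return [...offenders];
}

console.log(findRepeatOffenders(rule, incidents));
```

Widening the window to 90 days also flags carol, while bob stays unflagged until the condition value matches the stored case.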