Channel: Symantec Connect - Products - Discussions

Using Regular Expression to find the first time something appears, then match string, but not the second or third time....

I need a solution

I am working with DLP V14.6. The program is reading emails leaving a workstation, at the workstation (before Exchange). I am looking for a specific keyword that appears in the subject line of the email [encrypt]. This keyword, if it appears in the first subject line, will trigger rules to encrypt the email later in the email message path at the encryption appliance.
The second and third subject lines that contain the keyword would not be picked up by the encryption appliance. 
If someone edits a reply and removes the keyword from the sending subject line, the message won't encrypt at the encryption appliance.
The goal is to detect email messages with SSN/CCN data and block it at the sender (before exchange) unless the message is going to be encrypted. 
Today we block at our encryption device, but it's not 100% accurate. We believe we will get better SSN/CCN detection at the workstation using DLP 14.6. DLP 14.6 can also check to see if the user is in an AD group allowing encryption.
Our goal is to block messages at the workstation before they get to Exchange or the encryption appliance. We have not deployed DLP E-mail Prevent. We are trying to use the endpoint agent.
My current regular expression will still allow the message to be sent when [encrypt] appears in the second or third Subject line.  It just has to appear in the email. (?i)(Subject\:\s).*(\[|\{)encrypt(\]|\]\}).  The (?i) makes it case insensitive. 
For this to work, the [encrypt] can be anywhere in the first subject line and encryption will apply.  We also allow for {encrypt}, or [encrypt].
The example below, if it contained SSN/CCN data, would leave the workstation and be passed to our Exchange and encryption appliance. Today the encryption appliance would block the message, but we want defense in depth.
We want to stop this message with a regular expression and rules at the endpoint.  It has to read only the first subject line and look for the [encrypt].  
I appreciate any feedback.
Below is sample text.  

From: Doe.John 
Sent: Friday, March 16, 2018 9:27 AM
To: 'john.doe@gmail.com'
Subject: TESTING 

TESTING
[encrypt]
John Doe
Company
 
From: Doe.John
Sent: Friday, March 16, 2018 9:27 AM
To: 'john.doe@gmail.com'
Subject: re: [encrypt] TESTING [encrypt]

TESTING
John Doe
Company
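
The requirement described in the post, as an added example that is not part of the original post: it runs the posted pattern and a first-Subject-only pattern against the post's sample text. It uses Python's `re` for demonstration; whether the DLP 14.6 regex engine supports `\A`, lookahead and multi-line/dot-all matching is an assumption the page does not confirm, as is the inspected text starting with the outgoing message's header block.

```python
import re

# Pattern exactly as posted in the question: fires on ANY Subject line.
# Its closing group (\]|\]\}) accepts "]" or "]}", so "{encrypt}" never matches.
POSTED = re.compile(r"(?i)(Subject\:\s).*(\[|\{)encrypt(\]|\]\})")

# Added pattern (assumption, not from the post). \A pins the match to the start
# of the inspected text; the tempered dot (?:(?!^Subject:).)*? cannot step over
# a line-initial "Subject:", so the Subject: it reaches is always the first one;
# [^\r\n]* keeps the keyword search on that one line.
FIRST_ONLY = re.compile(
    r"\A(?:(?!^Subject:).)*?^Subject:[^\r\n]*[\[{]encrypt[\]}]",
    re.IGNORECASE | re.MULTILINE | re.DOTALL,
)

# Sample from the post: keyword removed from the outgoing subject, still
# present in the body and in the quoted earlier message's subject.
REPLY_CHAIN = """From: Doe.John
Sent: Friday, March 16, 2018 9:27 AM
To: 'john.doe@gmail.com'
Subject: TESTING

TESTING
[encrypt]

From: Doe.John
Sent: Friday, March 16, 2018 9:27 AM
To: 'john.doe@gmail.com'
Subject: re: [encrypt] TESTING [encrypt]

TESTING
"""

# Constructed variant: the outgoing (first) subject carries the keyword.
TAGGED = REPLY_CHAIN.replace("Subject: TESTING\n", "Subject: TESTING {encrypt}\n", 1)

def any_subject_tagged(text: str) -> bool:
    """True if the posted pattern finds the keyword on any Subject line."""
    return POSTED.search(text) is not None

def first_subject_tagged(text: str) -> bool:
    """True only if the first Subject line in the text carries the keyword."""
    return FIRST_ONLY.search(text) is not None

if __name__ == "__main__":
    for name, text in (("reply chain", REPLY_CHAIN), ("tagged", TAGGED)):
        print(name, any_subject_tagged(text), first_subject_tagged(text))
```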
