How to test Classification and Tagging and Test Evidence
We can also verify whether our Classification and Tagging policy has been applied properly. For this we use the DLP Diagnostic tool, which can be downloaded and set up by following the post already shared.
Go to the TOOLS tab in the McAfee DLP Diagnostic tool.
SCENARIO TO TEST
Suppose we have the following scenario. We want to tag our documents based on the keywords "finance", "tender", "contract". We want to ensure that whenever a document containing these keywords is used or sent, the user activity is monitored by DLP, and that we can choose to block, monitor, store evidence, or ask the user for a justification. The steps below show how to set up the necessary tagging rules and classification policy based on a Dictionary that holds these keywords ("finance", "tender", "contract").
We will then apply the policy to the user and verify on the client machine, using the McAfee DLP Diagnostic tool, that the files have been successfully tagged according to the rules we have set.
Let's suppose that we have a classification and tagging rule applied, set up on the basis of the following classification rule.
Setting up Classification Rule
Click Classification Rule and add a New Content Classification Rule.
Click Add to add a new content category. If you have already created one, it will be shown here; just select it.
Now we will show how to create a custom Dictionary like the one used in the screenshot above.
Setting up Custom Dictionary with the keywords
This way we have created a Dictionary, which has the keywords "finance", "tender", "contract".
Setting up Tagging Rule
We will select an Application based tagging rule, as we want all office documents (MS Word, MS Excel, etc.) that contain the custom keywords to trigger the Protection rules in DLP.
We have selected the application definitions Email Client and Microsoft Office Applications. This means that any document or other content containing the keywords "finance", "tender", "contract" will be tagged when one of these applications accesses it.
To show what we have selected in, for example, MS Office Applications: check MS Office Applications and click Edit.
Click Original Executable File Name and check all the office applications, or just those that you wish to monitor.
Here we are done with the Tagging rule :))
Now we need DLP to crawl the end user machine, find all the files that contain these keywords, and tag them according to our rules. The steps below show how to set DLP to perform client machine discovery.
Setting up McAfee Host DLP Client discovery
Go to McAfee ePO and click Data Protection, then DLP Policy. Once you are on the main screen, click Agent Configuration and select Edit Global Agent Configuration.
Click the Discovery Settings tab and click File System Discovery as shown in the image below.
Wake up the agent in order to apply the policies (I am not sure if this is a mandatory step at this point, as crawling should automatically start as it's configured to run at the specified time).
To check whether Discovery has started on the client machine, go to the System Tree and click on the PC/System you want to check.
Click on the Products tab as shown and click Data Loss Prevention as highlighted.
Scroll down until you can see the crawling information.
While your discovery is running, you will see the status Running instead of Stopped. Mine is showing that discovery has been done and 96104 files have been crawled.
Now we are done with discovery, and we will apply the McAfee Host DLP Protection Rule.
Setting up McAfee Host DLP Protection Rule
We will create a new Application Protection Rule
NOW COMING BACK TO THE MAIN TITLE OF THIS POST, HOW TO TEST, WE WILL USE THE MCAFEE DLP DIAGNOSTIC TOOL.
We created a test file called Contact.txt and entered the keywords "finance", "tender", "contract" etc. Since we have applied the Application Protection rule, as soon as I double-clicked to open the file, McAfee Host DLP showed the notification message that the file is being monitored. Now we want to test it through the DLP Diagnostic tool.
We open the McAfee DLP Diagnostic tool and click on the Tools tab.
Under Test Classification and Tagging, we will click browse to upload the file and test if the tagging is performed or not.
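To make this test repeatable, the added example below (not part of the original post and not a McAfee tool) writes a small set of test files with positive cases and negative controls for the Dictionary keywords, and returns which files we expect to be tagged. The file names, sample sentences and the case-insensitive whole-word matching in `expected_hits` are assumptions made for the example; what the Diagnostic tool actually reports for each file is the result to compare against.

```python
import re
import tempfile
from pathlib import Path

# Keywords from the custom Dictionary built in this post.
KEYWORDS = ("finance", "tender", "contract")

# Constructed sample contents: positives, a case variant, and negative controls.
SAMPLES = {
    "pos_finance.txt": "Quarterly finance summary for the board.",
    "pos_tender.txt": "The tender closes on Friday.",
    "pos_contract.txt": "Signed contract attached.",
    "pos_all_upper.txt": "FINANCE, TENDER and CONTRACT in one file.",
    "neg_clean.txt": "Lunch menu for the canteen.",
    # Looks similar to the keywords but contains none of them.
    "neg_near_miss.txt": "Contact the tenant about financial aid.",
}

def expected_hits(text, keywords=KEYWORDS):
    """Keywords we expect to match (assumption: case-insensitive, whole word)."""
    found = []
    for kw in keywords:
        if re.search(r"\b" + re.escape(kw) + r"\b", text, re.IGNORECASE):
            found.append(kw)
    return found

def build_test_set(directory):
    """Write the sample files and return {filename: expected keywords}."""
    out = Path(directory)
    out.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for name, text in SAMPLES.items():
        (out / name).write_text(text, encoding="utf-8")
        manifest[name] = expected_hits(text)
    return manifest

if __name__ == "__main__":
    # Writes to a fresh temp folder; browse to these files in the Diagnostic tool.
    target = tempfile.mkdtemp(prefix="dlp_tagging_test_")
    for name, hits in build_test_set(target).items():
        verdict = "expect tag" if hits else "expect no tag"
        print(f"{Path(target) / name}: {verdict} {hits}")
```

Browse to each generated file under Test Classification and Tagging: a `neg_` file that comes back tagged, or a `pos_` file that does not, points to a problem in the Dictionary or the classification rule.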
Hope this detailed, step-by-step tutorial helps with setting up the McAfee Host DLP Content Classification rule, Tagging Rule, Dictionary, File System Discovery/verification and Protection Rule.
Thanks :)