DLP - Rules

Here you can configure the rules for DLP-triggering.
For general settings and their descriptions, see here.

In case some important company files change seldom or do not change at all, it makes sense to grab "file hashes" and not to fill the sensitivity list manually. For details see "File hashes".

It is also possible to mark important documents using hidden marks (you have to use special utility), to protect them or control sending of these documents (or their parts) outside the company.

How to fill in the block "sensitivity":
- each new elements of the list must start with the new line;
- if an accurate coincidence is required it is possible to specify a word or a phrase without prefixes;
- if inaccurate word search is required it is possible to specify single words (not phrase!) with prefix "~";
Warning! Language morphology features are works only for Russian and English languages! Therefore, do not use the tilde "~" symbol before the words from other languages!
- it is possible to use following templates: @CREDITCARD@ (bank card number), @PHONE@ (phone number), @EMAIL@ (e-mail-address), @FACE@ (face photo, see also "DLP: OCR" and "OCR on server");
- own templates based on regular expressions;
- marks, with which documents can be marked (the mark must be enclosed between the characters '#': #mylabel123#, only English alphabet letters and numbers are allowed, case matters!).

There are also situations when different elements of the "sensitivity" block require different reactions. For example, if less than five passport numbers are found in a document, then do not consider this as a threat at all and do not generate an event, but allow blocking of file transfer only if there are 50 passport numbers or more. But at the same time, the situation should be different for credit card numbers: triggering and blocking when at least one is found.
For such cases, it is possible to enter threshold values for each list element (two numbers separated by commas after the name: the first is the detection threshold, the second is the blocking threshold).
Please note that blocking in this case will only occur if the corresponding blocking settings are enabled in the settings at this page!
An example for the above case (assuming that the regular expression @passport@ is created):
@passport@,5,50
@CREDITCARD@,1,1
If threshold values are not specified, (1,1) is assumed as the default.
For digital document marks this option has no meaning and implies (1,1).

If you need to prohibit sending files by format, and not by text inside the file, we recommend that you refer to the settings "DLP by file formats"

Option "Search at most N-matches for each regular expression": introduced for optimization, so as not to waste time searching for expressions if a certain number of them have already been found. Specify 0 to remove restrictions.

Additional rules for DLP-triggers
Additional DLP triggers are present in this block.
For file group-oriented values, -1 can be set to disable the option.
"Additional" means that these rules will supplement the sensitivity list, but will not overlap it in an "AND" manner.
It should also be noted that the option for the number of files output during copy operations in Explorer may not always work, since Windows Explorer often breaks the copy operation into copying one file at a time, and accordingly, it is not always possible to know the original number of selected files!

v11.1.3476 (build: Jan 12 2026)
Introduction +Software suite structure +Software suite installation +Software suite uninstall +Software suite update -Global settings Database users -Software suite settings General settings description +Server settings +Client settings (computer) -Client settings (user) Common settings Monitoring - Face recognition Monitoring - User time Monitoring - Applications-sites Monitoring - Keylogger Monitoring - Clipboard Monitoring - Screenshots Monitoring - Screenshots (extra) Monitoring - Printing Monitoring - File operations Monitoring - Sending files Monitoring - Mail Monitoring - Chats-calls Monitoring - Shadow copy Monitoring - Black box Monitoring - Geolocation Monitoring - Autorecording Restrictions Threats DLP - Common settings DLP - Quarantine DLP - Rules DLP - By file formats DLP - OCR Critical apps-sites Atypical behavior Events Events (video) Events (extra) Outsourcing 2FA (employee) Quarantine-files Groups Company structure Work schedules Dossier of employees Sync with AD Risk analyzer Report templates File hashes Tariffs List of users Work with DB SQL-console Journal +Other +FAQ +Technical support	DLP - Rules Here you can configure the rules for DLP-triggering. For general settings and their descriptions, see here. In case some important company files change seldom or do not change at all, it makes sense to grab "file hashes" and not to fill the sensitivity list manually. For details see "File hashes". It is also possible to mark important documents using hidden marks (you have to use special utility), to protect them or control sending of these documents (or their parts) outside the company. How to fill in the block "sensitivity": - each new elements of the list must start with the new line; - if an accurate coincidence is required it is possible to specify a word or a phrase without prefixes; - if inaccurate word search is required it is possible to specify single words (not phrase!) with prefix "~"; Warning! Language morphology features are works only for Russian and English languages! Therefore, do not use the tilde "~" symbol before the words from other languages! - it is possible to use following templates: @CREDITCARD@ (bank card number), @PHONE@ (phone number), @EMAIL@ (e-mail-address), @FACE@ (face photo, see also "DLP: OCR" and "OCR on server"); - own templates based on regular expressions; - marks, with which documents can be marked (the mark must be enclosed between the characters '#': #mylabel123#, only English alphabet letters and numbers are allowed, case matters!). There are also situations when different elements of the "sensitivity" block require different reactions. For example, if less than five passport numbers are found in a document, then do not consider this as a threat at all and do not generate an event, but allow blocking of file transfer only if there are 50 passport numbers or more. But at the same time, the situation should be different for credit card numbers: triggering and blocking when at least one is found. For such cases, it is possible to enter threshold values for each list element (two numbers separated by commas after the name: the first is the detection threshold, the second is the blocking threshold). Please note that blocking in this case will only occur if the corresponding blocking settings are enabled in the settings at this page! An example for the above case (assuming that the regular expression @passport@ is created): @passport@,5,50 @CREDITCARD@,1,1 If threshold values are not specified, (1,1) is assumed as the default. For digital document marks this option has no meaning and implies (1,1). If you need to prohibit sending files by format, and not by text inside the file, we recommend that you refer to the settings "DLP by file formats" Option "Search at most N-matches for each regular expression": introduced for optimization, so as not to waste time searching for expressions if a certain number of them have already been found. Specify 0 to remove restrictions. Additional rules for DLP-triggers Additional DLP triggers are present in this block. For file group-oriented values, -1 can be set to disable the option. "Additional" means that these rules will supplement the sensitivity list, but will not overlap it in an "AND" manner. It should also be noted that the option for the number of files output during copy operations in Explorer may not always work, since Windows Explorer often breaks the copy operation into copying one file at a time, and accordingly, it is not always possible to know the original number of selected files!
© KICKIDLER DLP