Morning,
A bit of background. Looking quickly through all the DLP incidents in my console, it seems we have a lot of people sending emails from their official company address to either their other company address, i.e. if they are SI or contractors, e.g. detecting Joe.Bloggs@company.com to Joe.Bloggs@otherdomain.com, or a better example, joe.bloggs@mycompany.com to joe.bloggs@ibm.com or Accenture, PwC, Deloitte, etc.
There are also a fair few going to joe.bloggs@webmail.com (e.g. Gmail, Hotmail, Outlook, etc.). Now they are all obviously being detected by DLP by various different policies, or they would not show up in the console in the first place.
My question
Is there a way within DLP to create a detection/response rule that will detect specifically these types of emails? Longer term I would like to block them. Yes, I know I could block them using the policies that are detecting them in the first place, but those have at the moment way too many false positives to think about enabling blocking at this time. It will be a long maturity journey till I have those sufficiently tuned.
They are easy to spot if manually looking at the alerts, but I wanted a smarter method, ideally automated, of doing this. Is there a way using REGEX? Any help most appreciated.
Kind Regards,
Jeremy
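
The pattern described in the post (sender on the company domain, recipient with the same mailbox name on a different domain) can be checked as post-processing over exported incident sender/recipient pairs. This is an added example, not part of the original post and not tied to any DLP product's API; the domain lists, function names and sample incidents are assumptions constructed for illustration.

```python
from email.utils import parseaddr

# Assumptions (not from the post): own mail domains and a webmail domain list.
CORPORATE_DOMAINS = {"mycompany.com"}
WEBMAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com"}


def split_address(addr):
    """Return (local_part, domain) lower-cased, or None if not an address."""
    _, email = parseaddr(addr)
    local, at, domain = email.rpartition("@")
    if not at or not local or not domain:
        return None
    # Drop a "+tag" suffix so joe.bloggs+work@... still matches joe.bloggs@...
    return local.lower().split("+", 1)[0], domain.lower()


def self_forward_hits(sender, recipients):
    """List (recipient, category) pairs where the recipient carries the
    sender's local part on a non-corporate domain."""
    parsed = split_address(sender)
    if parsed is None or parsed[1] not in CORPORATE_DOMAINS:
        return []
    hits = []
    for rcpt in recipients:
        r = split_address(rcpt)
        if r is None or r[1] in CORPORATE_DOMAINS or r[0] != parsed[0]:
            continue
        category = "webmail" if r[1] in WEBMAIL_DOMAINS else "other-company"
        hits.append((rcpt, category))
    return hits


# Constructed sample incidents (sender, recipients); not real data.
SAMPLE_INCIDENTS = [
    ("Joe Bloggs <Joe.Bloggs@mycompany.com>", ["joe.bloggs@ibm.com"]),
    ("joe.bloggs@mycompany.com", ["joe.bloggs@gmail.com", "ann@mycompany.com"]),
    ("joe.bloggs@mycompany.com", ["jane.doe@ibm.com"]),
    ("jane.doe@mycompany.com", ["Jane.Doe@mycompany.com"]),
]

if __name__ == "__main__":
    for sender, recipients in SAMPLE_INCIDENTS:
        print(sender, "->", self_forward_hits(sender, recipients))
```

Matching on the exact local part misses variants such as `jbloggs@` or `joebloggs@`, so hits from this check are a lower bound on self-forwarding rather than a complete list.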