Hello,
I would like to ask you if you can redesign the processing of the rules that do the exceptions from monitoring so that it always happens before the extraction phase on the DLP agent. I have realized that almost all the filters are applied too late, within the incident generation phase, which has a performance impact on the local DLP agent and PC.
For example, I see that the following conditions from the exceptions' processing can happen first to save time: all the simple atomic ones, with attributes known from outside the client:
* all user and group based conditions, similar for sender and recipient rules (email, web)
* all file extension, size, name conditions
* all source and destination file path (IP, UNC, local) conditions
* all IP and domain conditions
* protocol used conditions
* device class conditions
* endpoint location conditions
I think that any content extraction and content detection shall happen only after all the exceptions are completely evaluated first.
Thank you,
Pavel
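
The ordering requested in the post above, sketched as an added example that is not part of the original post and is not the DLP product's code: metadata-only exception predicates run first, and the expensive extraction and detection step runs only when none of them matches. All names, rules and values (`Event`, `Agent`, `EXCEPTIONS`, the user, share and subnet) are constructed for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Event:
    """Attributes known before the file content is opened (hypothetical model)."""
    user: str
    file_name: str
    size: int
    dest_path: str
    dest_ip: Optional[str]   # None for local or removable-media copies
    protocol: str
    device_class: str

# Constructed exception rules: each is a cheap predicate over metadata only.
EXCEPTIONS = [
    ("trusted user", lambda e: e.user in {"svc-backup"}),
    ("ignored extension", lambda e: fnmatch(e.file_name.lower(), "*.iso")),
    ("oversized file", lambda e: e.size > 500 * 1024 * 1024),
    ("internal share", lambda e: e.dest_path.startswith("\\\\fileserver01\\")),
    ("internal subnet", lambda e: e.dest_ip is not None
        and ip_address(e.dest_ip) in ip_network("10.0.0.0/8")),
    ("approved device class", lambda e: e.device_class == "printer"),
]

def matched_exception(event: Event) -> Optional[str]:
    """Return the name of the first exception that applies, else None."""
    for name, predicate in EXCEPTIONS:
        if predicate(event):
            return name
    return None

class Agent:
    def __init__(self) -> None:
        self.extractions = 0          # counts how often the costly path ran

    def extract_and_detect(self, payload: bytes) -> bool:
        """Stand-in for content extraction plus content detection."""
        self.extractions += 1
        return b"CONFIDENTIAL" in payload

    def process(self, event: Event, payload: bytes):
        reason = matched_exception(event)   # phase 1: metadata only
        if reason is not None:
            return ("skipped", reason)      # payload is never parsed
        hit = self.extract_and_detect(payload)  # phase 2: content
        return ("incident", None) if hit else ("clean", None)
```

The `extractions` counter makes the saving visible: an event excluded by any metadata rule never reaches `extract_and_detect`.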