What Are the Differences Between the “same” and “any” Components in Symantec DLP Rules?

By November 20, 2020Symantec DLP Enforce
Run another search:
You are here:
< Back

A rule can have multiple parts to it. On creating a rule, you can add conditions under “Also Match”. By default, these conditions must both match in the “same” component. A component can be the Envelope, Body or Attachment of a message. Each attachment is considered a different component.

The “any component” setting allows a match when one part is in the body and another is in the attachment. The “same component” setting requires the two parts to be in the same component.

For example, if you are matching for last name and social security number, if “any component” is selected, an incident is created if the name is in the body and the social security number is in an attachment of an e-mail. If the same component is selected (for both), then both last name and social security numbers must be in the same component. In this case, if the social security number is in one attachment and the last name is in another attachment, the violating data are in different components, which will not trigger a match.

Note that each match condition includes a component setting. When using multiple conditions, be aware of how the component settings of each condition will interact. In the above example, if you select “same component” for the SSN and “any component” for the last name, a match will be triggered when either item is in either component. The reverse is also true (if “any component” is selected for SSN, and “same component” for last name). However, with three or more match conditions, the situation becomes more complex. You should carefully review these settings for rules with many match conditions, to be sure that you are getting the matches that you intend.

Was this article helpful?
0 out Of 5 Stars
5 Stars 0%
4 Stars 0%
3 Stars 0%
2 Stars 0%
1 Stars 0%
How can we improve this article?