Re: Cisco ESA DLP Regex

m.azlan · ‎01-08-2021

Hi All,

I have tried to create custom DLP policy for Malaysian ID, for example, 889922-01-1234 or 881243 01 1234 and the regular expressions that I created as below. Its should be denied and drop when someone sent out an email that content ID. but it's not worked as expected. Do I miss something?

\d{6 }-\d{2}-\d{4} refer to 889922-01-1234

ESA version 12.5.1.037

I followed the guide from these notes > https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_chapter_010001.html#con_1305630

Libin Varghese · ‎01-08-2021

Just based on testing the regex itself using online tools such as regex101.com, unless its a typo with an additional space.

\d{6 }-\d{2}-\d{4} does not match 889922-01-1234

\d{6}-\d{2}-\d{4} matches 889922-01-1234

If that was just a typo in the post, the regex appears to be correct otherwise and we'll need to rely on confirming if the DLP policy is enabled correctly for outgoing emails and testing different email contents, etc.

Regards,

Libin

m.azlan · ‎01-13-2021

Hi Libin

Thanks for your suggestion, I will check again the configuration and regex.

m.azlan · ‎01-14-2021

@Libin Varghese

I have checked, regex is correct and policy are applied. still, not working. is it a bug? run version 11 no issues at all.

cbilliot · ‎01-14-2021

Creating your custom DLP policy is just one part of the process.

Have you created the outgoing content filter?

Maybe you can find guidance here: Best Practices Guide for Data Loss Prevention and Encryption - Cisco

Good luck!