Inquiry about the behavior of the “Apply context rule for” option in Context Detection

Before posting, I would like to provide the following details for more accurate assistance:

1. What version are you using? (OS, client, server, etc.)
→ We are currently using Windows and macOS.

2. What settings/configuration do you currently have in place?
→ We are currently testing the Context Detection feature. Specifically, we are trying to understand the exact behavior of the “Apply context rule for” setting.

3. What unexpected behavior are you seeing?
→ Based on our understanding:

  • All items in scanned document: the policy should apply only if all specified items in the Included Context are present.

  • At least one item in scanned document: the policy should apply if at least one of the specified Included Context items is present.

However, in our testing:

  • When the Included Context condition is set to OR, the policy seems to apply as long as at least one item is present, regardless of the Apply context rule for setting.

  • When the Included Context condition is set to AND, the policy applies only when all specified items are present, as expected.

This makes us unclear about the actual purpose and behavior of the Apply context rule for option.

We suspect there may be a misunderstanding on our side, so we would appreciate it if you could provide a detailed explanation of how this feature works.

4. What have you tried so far?
→ We have been continuously testing different configurations to reproduce and understand the behavior.

Good question.

The Included Context: AND | OR switch controls how the context keywords are applied when two or more context dictionaries are selected. AND requires a keyword from each dictionary to be present. If you select just one dictionary, it does not perform an AND on all the keywords within that dictionary. (I.e., the switch does nothing in the case where there is only one dictionary.)

For example, I created two dictionaries: ‘SSN1’ with only the keyword ‘SSN’ and ‘SSN2’ with only the keyword ‘Social Security Number’. My policy had ssn/us with a Threat Threshold of 2. My Included Context had ‘Custom Content/SSN1’ AND ‘Custom Content/SSN2’. My context rule had Proximity=50 (important later).

This was blocked:

SSN
Social Security Number
123-45-6789
234-56-7890

This was not blocked:

SSN
123-45-6789
234-56-7890

I then configured just one context dictionary combining both keywords ‘SSN’ and ‘Social Security Number’. Then both of the above documents were blocked. (Both keywords from the same dictionary were not required.)

The Apply context rule for switch controls how the contextual rule is applied to multiple threats (e.g. SSNs) within the same document.

I now put padding characters (>50) between the two SSNs, both with context, like this:

SSN
Social Security Number
123-45-6789

ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789

SSN
Social Security Number
234-56-7890

and the same, but with context near only one of the SSNs, like this:

SSN
Social Security Number
123-45-6789

ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789

234-56-7890

With All items in scanned document, only the first document is blocked: the ‘234-56-7890’ in the second document has no context, so it is not counted and the document does not reach the threat threshold of 2. With At least one item in scanned document, both documents are blocked: having found ‘123-45-6789’ in context, it then counts every SSN numeric pattern regardless of context.

I hope this was clear!

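
As an added illustration (not the product's code, nor something from either poster), the Python below models the semantics described in the answer above and replays its four test documents: Included Context AND/OR is evaluated across dictionaries, and Apply context rule for decides whether every SSN needs its own context or whether one SSN in context is enough to count them all. Proximity is modelled as character distance between a keyword occurrence and the SSN match, keyword matching is case-insensitive substring matching, and the labels `"ALL"` / `"ANY"` for the two settings are mine; all three are assumptions.

```python
import re

# Stand-in for the ssn/us classifier: a US SSN-like numeric pattern.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def keyword_near(text, keyword, span, proximity):
    """True if some case-insensitive occurrence of `keyword` lies within
    `proximity` characters of the threat `span` (assumed proximity semantics)."""
    for m in re.finditer(re.escape(keyword), text, flags=re.IGNORECASE):
        if span[0] - m.end() <= proximity and m.start() - span[1] <= proximity:
            return True
    return False

def has_context(text, span, dictionaries, included_mode, proximity):
    """Included Context AND/OR applies across dictionaries: AND needs a hit from
    every dictionary, OR from any one; keywords inside a dictionary are always OR."""
    per_dict = [any(keyword_near(text, kw, span, proximity) for kw in d)
                for d in dictionaries]
    return all(per_dict) if included_mode == "AND" else any(per_dict)

def count_threats(text, dictionaries, included_mode, proximity, apply_for):
    """Number of SSNs that count toward the threat threshold under
    Apply context rule for = "ALL" (all items) or "ANY" (at least one item)."""
    spans = [m.span() for m in SSN_RE.finditer(text)]
    in_ctx = [has_context(text, s, dictionaries, included_mode, proximity) for s in spans]
    if apply_for == "ALL":
        return sum(in_ctx)                 # only SSNs with their own context count
    return len(spans) if any(in_ctx) else 0  # one SSN in context -> all SSNs count

def is_blocked(text, dictionaries, included_mode, apply_for, proximity=50, threshold=2):
    return count_threats(text, dictionaries, included_mode, proximity, apply_for) >= threshold

# Constructed documents mirroring the four in the answer (padding > 50 chars).
PAD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789\n" * 2
DOC_BOTH_KEYWORDS = "SSN\nSocial Security Number\n123-45-6789\n234-56-7890"
DOC_ONE_KEYWORD = "SSN\n123-45-6789\n234-56-7890"
DOC_CONTEXT_BOTH = "SSN\nSocial Security Number\n123-45-6789\n\n" + PAD + "\nSSN\nSocial Security Number\n234-56-7890"
DOC_CONTEXT_ONE = "SSN\nSocial Security Number\n123-45-6789\n\n" + PAD + "\n234-56-7890"

TWO_DICTS = [{"SSN"}, {"Social Security Number"}]        # 'SSN1' AND 'SSN2'
ONE_DICT = [{"SSN", "Social Security Number"}]           # one combined dictionary

if __name__ == "__main__":
    print(is_blocked(DOC_BOTH_KEYWORDS, TWO_DICTS, "AND", "ALL"))  # True
    print(is_blocked(DOC_ONE_KEYWORD, TWO_DICTS, "AND", "ALL"))    # False: no 'SSN2' hit
    print(is_blocked(DOC_ONE_KEYWORD, ONE_DICT, "AND", "ALL"))     # True: single dict, AND is moot
    print(is_blocked(DOC_CONTEXT_ONE, TWO_DICTS, "AND", "ALL"))    # False: second SSN lacks context
    print(is_blocked(DOC_CONTEXT_ONE, TWO_DICTS, "AND", "ANY"))    # True: one in context counts all
    # The original poster's observation: with OR and every SSN near a keyword,
    # the Apply context rule for setting cannot change the outcome.
    print(is_blocked(DOC_ONE_KEYWORD, TWO_DICTS, "OR", "ALL"),
          is_blocked(DOC_ONE_KEYWORD, TWO_DICTS, "OR", "ANY"))     # True True
```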
Hello, @AaronDunn

Thanks to your explanation, I now fully understand.

Thank you for the detailed explanation!
