In this example, you will create a custom report that keeps track of outgoing messages that are likely to result in a loss of sensitive data. The report will monitor messages containing the words "Top Secret" or a credit card number. It will also record the number of times a message is sent with an attachment entitled Internal Financial Report.pdf.
Marks for custom reports are not logged unless you add an action for each value that you want reported. You can add a policy mark action to an existing rule, or, if necessary, create a new rule. Although this example shows the lines that you must insert in the policy.siv file, you can also modify the policy as necessary using the Policy Constructor. For more information, see "Editing the Policy" in the Manager Reference. This custom report requires the following rules:
# attr NAME=Log messages containing TOP SECRET keywords
if pmx_phrase :attachments :scanall :contains ["Top Secret"] {
    pmx_custom_mark "dlp_keyword_report" "Top Secret";
}

# attr NAME=Log messages that contain the PDF named Internal Financial Report
if pmx_attachment_name :tft :contains ["Internal Financial Report.pdf"] {
    pmx_custom_mark "dlp_keyword_report" "Financial Reports";
}

# attr NAME=Log messages that contain a Credit Card
if pmx_credit_card {
    pmx_custom_mark "dlp_keyword_report" "Credit Card Numbers";
}
Notice that the last line of each rule contains a pmx_custom_mark action.
The key that you enter in the next step must match this key (dlp_keyword_report) exactly. Each action has a unique value (for example, "Credit Card Numbers"), which must also exactly match a corresponding entry you will enter in step 2.
Now that you have created the necessary logic in the PureMessage policy, you must use the pmx-reports-custom tool to register the report. This must be done at the command line, as the PureMessage user ("pmx" by default).
Top Secret
Financial Reports
Credit Card Numbers
pmx-reports-custom add --key dlp_keyword_report --title "Data Loss Prevention" --file /tmp/DLP_Report
The --key must exactly match the key specified in the corresponding policy marks. The --title is the name of the report that will be displayed on the Reports page. The --file is the path to the file containing the report values.
The --key that you assign must be lowercase. If not, you are prompted to change it. You are then prompted to run pmx-profile sync-to-db --force --resource=reports_config.
If you want to modify the values of the report, edit the file (in this case, DLP_Report), and run pmx-reports-custom update. For a complete list of commands see the pmx-reports-custom man page.
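Because a mark is only reported when its key and value match the report definition exactly, it can help to compare the two before registering or updating the report. The following is an added example, not part of PureMessage or its documentation: it assumes the values file holds one value per line and that matching is exact, and the function names and the deliberately mismatched sample values are constructed for illustration.

```python
import re

# pmx_custom_mark "<key>" "<value>";  as written in the policy.siv rules above
MARK_RE = re.compile(r'pmx_custom_mark\s+"([^"]*)"\s+"([^"]*)"\s*;')

def policy_marks(policy_text):
    """Map each mark key to the set of values marked under it (comment lines skipped)."""
    marks = {}
    for line in policy_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        for key, value in MARK_RE.findall(line):
            marks.setdefault(key, set()).add(value)
    return marks

def check_report(policy_text, key, values_text):
    """Return a list of mismatches between the policy marks and the report definition."""
    problems = []
    if key != key.lower():
        problems.append(f"key {key!r} is not lowercase")
    marks = policy_marks(policy_text)
    for other in sorted(marks):
        if other != key and other.lower() == key.lower():
            problems.append(f"policy uses key {other!r}, report uses {key!r}")
    marked = marks.get(key, set())
    # Assumption: one value per line, compared exactly, so stray spaces are reported.
    listed = [v for v in values_text.splitlines() if v != ""]
    problems += [f"marked in policy but not in values file: {v!r}"
                 for v in sorted(marked - set(listed))]
    problems += [f"in values file but never marked: {v!r}"
                 for v in listed if v not in marked]
    return problems

# Constructed sample: the rules from this page and a values file with a case error.
POLICY = '''
# attr NAME=Log messages containing TOP SECRET keywords
if pmx_phrase :attachments :scanall :contains ["Top Secret"] {
    pmx_custom_mark "dlp_keyword_report" "Top Secret";
}
if pmx_attachment_name :tft :contains ["Internal Financial Report.pdf"] {
    pmx_custom_mark "dlp_keyword_report" "Financial Reports";
}
if pmx_credit_card {
    pmx_custom_mark "dlp_keyword_report" "Credit Card Numbers";
}
'''
VALUES = "Top Secret\nFinancial Reports\nCredit card numbers\n"

if __name__ == "__main__":
    print("\n".join(check_report(POLICY, "dlp_keyword_report", VALUES)))
```

An empty result means every marked value has a matching entry in the values file and the key is usable as the --key argument.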
This step is required to update the database and any edge servers in your deployment:
pmx-profile sync-to-db --force --resource=reports_config
To apply the changes made in the previous steps, you must restart the mail filter. At the command line, run:
pmx-milter restart
To ensure that the custom report is working as expected, process some messages that are designed to trigger pmx_custom_mark actions, and then gather new data for the message log.
pmx-reports-consume-message-log --v2
Use the pmx-reports-mailer-v2 command to run and mail custom reports.
pmx-reports-mailer-v2 --custom "Data Loss Prevention" --mailto me@example.com
For more information, see "Managing Scheduled Jobs" in the Manager Reference.