Data-in-Motion Rules

Abstract

Configure Data-in-Motion Rules (under Data Security) for Endpoint DLP.

Data-in-motion Rules define the DLP policies that govern how sensitive data is handled when it moves across endpoints. These rules specify what data patterns to detect, which applications and destinations to monitor, and what actions to take (allow, block, notify) when sensitive data movement is detected. Rules can be created, edited, cloned, enabled/disabled, deleted, and prioritized.

For more information, see Create data-in-motion rules.

Users access Data In Motion Rules by going to ModulesData SecurityEndpoint Data-in-Motion Rules.

Permission

Description

Recommended Roles

None

Users cannot access the Data-in-motion Rules page.

  • SOC Tier-1 Analyst: DLP rule management is outside triage responsibilities.

  • IT Admin: DLP rule management is outside the IT infrastructure administration scope.

View

Users can navigate to the Data-in-motion Rules page and see all configured DLP rules in the grid view. They can view rule names, priorities, statuses (enabled/disabled), target applications, conditions, actions, and inspect rule details.

  • SOC Tier 2 and 3 Analysts: May need to review DLP rules when investigating cases/issues,

  • Threat Hunter: May need to understand DLP rules to correlate with threat hunting findings

View/Edit

Users have full control over Data-in-motion rules. They can create, edit, duplicate, delete, and enable/disable rules. They can also change rule priorities. All context menu actions are fully accessible.

  • Security Engineer: Primary responsibility for creating and maintaining DLP rules.

  • Security Admin: Full administrative access to all DLP configurations.