Response filters and data loss prevention signatures

When you configure a response filter in the Network IPS Local Management Interface for a data loss prevention (DLP) user-combined or user-defined event, the response filter list shows signature names that differ from the event names in the DLP lists.

You can add only eight user-combined events and only eight user-defined events. The first user-defined or user-combined event in the applicable DLP list appears in the response filter list as Content_Analyzer_User_defined_0 or Content_Analyzer_User_combined_0. The second event in the applicable DLP list appears in the response filter list as Content_Analyzer_User_defined_1 or Content_Analyzer_User_combined_1. The numeric suffix is zero-based, so it is always one less than the event's position in the list. When you assign a response filter to a DLP user-combined or user-defined event, match the signature to its corresponding sequential event.

Table 1. DLP event signatures and their corresponding event

| User-combined or user-defined event in the list | User-defined event signature | User-combined event signature |
|---|---|---|
| First event | Content_Analyzer_User_defined_0 | Content_Analyzer_User_combined_0 |
| Second event | Content_Analyzer_User_defined_1 | Content_Analyzer_User_combined_1 |
| Third event | Content_Analyzer_User_defined_2 | Content_Analyzer_User_combined_2 |
| Fourth event | Content_Analyzer_User_defined_3 | Content_Analyzer_User_combined_3 |
| Fifth event | Content_Analyzer_User_defined_4 | Content_Analyzer_User_combined_4 |
| Sixth event | Content_Analyzer_User_defined_5 | Content_Analyzer_User_combined_5 |
| Seventh event | Content_Analyzer_User_defined_6 | Content_Analyzer_User_combined_6 |
| Eighth event | Content_Analyzer_User_defined_7 | Content_Analyzer_User_combined_7 |