
Understanding DLP Recommendations

DLP recommendations are suggestions generated by Speedscale's DLP engine that identify PII in your snapshots and propose transform chains to redact or replace that data. Understanding recommendations is crucial for creating effective DLP rules.

What are DLP Recommendations?

DLP recommendations are automated suggestions that:

  • Identify PII: Point out where PII has been discovered in your snapshots
  • Propose Solutions: Suggest transform chains to protect the identified PII
  • Provide Context: Include metadata about the discovery (location, pattern type)
  • Enable Action: Allow you to accept, modify, or ignore recommendations

How Recommendations are Generated

Recommendations are generated automatically through the following steps:

  1. Snapshot Analysis: A snapshot is analyzed by the DLP engine
  2. PII Discovery: PII patterns are identified in the snapshot
  3. Transform Chain Creation: Appropriate transform chains are proposed
  4. Recommendation Assembly: Recommendations are assembled with metadata

Recommendation Lifecycle

Recommendations follow this lifecycle:

  1. Generated: Created during snapshot analysis
  2. Active: Available for review and action
  3. Accepted: Applied to create DLP rules or transform chains
  4. Ignored: Marked as ignored (can be restored later)

Recommendation Types

Speedscale generates two main types of DLP recommendations:

DLP Redaction Recommendations

Purpose: Mask PII in production traffic before it reaches Speedscale cloud

When They Appear: After analyzing snapshots containing real PII from test environments

What They Recommend: Transform chains that will:

  • Identify PII using extractors (JSONPath, headers, query params, etc.)
  • Apply DLP transforms to redact the PII
  • Replace PII with REDACTED- prefixed tokens

Outcome: When applied to production forwarders, PII is replaced with REDACTED- tokens before data leaves your infrastructure

Use Case: Protecting production data from exposure

DLP Test Data Recommendations

Purpose: Replace REDACTED- tokens with realistic test data for testing

When They Appear: After analyzing snapshots containing REDACTED- tokens from production traffic

What They Recommend: Transform chains that will:

  • Identify REDACTED- tokens
  • Discover the original data pattern (using pattern discovery)
  • Generate appropriate test data matching the original pattern
  • Replace REDACTED- tokens with test data

Outcome: Snapshots contain realistic test data instead of REDACTED- tokens, enabling effective testing

Use Case: Generating test data from redacted production traffic

Viewing Recommendations

Recommendations Tab in Snapshot View

To view recommendations:

  1. Navigate to Snapshot: Open the snapshot containing discovered PII
  2. Open Recommendations Tab: Click on the "Recommendations" tab
  3. View Recommendations List: See all recommendations for the snapshot
  4. Filter Recommendations: Use filters to find specific recommendations

Recommendation List Interface

The recommendations interface shows:

  • Recommendation Cards: Each recommendation displayed as a card
  • Type Indicators: Visual indicators for recommendation types
  • Count Badges: Number of affected RRPairs
  • Status Indicators: Active vs. ignored status
  • Action Buttons: Quick actions (Apply, Ignore, View Details)

Recommendation Details and Context

Clicking on a recommendation shows:

  • Pattern Type: What type of PII was discovered (email, SSN, etc.)
  • Location: JSONPath location where PII was found
  • Affected RRPairs: List of RRPairs containing this PII
  • Transform Chain Preview: Preview of the proposed transform chain
  • Impact Assessment: Estimated impact of applying the recommendation

Understanding Recommendation Metadata

Each recommendation includes metadata:

  • Recommendation ID (recUUID): Unique identifier for the recommendation
  • Recommendation Type: DLP redaction or test data recommendation
  • Pattern Type: Type of PII pattern (email, SSN, credit card, etc.)
  • Affected Count: Number of RRPairs affected
  • Location: JSONPath location of the PII
  • Timestamp: When the recommendation was generated

Recommendation Components

Recommendations consist of transform chains that include three main components: filters, extractors, and transforms. For comprehensive documentation on transforms and extractors, see the Transforms documentation.

Transform Chains

A transform chain is a sequence of operations that process RRPairs in this order:

  1. Filters: Identify which RRPairs to process (e.g., filter by service name or URL path)
  2. Extractors: Extract data from specific locations (e.g., HTTP headers, request body, query parameters)
  3. Transforms: Apply transformations to redact PII or generate test data (e.g., dlp_json transform)

Each chain has a unique identifier and can be customized to target specific data patterns and locations.

Filters

Filters determine which RRPairs are processed by the transform chain. Examples include:

  • Filter by service: service="user-service"
  • Filter by URL path: http.url CONTAINS "/api/users"
  • Filter by HTTP method: http.method == "POST"
  • Combine conditions: service="payment-service" AND http.method == "POST"

Extractors

Extractors identify and extract data from specific locations in RRPairs. Examples include:

  • HTTP Request: Extract from headers (http_req_header), query parameters (http_queryparam), or body (http_req_body)
  • HTTP Response: Extract from response headers (http_res_header) or body (http_res_body)
  • JSONPath: Use JSONPath expressions to extract specific fields from JSON data (e.g., $.user.email)

Transforms

Transforms perform the actual data modification. DLP recommendations use transforms like:

  • dlp_json: DLP transformation for JSON data that redacts PII or generates test data
  • Transforms can be chained together to perform multiple operations in sequence

For detailed information on all available extractors, transforms, and filter syntax, see the Transforms documentation.
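
The chain order described above (filter, then extractor, then transform), as an added Python sketch that is not Speedscale's implementation or configuration format. The RRPair field names, the sample data, the demo key and the token suffix are assumptions; only the REDACTED- prefix and the filter/extractor expressions come from this page.

```python
import copy
import hashlib
import hmac

DEMO_KEY = b"constructed-demo-key"  # assumption: a per-deployment secret
# Constructed sample RRPairs; field names are assumptions, not Speedscale's schema.
RRPAIRS = [
    {"service": "user-service", "http": {"method": "POST", "url": "/api/users"},
     "req_body": {"user": {"email": "alice@example.com", "plan": "pro"}}},
    {"service": "user-service", "http": {"method": "GET", "url": "/api/users/7"},
     "req_body": {}},
    {"service": "payment-service", "http": {"method": "POST", "url": "/api/pay"},
     "req_body": {"user": {"email": "bob@example.com"}}},
]

def chain_filter(rr):
    """Filter stage: service="user-service" AND http.method == "POST"."""
    return rr["service"] == "user-service" and rr["http"]["method"] == "POST"

def extract(doc, path):
    """Extractor stage: resolve a dotted JSONPath ($.user.email) to (parent, key) or None."""
    keys = path.removeprefix("$.").split(".")
    node = doc
    for key in keys[:-1]:
        node = node.get(key) if isinstance(node, dict) else None
        if node is None:
            return None
    if isinstance(node, dict) and keys[-1] in node:
        return node, keys[-1]
    return None

def redact(value):
    """Transform stage: swap the value for a REDACTED- token (keyed suffix is assumed)."""
    digest = hmac.new(DEMO_KEY, str(value).encode(), hashlib.sha256).hexdigest()[:12]
    return f"REDACTED-{digest}"

def apply_chain(rrpairs, path="$.user.email"):
    """Run filter -> extractor -> transform on a copy; return (new_rrpairs, hit_count)."""
    out, hits = copy.deepcopy(rrpairs), 0
    for rr in out:
        if not chain_filter(rr):
            continue
        found = extract(rr["req_body"], path)
        if found:
            parent, key = found
            parent[key] = redact(parent[key])
            hits += 1
    return out, hits
```

The payment-service pair keeps its email because the filter excludes it, which is the coverage gap to check for when narrowing a recommended chain's filter.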

Auto-Discovered vs. Manual Recommendations

Differences

Auto-Discovered Recommendations:

  • Generated automatically by the DLP engine
  • Based on pattern matching
  • Can be bulk-processed

Manual Recommendations:

  • Created manually by users
  • Based on user knowledge and requirements
  • More precise but require more effort

When to Use Each Type

Use Auto-Discovered When:

  • You want to discover unknown PII
  • You need comprehensive coverage
  • You're starting a new DLP implementation

Use Manual When:

  • You know specific PII locations
  • Auto-discovery missed something
  • You need custom transformations
  • You want precise control

Converting Between Types

  • Auto to Manual: You can modify auto-discovered recommendations
  • Manual to Auto: Manual recommendations can inform auto-discovery
  • Hybrid Approach: Combine both for best results

Managing DLP Recommendations

After reviewing recommendations, you need to decide which ones to accept and which to ignore. This section covers the complete workflow for managing recommendations.

Reviewing Recommendations

Before accepting or ignoring recommendations, it's important to review them carefully to understand their impact and relevance.

Active vs. Ignored Recommendations

Recommendations exist in two states:

Active Recommendations:

  • Newly generated recommendations that haven't been acted upon
  • Visible by default in the recommendations list
  • Available for acceptance or ignoring
  • Show impact metrics and details

Ignored Recommendations:

  • Recommendations that have been marked as ignored
  • Stored in a separate "Ignored" tab
  • Can be restored if needed
  • Retain their metadata for future reference

Switching Between Views:

  1. View Active: Default view shows only active recommendations
  2. View Ignored: Navigate to the "Ignored" tab to view ignored recommendations
  3. Status Indicators: Visual indicators show recommendation status

Filtering and Searching Recommendations

The recommendations interface provides powerful filtering capabilities:

Filter by Recommendation Type:

  • DLP Redaction Recommendations
  • DLP Test Data Recommendations
  • Show only specific types

Filter by Pattern Type:

  • Email addresses
  • Credit card numbers
  • SSNs
  • Phone numbers
  • Other specific pattern types

Search by Location or Content:

  • Search by JSONPath location
  • Search by field name
  • Search by pattern content
  • Full-text search across recommendation metadata

Sort and Organize:

  • Sort by affected RRPair count
  • Sort by pattern type
  • Sort by timestamp
  • Group by pattern type
  • Group by location

Understanding Recommendation Impact

Before accepting recommendations, consider their impact:

Number of Affected RRPairs:

  • How many request/response pairs will be affected
  • Indicates scope of the recommendation
  • Higher count = broader impact

Data Volume Impact:

  • Estimated data volume that will be redacted
  • Helps understand storage and processing impact
  • Important for performance planning

Performance Implications:

  • Processing overhead of the transform chain
  • Filter complexity impact
  • Expected latency increase
  • Throughput considerations

Security Considerations:

  • What type of PII is being protected
  • Compliance requirements (GDPR, HIPAA, PCI DSS)
  • Risk level if not applied
  • Security benefit assessment

Accepting Recommendations

Accepting a recommendation creates a DLP rule or adds transform chains to an existing rule. You can accept recommendations individually, in bulk, or selectively.

Accepting Individual Recommendations

To accept a single recommendation:

  1. Open Recommendation: Click on the recommendation to view details
  2. Review Details: Review pattern type, location, and impact
  3. Click "Apply" or "Accept": Click the action button
  4. Select Target Rule:
    • Choose existing DLP rule to add to, or
    • Create a new DLP rule
  5. Configure Rule (if creating new):
    • Enter rule ID (must be unique)
    • Enter rule name
    • Optionally add description
  6. Handle Protected Rules:
    • If target rule is protected, you'll be prompted
    • Can clone protected rule to create editable copy
    • Cannot modify protected rules directly
  7. Confirm: Confirm the acceptance
  8. Validation: System validates the recommendation and creates the rule

Confirmation and Validation:

  • System checks for duplicate chain IDs
  • Validates transform chain structure
  • Verifies rule configuration
  • Shows success or error messages

Accepting All Recommendations

To accept all recommendations at once:

  1. Select "Accept All": Click the "Accept All" button in the recommendations interface
  2. Select Target Rule: Choose existing rule or create new one
  3. Review Conflicts: System checks for:
    • Duplicate chain IDs
    • Conflicting configurations
    • Rule compatibility
  4. Handle Duplicates:
    • System warns about duplicate chain IDs
    • Can skip duplicates or rename chains
    • Option to merge similar chains
  5. Confirm Bulk Acceptance: Review summary and confirm
  6. Review Bulk Changes: After acceptance, review what was created

Bulk Acceptance Best Practices:

  • Review recommendations first to avoid accepting false positives
  • Consider creating a new rule for bulk acceptance
  • Test the rule in staging before production
  • Monitor performance after bulk acceptance

Selecting Specific Recommendations

For selective acceptance:

  1. Multi-Select Interface:

    • Use checkboxes to select multiple recommendations
    • Select all on current page
    • Select by pattern type
    • Select by filter criteria
  2. Selective Acceptance Strategy:

    • Group by pattern type (accept all emails together)
    • Group by location (accept all from same endpoint)
    • Accept incrementally (test in batches)
  3. Recommendation Grouping:

    • Group by service/endpoint
    • Group by data type
    • Group by recommendation type
    • Custom grouping strategies
  4. Batch Operations:

    • Accept selected recommendations
    • Ignore selected recommendations
    • Export selected recommendations
    • Preview selected recommendations

Ignoring Recommendations

Not all recommendations need to be accepted. Some may be false positives, low-value, or already handled by other rules.

When to Ignore Recommendations

False Positives:

  • Data that matches pattern but isn't actually PII
  • Test data that looks like PII but isn't sensitive
  • Example: UUIDs that aren't user identifiers

Low-Value Recommendations:

  • Recommendations affecting very few RRPairs
  • Recommendations for non-sensitive data types

Already Handled:

  • PII already protected by other DLP rules
  • Data handled by application-level encryption
  • Data in non-sensitive contexts

Performance Considerations:

  • Recommendations that would significantly impact performance
  • Overly broad filters that would process too much traffic
  • Redundant recommendations that duplicate existing rules

Ignoring Individual Recommendations

To ignore a single recommendation:

  1. Open Recommendation: Click on the recommendation
  2. Click "Ignore": Click the ignore button
  3. Confirmation Dialog:
    • System may ask for confirmation
    • Option to provide ignore reason
    • Option to ignore similar recommendations
  4. Ignore Reasons (optional):
    • False positive
    • Already handled
    • Low value
    • Performance concern
    • Custom reason
  5. Immediate vs. Confirmed Ignore:
    • Immediate: Recommendation is ignored immediately
    • Confirmed: Requires confirmation dialog
    • Can be configured in settings

Ignore Action Process:

  • Recommendation is marked as ignored
  • Removed from active recommendations list
  • Metadata is preserved for future reference
  • Can be restored later if needed

Managing Ignored Recommendations

Viewing Ignored Recommendations:

  1. Navigate to Ignored Tab: Click on the "Ignored" tab to view ignored recommendations
  2. Status Column: Status column shows "Ignored"
  3. Ignore Reason: View reason if provided
  4. Ignore Date: See when recommendation was ignored

Restoring Ignored Recommendations:

  1. Navigate to Ignored Tab: Go to the "Ignored" tab
  2. Find Recommendation: Locate the ignored recommendation
  3. Click "Restore": Click restore button
  4. Confirmation: Confirm restoration
  5. Re-activation: Recommendation becomes active again

Bulk Restore Operations:

  • Select multiple ignored recommendations
  • Restore all selected
  • Restore by pattern type
  • Restore by ignore reason

Ignore History:

  • View history of ignored recommendations
  • See ignore reasons
  • Track when recommendations were ignored/restored
  • Audit trail for compliance

Restoring Ignored Recommendations

If you ignored a recommendation by mistake or circumstances changed:

Unignore Process:

  1. Navigate to Ignored Tab: Go to the "Ignored" tab
  2. Select Recommendation: Click on the ignored recommendation
  3. Click "Restore" or "Unignore": Click the restore button
  4. Confirmation: Confirm that you want to restore
  5. Re-activation: Recommendation becomes active again

Re-evaluating Ignored Recommendations:

  • Review ignored recommendations periodically
  • Check if ignore reasons still apply
  • Consider restoring if circumstances changed
  • Use ignore history to track patterns

Re-applying Recommendations:

  • Restored recommendations can be accepted normally
  • Follow standard acceptance workflow
  • May need to review if snapshot has changed
  • System may re-analyze if snapshot was updated

Recommendation Preview and Validation

Before accepting recommendations, you can preview their impact and validate the transform chains.

Previewing Recommendation Impact:

  1. Preview Button: Click preview on a recommendation
  2. Impact Summary: See estimated impact:
    • Number of RRPairs affected
    • Data volume impact
    • Performance estimate
  3. Sample Transformations: See before/after examples
  4. Affected Locations: List of JSONPath locations
  5. Pattern Matches: Examples of matched patterns

Validating Transform Chains:

  1. Chain Validation: System validates transform chain structure
  2. Syntax Checking: Validates filter expressions, JSONPath, etc.
  3. Compatibility Check: Ensures compatibility with target rule
  4. Error Detection: Identifies potential issues before acceptance

Testing Recommendations:

  1. Test Mode: Some recommendations can be tested before acceptance
  2. Dry Run: Preview transformations without applying
  3. Sample Data: Test on sample RRPairs
  4. Validation Results: See validation results and warnings

Rollback Considerations:

  • Understand how to remove recommendations if needed
  • Know how to modify rules after acceptance
  • Have a plan for reverting changes
  • Consider testing in staging first

Next Steps

After understanding recommendations: