I can define a role in DLP to allow incidents from specific users or business units to be handled by different people, but there can only be one Response Rule per policy so I am limited in how to respond to incidents for those groups. The only options listed under the Response Rule's Conditions are:
Endpoint Location
Endpoint Device
Incident Type
Incident Match Count
Protocol or Endpoint Monitoring
Severity
I would like to add options for "Business Unit", "User Groups", and "Sender/Recipient Patterns" and allow multiple response rules based on those options. This would allow me to send an email notification to a specific admin when they need to review an incident, without sending the email to all DLP admins.