This blog is Part 1 of our multi-part series on managing Endpoint DLP Rules using PowerShell.
In Part 1, we demonstrate how to use PowerShell to create Endpoint DLP rules with the AdvancedRule, AlertProperties and EndpointDlpRestrictions parameters. In Part 2, we will cover the same for EndpointDlpBrowserRestrictions.
Step 1:
Create a text file containing the rule condition (the JSON that is later passed to the AdvancedRule parameter) as per your requirements and save it.
Here is a sample for reference:
{
  "Version": "1.0",
  "Condition": {
    "Operator": "And",
    "SubConditions": [
      {
        "ConditionName": "ContentContainsSensitiveInformation",
        "Value": [
          {
            "Groups": [
              {
                "Name": "Default",
                "Operator": "Or",
                "Sensitivetypes": [
                  {
                    "Name": "Credit Card Number",
                    "Mincount": 1,
                    "Maxcount": 5,
                    "Confidencelevel": "Low"
                  },
                  {
                    "Name": "U.S. Bank Account Number",
                    "Mincount": 5,
                    "Confidencelevel": "Medium"
                  }
                ]
              }
            ],
            "Operator": "And"
          }
        ]
      }
    ]
  }
}
In the above example, we are using the condition Content contains sensitive information with the SITs Credit Card Number and U.S. Bank Account Number. You can add or remove SITs and conditions as needed, together with the desired operator. You can also change the confidence level to Low/Medium/High as per the requirements and update the Min/Max count.
We have saved it as advancedrule.txt in our example.
Note: If you do not specify the Mincount/Maxcount attribute, the value defaults to Any. In our example we have not specified Maxcount for the U.S. Bank Account Number, so it takes the default value, i.e. Any.
Here is another example:
{
  "Version": "1.0",
  "Condition": {
    "Operator": "And",
    "SubConditions": [
      {
        "ConditionName": "ContentContainsSensitiveInformation",
        "Value": [
          {
            "Groups": [
              {
                "Name": "Default",
                "Operator": "Or",
                "Labels": [
                  {
                    "Name": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
                    "Id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
                    "Type": "Sensitivity"
                  }
                ]
              }
            ],
            "Operator": "And"
          }
        ]
      },
      {
        "ConditionName": "ContentFileTypeMatches",
        "Value": [
          "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
        ]
      }
    ]
  }
}
In this example we are using the conditions Content contains sensitivity label (with a specific label) and Content matches a specific file type. Make sure to replace the placeholder IDs with the appropriate values before saving the file.
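A mistake in this file only surfaces when New-DlpComplianceRule rejects it, so it pays to check the JSON locally first. The following function is an added example, not code from the original post: it parses an AdvancedRule file like the two samples above, lists what the rule will match on, and reports the problems we see most often (placeholder GUIDs left in, confidence levels outside Low/Medium/High, Maxcount lower than Mincount, non-GUID label or file type IDs). The function name Test-AdvancedRuleFile and the path are this example's own assumptions.

```powershell
# Added example (not part of the original post): validate an AdvancedRule JSON
# file before passing it to New-DlpComplianceRule. The function name and the
# checks are assumptions of this example; the file layout follows the samples above.
function Test-AdvancedRuleFile {
    param([Parameter(Mandatory)][string]$Path)

    $problems = [System.Collections.Generic.List[string]]::new()
    $summary  = [System.Collections.Generic.List[string]]::new()
    $raw = Get-Content -Path $Path -Raw
    try   { $rule = $raw | ConvertFrom-Json }
    catch { throw "$Path is not valid JSON: $($_.Exception.Message)" }

    if ($rule.Version -ne '1.0') {
        $problems.Add("Version should be '1.0', found '$($rule.Version)'")
    }
    if ($rule.Condition.Operator -notin 'And', 'Or') {
        $problems.Add('Condition.Operator must be And or Or')
    }
    # A template GUID left in place is the most common reason a rule is rejected.
    if ($raw -match 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx') {
        $problems.Add('Placeholder GUID xxxxxxxx-... is still present; replace it with the real ID')
    }

    $guidPattern = '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'

    foreach ($sub in @($rule.Condition.SubConditions)) {
        switch ($sub.ConditionName) {
            'ContentContainsSensitiveInformation' {
                foreach ($group in @($sub.Value.Groups)) {
                    foreach ($sit in @($group.Sensitivetypes)) {
                        # Missing Maxcount means Any, as the post explains.
                        $max = if ($null -eq $sit.Maxcount) { 'Any' } else { $sit.Maxcount }
                        $summary.Add("SIT '$($sit.Name)': Mincount=$($sit.Mincount) Maxcount=$max Confidencelevel=$($sit.Confidencelevel)")
                        if ($sit.Confidencelevel -notin 'Low', 'Medium', 'High') {
                            $problems.Add("SIT '$($sit.Name)': Confidencelevel must be Low, Medium or High")
                        }
                        if ($null -ne $sit.Maxcount -and $sit.Maxcount -lt $sit.Mincount) {
                            $problems.Add("SIT '$($sit.Name)': Maxcount is lower than Mincount")
                        }
                    }
                    foreach ($label in @($group.Labels)) {
                        $summary.Add("$($label.Type) label $($label.Id)")
                        if ($label.Id -notmatch $guidPattern) {
                            $problems.Add("Label '$($label.Name)': Id is not a GUID")
                        }
                    }
                }
            }
            'ContentFileTypeMatches' {
                foreach ($id in @($sub.Value)) {
                    $summary.Add("File type $id")
                    if ($id -notmatch $guidPattern) {
                        $problems.Add("ContentFileTypeMatches: '$id' is not a GUID")
                    }
                }
            }
            default { $summary.Add("Condition '$($sub.ConditionName)' (not inspected by this check)") }
        }
    }

    [pscustomobject]@{
        Path     = $Path
        Summary  = $summary
        Problems = $problems
        IsValid  = ($problems.Count -eq 0)
    }
}

# Usage: show what the rule matches on and stop before creating the rule if the file is not clean.
$check = Test-AdvancedRuleFile -Path 'C:\temp\advancedrule.txt'
$check.Summary
if (-not $check.IsValid) {
    $check.Problems | Write-Warning
    throw 'Fix advancedrule.txt before creating the rule'
}
```

The check deliberately only inspects the two condition names used in this post and reports any other ConditionName as "not inspected" rather than rejecting it, since the AdvancedRule schema supports more conditions than the two shown here.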
Step 2:
Define the parameters for endpointDlpRestrictions or create a text file for complex restrictions.
Here is an example for a simple restriction:
$endpointDlpRestrictions = @(@{"Setting"="Print"; "Value"="Block"},@{"Setting"="RemovableMedia"; "Value"="Warn"})
In this case we are setting the Print action to Block and Copy to removable USB Device to Warn. We can configure the value to Block/Warn/Audit as per our requirements.
Here is an example of a text file with complex restrictions:
[
  {
    "defaultmessage": "none",
    "setting": "Print",
    "value": "Block",
    "appgroup": "none",
    "networkLocation": [
      {
        "priority": "1",
        "type": "vpn",
        "action": "Audit"
      }
    ],
    "printerGroup": [
      {
        "priority": "1",
        "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "action": "Audit"
      }
    ]
  },
  {
    "setting": "RequireBusinessJustification",
    "value": "Required"
  },
  {
    "setting": "RemovableMedia",
    "defaultmessage": "none",
    "value": "Warn",
    "appgroup": "none"
  },
  {
    "setting": "CloudEgress",
    "defaultmessage": "none",
    "cloudEgressGroup": [
      {
        "priority": "1",
        "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "action": "Audit"
      }
    ],
    "value": "Warn",
    "appgroup": "none"
  },
  {
    "setting": "PasteToBrowser",
    "defaultmessage": "none",
    "pasteSensitiveDomainsGroup": [
      {
        "priority": "1",
        "id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "action": "Audit"
      }
    ],
    "value": "Block",
    "appgroup": "none"
  },
  {
    "setting": "CopyPaste",
    "defaultmessage": "none",
    "value": "Warn",
    "appgroup": "none",
    "networkLocation": [
      {
        "priority": "1",
        "type": "corporateNetwork",
        "action": "Audit"
      }
    ]
  }
]
The above example sets the restrictions listed below. The actions and restrictions can be modified as per the requirements. We have saved it as endpointdlprestrictions.txt in our example.

Activity | Action | Network Restrictions | Group Restrictions
--- | --- | --- | ---
Print | Block | VPN is set to Audit | A custom Printer Group with Action as Audit. The group ID can be retrieved from the Endpoint DLP settings using PowerShell. Make sure to update the ID before saving the file.
Copy to Removable USB Device | Warn | | 
Upload to restricted cloud service domain | Warn | | A custom Sensitive service domain Group with Action as Audit. The group ID can be retrieved from the Endpoint DLP settings using PowerShell.
Paste to browser | Block | | A custom Sensitive service domain Group with Action as Audit. The group ID can be retrieved from the Endpoint DLP settings using PowerShell.
Copy to clipboard | Warn | CorporateNetwork is set to Audit |

The RequireBusinessJustification entry (value Required) is not an activity of its own: it makes the user enter a business justification when overriding one of the Warn actions above.
Step 3:
Define the parameters. The cmdlets below run in Security & Compliance PowerShell, so connect first with Connect-IPPSSession from the ExchangeOnlineManagement module:
# Define the parameters to read complex condition from the file we created in Step 1
$data = Get-Content -Path "C:\temp\advancedrule.txt" -ReadCount 0
$AdvancedRuleString = $data | Out-string
# Define the parameters for the DLP rule with Simple restriction
$ruleName = "Endpoint Rule - Restrict Financial Information Sharing Rule"
$PolicyName = "Endpoint Policy - Restrict Financial Information Sharing"
$endpointDlpRestrictions = @(@{"Setting"="Print"; "Value"="Block"},@{"Setting"="RemovableMedia"; "Value"="Block"})
$Notifyendpointuser = @{NotificationContent = "default:The sharing is blocked, please contact the helpdesk for more details" ; NotificationTitle = "default:Restricted"}
$alertProperties = @{AggregationType = "SimpleAggregation" ; VolumeThreshold = "5" ; AlertBy = "Tenant"; Threshold = "15"; TimeWindow = "60"}
Note: The notification content and title (the text after default: in $Notifyendpointuser) can be changed to whatever you want the end user to see. Similarly, the values in $alertProperties can be changed to meet different requirements.
Step 4
Create the DLP rule:
#Create the DLP rule
New-DlpComplianceRule -Name $ruleName -Policy $PolicyName -GenerateAlert admin@xxxx.onmicrosoft.com -ReportSeverityLevel "Medium" -Notifyendpointuser $Notifyendpointuser -EndpointDlpRestrictions $endpointDlpRestrictions -AlertProperties $alertProperties -AdvancedRule $AdvancedRuleString
Use the following instead if you want to create the DLP rule with the complex EDLP restrictions file from Step 2:
# Define the parameters to read complex condition from a file we created in Step 1
$data = Get-Content -Path "C:\temp\advancedrule.txt" -ReadCount 0
$AdvancedRuleString = $data | Out-string
# Define the parameters for the DLP rule with complex restrictions
$ruleName = "Endpoint Rule - Restrict Financial Information Sharing Rule"
$PolicyName = "Endpoint Policy - Restrict Financial Information Sharing"
$Notifyendpointuser = @{NotificationContent = "default:The sharing is blocked, please contact the helpdesk for more details" ; NotificationTitle = "default:Restricted"}
$alertProperties = @{AggregationType = "SimpleAggregation" ; VolumeThreshold = "5" ; AlertBy = "Tenant"; Threshold = "15"; TimeWindow = "60"}
# Create the DLP rule using the EndpointDlpRestrictions file we created in Step 2.
New-DlpComplianceRule -Name $ruleName -Policy $PolicyName `
    -GenerateAlert admin@xxxx.onmicrosoft.com `
    -ReportSeverityLevel "Medium" `
    -AlertProperties $alertProperties `
    -Notifyendpointuser $Notifyendpointuser `
    -AdvancedRule $AdvancedRuleString `
    -EndpointDlpRestrictions (Get-Content -Raw "C:\temp\endpointdlprestrictions.txt" | ConvertFrom-Json -AsHashtable)
Note: PowerShell 7 is a must for this to work. The -AsHashtable switch of ConvertFrom-Json, which turns the JSON array into the array of hashtables that the EndpointDlpRestrictions parameter expects, is not available in Windows PowerShell 5.1.
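Steps 2 to 4 together are one procedure, and the two places where it silently goes wrong are a restrictions file that still carries template values and a rule that is created against the wrong policy. The script below is an added example, not code from the original post: it validates the restrictions file (every action is Block/Warn/Audit, priorities within a group list are unique, every id is a real GUID), fails early if the policy does not exist, then creates the rule and reads it back. It assumes PowerShell 7, the ExchangeOnlineManagement module, the file paths and names used in this post, and that the policy already exists; the function name Test-EndpointDlpRestrictionsFile is this example's own.

```powershell
# Added example (not part of the original post): pre-flight checks around the
# New-DlpComplianceRule call from Step 4. Assumptions: PowerShell 7, the
# ExchangeOnlineManagement module is installed, the paths below, and that the
# policy named in $policyName already exists in the tenant.
$advancedRulePath = 'C:\temp\advancedrule.txt'
$restrictionsPath = 'C:\temp\endpointdlprestrictions.txt'
$policyName = 'Endpoint Policy - Restrict Financial Information Sharing'
$ruleName   = 'Endpoint Rule - Restrict Financial Information Sharing Rule'

# Checks the restrictions file from Step 2: every action is Block/Warn/Audit,
# priorities inside a group list are unique, and no template GUID is left in.
function Test-EndpointDlpRestrictionsFile {
    param([Parameter(Mandatory)][string]$Path)

    # Same conversion the post uses, so what we validate is what gets submitted.
    $items = @(Get-Content -Path $Path -Raw | ConvertFrom-Json -AsHashtable)
    $problems = [System.Collections.Generic.List[string]]::new()
    $guidPattern = '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'
    $actions = 'Block', 'Warn', 'Audit'

    foreach ($r in $items) {
        $setting = $r['setting']
        if (-not $setting) { $problems.Add('Entry without a "setting" key'); continue }
        # RequireBusinessJustification takes Required rather than an action.
        if ($setting -ne 'RequireBusinessJustification' -and $r['value'] -notin $actions) {
            $problems.Add("$($setting): value '$($r['value'])' is not one of $($actions -join '/')")
        }
        foreach ($key in 'networkLocation', 'printerGroup', 'cloudEgressGroup', 'pasteSensitiveDomainsGroup') {
            if ($null -eq $r[$key]) { continue }
            $seenPriority = @{}
            foreach ($entry in @($r[$key])) {
                if ($entry['action'] -notin $actions) {
                    $problems.Add("$($setting)/$($key): action '$($entry['action'])' is not one of $($actions -join '/')")
                }
                if ($seenPriority.ContainsKey([string]$entry['priority'])) {
                    $problems.Add("$($setting)/$($key): duplicate priority $($entry['priority'])")
                }
                $seenPriority[[string]$entry['priority']] = $true
                if ($null -ne $entry['id'] -and $entry['id'] -notmatch $guidPattern) {
                    $problems.Add("$($setting)/$($key): id '$($entry['id'])' is not a GUID (template placeholder left in?)")
                }
            }
        }
    }

    [pscustomobject]@{
        Path         = $Path
        Restrictions = $items
        Problems     = $problems
        IsValid      = ($problems.Count -eq 0)
    }
}

$check = Test-EndpointDlpRestrictionsFile -Path $restrictionsPath
if (-not $check.IsValid) {
    $check.Problems | Write-Warning
    throw 'Fix endpointdlprestrictions.txt before creating the rule'
}

# Security & Compliance PowerShell session (interactive sign-in).
Connect-IPPSSession

# The rule must attach to an existing policy; fail early with a clear message.
if (-not (Get-DlpCompliancePolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    throw "Policy '$policyName' not found; create it with New-DlpCompliancePolicy first"
}

$advancedRule = Get-Content -Path $advancedRulePath -Raw
New-DlpComplianceRule -Name $ruleName -Policy $policyName `
    -AdvancedRule $advancedRule `
    -EndpointDlpRestrictions $check.Restrictions `
    -NotifyEndpointUser @{ NotificationContent = 'default:The sharing is blocked, please contact the helpdesk for more details'; NotificationTitle = 'default:Restricted' } `
    -ReportSeverityLevel 'Medium'

# Read the rule back so the run ends with evidence that it exists and is enabled.
Get-DlpComplianceRule -Identity $ruleName | Select-Object Name, ParentPolicyName, Disabled
```

The validator reuses the ConvertFrom-Json -AsHashtable conversion from Step 4 and hands the same objects to New-DlpComplianceRule, so the file is parsed once and what was checked is exactly what is submitted. The final Get-DlpComplianceRule is the part to keep in any change script: a rule that was created disabled, or under a different policy than intended, is caught there rather than weeks later when an endpoint fails to enforce it.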