Security, Compliance, and Identity Blog
Creating Endpoint DLP Rules using PowerShell - Part 2

pri2agarwalz (Microsoft)
Nov 07, 2024

This blog is Part 2 of our multi-part series on managing Endpoint DLP Rules using PowerShell.

In Part 1, we demonstrated how to use PowerShell to create Endpoint DLP Rules with the AdvancedRule, AlertProperties and EndpointDlpRestrictions parameters. In this blog, we cover the same for EndpointDlpBrowserRestrictions.

Step 1:

Create a text file containing the condition that restricts browser access.

Here is a sample for reference:

{
  "Version": "1.0",
  "Condition": {
    "Operator": "And",
    "SubConditions": [
      {
        "ConditionName": "RestrictBrowserAccess",
        "Value": true
      }
    ]
  }
}

We have saved the file as advancedrule.txt in our example. 

Step 2:

Create a text file containing the Endpoint DLP browser restrictions.

Here is an example for a restriction:

[
  {
    "setting": "WebPagePrint",
    "defaultmessage": "none",
    "sitegroup": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "value": "Block"
  },
  {
    "setting": "WebPageCopyPaste",
    "defaultmessage": "none",
    "sitegroup": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "value": "Warn"
  },
  {
    "setting": "WebPageSaveToLocal",
    "defaultmessage": "none",
    "sitegroup": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "value": "Audit"
  },
  {
    "setting": "WebPagePrint",
    "defaultmessage": "none",
    "sitegroup": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "value": "Block"
  },
  {
    "setting": "WebPageCopyPaste",
    "defaultmessage": "none",
    "sitegroup": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "value": "Warn"
  },
  {
    "setting": "WebPageSaveToLocal",
    "defaultmessage": "none",
    "sitegroup": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "value": "Audit"
  }
]

The example above sets the Sensitive Site Restrictions listed in the table below: the first three entries apply to CustomSensitiveGroup1 and the last three to CustomSensitiveGroup2, so each entry's sitegroup holds the ID of the group it targets. The action and group can be changed as required; you can also add more groups or drop one of the two. We have saved the file as EndpointDlpbrowserRestrictions.txt in our example.

Note: Replace every SiteGroupID placeholder with the real group ID before saving the file.

 

| Activity | CustomSensitiveGroup1 Action | CustomSensitiveGroup2 Action |
|---|---|---|
| Print the site | Block | Block |
| Copy the data from the site | Warn | Warn |
| Save the site as local files (Save-As) | Audit | Audit |

Step 3:

Define the Parameters:

# Read the condition from the file we created in Step 1
$data = Get-Content -Path "C:\temp\advancedrule.txt" -ReadCount 0
$AdvancedRuleString = $data | Out-String

# Define the parameters for the DLP rule
$ruleName = "Endpoint Rule – Sensitive Site Restrictions"
$PolicyName = "Endpoint Policy - Sensitive Site Restrictions"
$alertProperties = @{AggregationType = "SimpleAggregation"; VolumeThreshold = "5"; AlertBy = "Tenant"; Threshold = "15"; TimeWindow = "60"}
$Notifyendpointuser = @{NotificationContent = "default:The sharing is blocked, please contact the helpdesk for more details"; NotificationTitle = "default:Restricted"}

The NotificationContent and NotificationTitle values can be changed to whatever notification you would like the user to see. Similarly, the values in AlertProperties can be changed to meet different requirements.

Step 4:

Create the DLP rule:

New-DlpComplianceRule -Name $ruleName -Policy $PolicyName `
    -GenerateAlert admin@xxxx.onmicrosoft.com -ReportSeverityLevel "Medium" `
    -NotifyEndpointUser $Notifyendpointuser -AlertProperties $alertProperties `
    -AdvancedRule $AdvancedRuleString `
    -EndpointDlpBrowserRestrictions (Get-Content -Raw "C:\temp\EndpointDlpbrowserRestrictions.txt" | ConvertFrom-Json -AsHashtable)

Note: PowerShell 7 is a must for this to work, because the ConvertFrom-Json -AsHashtable switch used above does not exist in Windows PowerShell 5.1.
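As an added pre-flight check (example code, not from the original post), the script below loads the two files from Steps 1 and 2 and stops before Step 4 if a sitegroup placeholder was never replaced with a GUID, a setting or action is outside the set used in the sample, the RestrictBrowserAccess condition is missing, or the same setting is listed twice for one group. The file paths and the setting/action names come from this post; that no other names are valid is an assumption made for the allow-list.

```powershell
#Requires -Version 7.0
# Pre-flight validation for the Step 1 and Step 2 files (added example, not the post's code).
# Allow-lists are the names the post's sample uses; the product may accept more (assumption).
$AdvancedRulePath = "C:\temp\advancedrule.txt"
$RestrictionsPath = "C:\temp\EndpointDlpbrowserRestrictions.txt"
$AllowedSettings  = @('WebPagePrint', 'WebPageCopyPaste', 'WebPageSaveToLocal')
$AllowedActions   = @('Block', 'Warn', 'Audit')
$GuidPattern      = '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'

function Test-AdvancedRuleFile {
    param([Parameter(Mandatory)][string]$Path)
    $rule = Get-Content -Raw $Path | ConvertFrom-Json -AsHashtable
    $subs = @($rule.Condition.SubConditions)
    $hit  = $subs | Where-Object { $_.ConditionName -eq 'RestrictBrowserAccess' -and $_.Value -eq $true }
    if (-not $hit) { return @("${Path}: no RestrictBrowserAccess=true sub-condition found") }
    return @()
}

function Test-BrowserRestrictionFile {
    param([Parameter(Mandatory)][string]$Path)
    $problems = [System.Collections.Generic.List[string]]::new()
    # -AsHashtable exists only in PowerShell 6+, hence the post's PowerShell 7 requirement
    $entries = @(Get-Content -Raw $Path | ConvertFrom-Json -AsHashtable)
    for ($i = 0; $i -lt $entries.Count; $i++) {
        $e = $entries[$i]
        foreach ($key in 'setting', 'defaultmessage', 'sitegroup', 'value') {
            if ($e.Keys -notcontains $key) { $problems.Add("Entry $i is missing '$key'") }
        }
        if ($e.setting -notin $AllowedSettings) { $problems.Add("Entry $i has unknown setting '$($e.setting)'") }
        if ($e.value   -notin $AllowedActions)  { $problems.Add("Entry $i has unknown action '$($e.value)'") }
        # Catches the xxxxxxxx-xxxx-... placeholder left over from the sample file
        if ($e.sitegroup -notmatch $GuidPattern) { $problems.Add("Entry $i sitegroup '$($e.sitegroup)' is not a GUID") }
    }
    # The same setting listed twice for one site group is ambiguous; flag it
    $entries | Group-Object -Property { "$($_.sitegroup)/$($_.setting)" } |
        Where-Object Count -gt 1 |
        ForEach-Object { $problems.Add("Duplicate setting for site group: $($_.Name)") }
    return $problems.ToArray()
}

$problems = @(Test-AdvancedRuleFile -Path $AdvancedRulePath) + @(Test-BrowserRestrictionFile -Path $RestrictionsPath)
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Fix the input files before running New-DlpComplianceRule"
}
Write-Host "Both files validated; safe to run Step 4."
```

Run it in the same PowerShell 7 session immediately before the New-DlpComplianceRule command in Step 4.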

Updated Nov 06, 2024