Cypress808
Copper Contributor
Jul 19, 2023

How to exclude emails CC'd to our company from DLP alerting?

We are successfully using email DLP within Purview but are trying to reduce false positives. One way we could do this is by having an exception in the policy logic that would block the alerting if any of the recipients of the email are within our own domain (ie., if one or more company employees are in the To, CC, or BCC fields). I have already tried using the NOT logic and specified our domain, but this only applies if sent just to that one email address. How can I eliminate alerting on email that also contains our own company employees, such as an email sent to John AT outsidecompany.com AND Mike AT mycompany.com?


Thanks

  • Cypress808 


    Thank you for posting your question here. Are you looking for any specific content in the messages or simply if it’s sent to an external address?


    You cannot build the logic of “if external, but not if external AND internal”, unfortunately.

    • 
      Cypress808
      Copper Contributor

      miller34mike 
      Thanks for the reply. That's unfortunate. We could certainly filter out a lot of false positives if we had this ability. We are looking for sensitive content, both built in dictionaries and our own. It seems like we have some work to do to cut down the noise then. 

      • 
        Mbulelo
        Copper Contributor
        Hi Cypress808 - this one was definitely a head scratcher, and an interesting question. The DLP policies, at their core, will help with finding content that is defined, and with actions that will protect that content.

        The exclusion of mails should be used, for the most part, to provide more business use case allowances, for example, if the recipients are internal or known to receive said email with defined content.

        Reduction of false positives can be done in a multitude of ways, one of them being EDM, for example, but to look at the domain from a recipient level, we need to make sure that we understand that the DLP violations have 2 main ways to view alerts: one is if the data is being shared internally ("Shared from Microsoft 365 within my organisation") and the other externally ("Shared from Microsoft 365 outside"). Stating that, in your policy, would be a good start.