Forum Discussion
Cypress808
Jul 19, 2023, Copper Contributor
How to exclude emails CC'd to our company from DLP alerting?
We are successfully using email DLP within Purview but are trying to reduce false positives. One way we could do this is by having an exception in the policy logic that would block the alerting if an...
miller34mike
Jul 24, 2023, Microsoft
Thank you for posting your question here. Are you looking for any specific content in the messages or simply if it’s sent to an external address?
You cannot build the logic of “if external, but not if external AND internal” unfortunately.
- Cypress808, Jul 24, 2023, Copper Contributor
miller34mike
Thanks for the reply. That's unfortunate. We could certainly filter out a lot of false positives if we had this ability. We are looking for sensitive content, both built-in dictionaries and our own. It seems like we have some work to do to cut down the noise then.
- Mbulelo, Jul 26, 2023, Copper Contributor
Hi Cypress808 - this one was definitely a head scratcher, and an interesting question. The DLP Policies at their core will help with finding content that is defined, and actions that will protect that content.
The exclusion of mails should be used for the most part to provide more business use case allowances, for example, if the recipients are internal or known to receive said email with defined content.
Reduction of False Positives can be done in a multitude of ways, one of them being EDM for example, but to look at the domain from a recipient level, we need to make sure that we understand that the DLP violations have 2 main ways to view alerts; one is if the data is being shared internally, "Shared from Microsoft 365 within my organisation", and externally, "Shared from Microsoft 365 outside". Stating that, in your policy, would be a good start.