Forum Discussion
Incorrect alert information for DLP incidents being displayed
We have an *AND* statement within our DLP rules across the organization policy set where only one of the two conditions within the "AND" is firing and we're getting alerts that are not showing all the correct SID information or any correct part making these alerts unusable for DLP analysts to review. We worked with Microsoft team to confirm that the rules are in fact firing correctly but the data being seen in security console is not complete. Microsoft has the details received from Product Group team issue has been confirmed to be a Bug with reference #4810070. Anyone seeing this issue?
8 Replies
- HaraldRau, Iron Contributor
Paul_Doucette did you get any update on this issue? According to Microsoft support they have fixed the issue in all tenants as of October, but I haven't been able to confirm the fix.
To reproduce it, I set up two simplified rules designed to trigger when an email includes both Source code (trainable classifier) and Credit Card Numbers (SIT).
When sending an email containing these elements, both rules are indeed triggered. However, despite being a necessary condition for firing, Rule TEST_R10a, which uses an AND condition between condition groups, fails to return the trainable classifier in the Activity Explorer (and API), confirming your point of incomplete data in the explorer.
So, we are still working with support to get it resolved.
- HaraldRau, Iron Contributor
Paul_Doucette I have reported a similar issue here that seems to be related: "DLP rule match in activity explorer lacks info on detected trainable classifier" - Microsoft Community Hub
- Paul_Doucette, Copper Contributor
HaraldRau Thanks Harald, this is exactly what we are experiencing but with AND/OR statements. Yours is only with a single classifier?? That's crazy. Hopefully this can be resolved sooner than later.
When did you start seeing this? We have been seeing this issue since June.
- HaraldRau, Iron Contributor
Paul_Doucette The issue started on May 14th. Microsoft had reported an issue in the health portal with ID MP793009:
Affected services: Purview - Description: The impacted activities are Microsoft Entra group administration activities and user administration activities including, but not limited to, the following, Audit log searches, Data gathered from the Audit Management API, Audit based alerts, ...
It was reported to be fixed on May 16th: "We've fully reverted the offending service update and we're moving to begin replaying the affected data to remediate the residual impact."
However, the information about which SIT/TC actually triggered a DLP rule match event has been either missing or incomplete ever since.
- Jay_Appell, Copper Contributor
Paul_Doucette Would be interested how many customers have this issue and don't know about it. More importantly, relying on the information displayed.
- Vas_Stoev, Copper Contributor
It is also important to note that the condition before the "OR" statement is using a high threshold count so that it only triggers above 100 detections. The statement after the "OR" operator has a lower threshold, but it requires a dictionary SID match.
- Vas_Stoev, Copper Contributor
Microsoft also states that their DLP engines are working correctly; however, the issue is with displaying the data correctly in events/incidents. Paul_Doucette
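The cases described in this thread (an AND between condition groups, and an OR whose first group carries a count threshold) can be checked mechanically: compare what Activity Explorer or the API reports as matched against the rule's own logic, and flag events whose reported matches could not have fired the rule. This is an added example, not code from the thread or from Microsoft; the rule trees, the event records and the field names (`id`, `rule`, `detected`) are constructed and do not follow the real export schema.

```python
# Added example (not from this thread): audit exported DLP rule-match events
# against the rule logic, flagging events whose reported SIT/trainable-classifier
# matches could not have satisfied the rule (the incomplete-data symptom above).
# Rule trees, event records and field names are constructed for illustration.

# Rule tree: node = (operator, [children]); leaf = (classifier_name, min_count)
RULES = {
    # AND between condition groups: trainable classifier AND credit-card SIT
    "TEST_R10a": ("AND", [("Source code", 1), ("Credit Card Number", 1)]),
    # OR: high-count group, or a lower count that also needs a dictionary match
    "OR_THRESHOLD": ("OR", [
        ("Credit Card Number", 100),
        ("AND", [("Credit Card Number", 1), ("Dictionary SID", 1)]),
    ]),
}

def satisfied(rule, detected):
    """True if the reported classifier counts (name -> count) satisfy the rule."""
    head, tail = rule
    if isinstance(tail, list):                 # operator node
        combine = all if head == "AND" else any
        return combine(satisfied(child, detected) for child in tail)
    return detected.get(head, 0) >= tail       # leaf: count threshold

def unmet_leaves(rule, detected):
    """Leaf conditions whose reported count is below the required minimum."""
    head, tail = rule
    if isinstance(tail, list):
        return [leaf for child in tail for leaf in unmet_leaves(child, detected)]
    return [head] if detected.get(head, 0) < tail else []

def audit(events, rules=RULES):
    """Map event id -> unmet leaf names, for events that could not have fired."""
    return {
        ev["id"]: sorted(set(unmet_leaves(rules[ev["rule"]], ev["detected"])))
        for ev in events
        if not satisfied(rules[ev["rule"]], ev["detected"])
    }

# Constructed sample export: 'detected' is what the explorer/API reported
SAMPLE_EVENTS = [
    {"id": "ev-1", "rule": "TEST_R10a", "detected": {"Credit Card Number": 3}},
    {"id": "ev-2", "rule": "TEST_R10a", "detected": {"Credit Card Number": 3, "Source code": 1}},
    {"id": "ev-3", "rule": "OR_THRESHOLD", "detected": {"Credit Card Number": 5}},
    {"id": "ev-4", "rule": "OR_THRESHOLD", "detected": {"Credit Card Number": 120}},
]

if __name__ == "__main__":
    for ev_id, missing in audit(SAMPLE_EVENTS).items():
        print(f"{ev_id}: reported matches cannot satisfy the rule; missing {missing}")
```

Events that are flagged are the ones an analyst cannot triage from the console alone, since the rule fired on conditions the export never shows.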