Forum Discussion
kengab
Jul 20, 2021, Copper Contributor
O365 DLP Policy Setup
I set up a custom DLP policy for US PII data that generates incident reports if sensitive information is present in the email. Is there a configuration where, if an email is encrypted, it is treated as an exception to the rule and does not trigger the report?
The idea is if an email message is encrypted, it will not generate an incident report.
Current setup:
Rule consists of:
- if message contains sensitive information and shared outside organization
- except if message type is encrypted
- stop processing additional DLP policies and rules if there's a match for this rule.
But it appears the exception is not working.
Note: Testing the "Encrypt only" feature.
Thanks,
Kennie
- jrodriguezAP (Copper Contributor): I'm in the exact same spot and confirm the rule exception is not working in my environment, either. Setting the "message type is" to another option (tested with meeting invites) does work, so the rule logic itself operates; it just doesn't detect encrypted messages as one would expect.
- dgs6466 (Copper Contributor): Upvote, same.
- jrodriguezAP (Copper Contributor):
- dgs6466 (Copper Contributor): I tried that. Didn't work. What did work is creating a blank rule at position zero which identifies encrypted messages and does nothing to them. The "except" for encrypted or protected messages doesn't work.
- jrodriguezAP (Copper Contributor): Ah, gotcha. Can't say I tested the except within a rule. I designed my policies similar to how you're describing: I have a first-order policy with however many rules in there as positive finds, bypassing any other DLP if triggered, then actual DLP handling in a separate policy afterwards.
Out of curiosity, are you using DLP controls via Labels or Outlook Message Encryption (say a Transport rule, for example)? I'm stuck with the latter until I can migrate us to Labels, and I suspect that's part of the issue with detecting protected messages.
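The workaround dgs6466 describes (a rule ahead of the detection rule that matches encrypted or protected mail and stops further processing, instead of an "except if" on the detection rule itself) can be scripted in Security & Compliance PowerShell. This is an added example, not code from the thread or from Microsoft: the policy and rule names and the report mailbox are placeholders, the SSN sensitive-information type is one of the built-in US PII types, and the cmdlet parameter names are as I recall them from the ExchangeOnlineManagement docs, so confirm them with Get-Help before running.

```powershell
# Added example (not from the thread). Assumes the ExchangeOnlineManagement module
# and rights to manage DLP in Security & Compliance PowerShell.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$policy = 'US PII - Email'   # placeholder policy name
New-DlpCompliancePolicy -Name $policy -ExchangeLocation All -Mode Enable `
    -Comment 'Custom US PII policy; encrypted mail is passed through by the first rule'

# Rule at priority 0 (evaluated first): match encrypted/protected messages,
# take no action on them, and stop processing so the report rule never sees them.
# This is the "blank rule at position zero" described in the thread.
New-DlpComplianceRule -Name 'Passthrough - encrypted mail' -Policy $policy -Priority 0 `
    -MessageTypeMatches Encrypted, PermissionControlled `
    -StopPolicyProcessing $true

# Rule at priority 1: the detection rule the original post describes.
New-DlpComplianceRule -Name 'US PII shared externally' -Policy $policy -Priority 1 `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' }
    ) `
    -AccessScope NotInOrganization `
    -GenerateIncidentReport 'dlp-reports@contoso.example' `
    -StopPolicyProcessing $true

# Verify ordering: the passthrough rule must have the lower Priority number
# (higher precedence) than the detection rule, or the report still fires.
Get-DlpComplianceRule -Policy $policy | Sort-Object Priority |
    Format-Table Priority, Name, MessageTypeMatches, StopPolicyProcessing, Disabled
```

The thread reports that "Encrypt only" mail was not recognised by the message-type exception, so after creating the rules send a test message with each encryption method you use and check which rule it matched in the DLP reports before relying on the passthrough.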