Forum Discussion
New "Customizing DLP" Feature (MC111748) - Where is it?
After more digging and testing different scenarios I don't believe that the SCC is quite ready for this and the integration with the EOL DLP is not yet complete. I'm hoping it will be soon, though.
However, for now the solution that I've come up with is to leverage the 'Exceptions' predicates of the Exchange Transport Rules to manage my exclusions, and it seems to be working. I've added an exception for both the body/subject and any attachments and my false positive noise has been reduced. This feature doesn't seem to be available in SCC. I've added the relevant rules to an EOL DLP Policy.
I have a CSV/TXT file (no header) where I maintain the exceptions list and simply add it to a variable and then run the PS to modify the rule as I need to. It works for both add/removals.
We'll have a process/policy to get approvals added to the exclusion list.
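# Load the exclusion list (one word or phrase per line) and apply it to both exception predicates
$keywords = Get-Content .\DLPExclusions.csv
Set-TransportRule "HIPAA PHI Encryption Trigger" -ExceptIfSubjectOrBodyContainsWords $keywords -ExceptIfAttachmentContainsWords $keywords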
Thanks
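The exclusion-list workflow from the post above with a review step in front of it, as an added example that is not part of the original post. The function names `Get-ExclusionList` and `Compare-ExclusionList`, the 4-character minimum length and the sample data are assumptions made for illustration.

```powershell
# Added example: review exclusion changes before they reach the transport rule.
function Get-ExclusionList {
    param([string[]]$Lines)
    # Trim whitespace, drop blank lines, de-duplicate (case-insensitive).
    @($Lines | ForEach-Object { $_.Trim() } | Where-Object { $_ } | Sort-Object -Unique)
}

function Compare-ExclusionList {
    param([string[]]$Approved, [string[]]$Configured, [int]$MinLength = 4)
    [pscustomobject]@{
        # In the approved file but not yet on the rule.
        ToAdd    = @($Approved   | Where-Object { $Configured -notcontains $_ })
        # On the rule but absent from the approved file (unapproved drift).
        ToRemove = @($Configured | Where-Object { $Approved -notcontains $_ })
        # Short entries exempt far more mail than intended; flag them for review.
        TooShort = @($Approved   | Where-Object { $_.Length -lt $MinLength })
    }
}

# Constructed sample data so the comparison can be tried without a tenant.
$sampleFile = ' Lab Report Template ', '', 'wellness newsletter', 'Wellness Newsletter', 'ID'
$sampleRule = 'wellness newsletter', 'benefits flyer'
$approved   = Get-ExclusionList $sampleFile
Compare-ExclusionList -Approved $approved -Configured $sampleRule | Format-List

# Against the real rule (requires an Exchange Online PowerShell session).
if (Get-Command Get-TransportRule -ErrorAction SilentlyContinue) {
    $ruleName = 'HIPAA PHI Encryption Trigger'   # rule name used in the post
    $approved = Get-ExclusionList (Get-Content .\DLPExclusions.csv)
    $rule     = Get-TransportRule $ruleName
    Compare-ExclusionList $approved $rule.ExceptIfSubjectOrBodyContainsWords | Format-List
    # -WhatIf previews the change; remove it once the diff has been approved.
    Set-TransportRule $ruleName -ExceptIfSubjectOrBodyContainsWords $approved `
        -ExceptIfAttachmentContainsWords $approved -WhatIf
}
```

Anything listed under `ToRemove` is an exception present on the rule that the approved file does not contain, which is the case the approval process is meant to catch.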
Hi All,
Though this may be a delayed response, I bumped into this post as I was trying out similar feature testing.
1. As per my understanding and the testing done so far, SCC can be used at a tenant level, which has only two options "Inside the Organization" or "Outside the Organization", which is a real pain to do any customization.
2. EAC - DLP still provides a wide range of options.
I've managed to create a dictionary for keywords as per the below article.
https://support.office.com/en-us/article/Create-a-keyword-dictionary-c8a95d1b-c3b6-4613-98ab-0331d1872cf3
I have also got this imported as a new custom sensitive information type. I've created a new policy in the SCC and added this sensitive type, however it does not detect anything. Then I disabled the policy and set up a policy in the EAC-DLP; here as well it does not detect any of the keywords that are part of the keywords dictionary. Following is my XML for the dictionary, which was imported. I've tried to have the part of the IdMatchRef included in the SCC DLP policy, however there was no luck. Also, I've noticed that the SCC policy only has an AND condition with OR; there is no OR alone, and AND is the mandatory one.
<?xml version="1.0" encoding="UTF-16"?>
<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
  <RulePack id="2b9c18af-de85-4a91-bb03-098c8abfe39a">
    <Version build="1" major="0" minor="0" revision="1"/>
    <Publisher id="bb7706f6-6f86-4159-a172-bb46a3320694"/>
    <Details defaultLangCode="en-us">
      <LocalizedDetails langcode="en-us">
        <PublisherName>Prabhakar</PublisherName>
        <Name>Custom Dictionary</Name>
        <Description>This rule package contains the custom dictionary words</Description>
      </LocalizedDetails>
    </Details>
  </RulePack>
  <Rules>
    <!-- Sensitive information dictionary -->
    <Entity id="d333c6c2-5f4c-4131-9433-db3ef72a89e8" patternsProximity="300" recommendedConfidence="85">
      <Pattern confidenceLevel="85">
        <IdMatch idRef="f10cd68c-f699-4199-867e-d35be5edbf56" />
      </Pattern>
    </Entity>
    <LocalizedStrings>
      <Resource idRef="d333c6c2-5f4c-4131-9433-db3ef72a89e8">
        <Name default="true" langcode="en-us">Keywords Dictionary</Name>
        <Description default="true" langcode="en-us">Detects test keywords</Description>
      </Resource>
    </LocalizedStrings>
  </Rules>
</RulePackage>