Forum Discussion
mikerowlandlondon
Jun 11, 2018Brass Contributor
Overrides and false positives in DLP policy end user experience
Ok so a user gets a policy applied to his/her document for let's say PCI compliance.
On the policy tip we give the user the option to override with a business justification or to report as a false positive.
If they click the "report" button in the policy tip where does that go? where do I as an admin go to review those and presumably take some kind of action on that report? allow and reclassify or keep the classification and inform the user.
I'd expect to see something in the S&C reports but I can't see a thing. I can view my overrides report and view where a user has overridden a classification but nothing anywhere else that lets me interact with any reported "cases"
- No I'm not able to; I don't think you can.
If someone does put down it's a false positive and it's not, I usually go and speak to the individual or email them. There's no way that I know of to reclassify it.
I also have alerts turned on to me when people do it so when I get the email, it shows the override reason and false positive answers. If anyone puts anything that we don't agree with as being an acceptable answer, then we raise this with them/their line manager.
Should be in the DLP reports as detailed here: https://support.office.com/en-us/article/view-the-reports-for-data-loss-prevention-41eb4324-c513-4fa5-91c8-8fbd8aaba83b
Are you saying you don't see the events, or the DLP reports altogether?
- mikerowlandlondonBrass Contributor
Found it ( I think) - im missing DLP Insights. I have the DLP report but I'm not seeing the warning triangles / insight icon.
The insights are fairly new addition, I don't have them in my tenant either.