Overrides and false positives in DLP policy end user experience
- Jun 19, 2018
No I'm not able to; I don't think you can.
If someone does put down it's a false positive and it's not, I usually go and speak to the individual or email them. There's no way that I know of to reclassify it.
I also have alerts turned on to me when people do it so when I get the email, it shows the override reason and false positive answers. If anyone puts anything that we don't agree with as being an acceptable answer, then we raise this with them/their line manager.
Thanks Simon!
I get that report but I can't interact with it? Are you able to?
As my point above I can see someone has reported something as a false positive but there seems to be no way for an admin to say "ah ok, that's fine, I'll reclassify it and away you go".
Thanks for your help!
- Simon Backwell, Dec 13, 2018, Copper Contributor
I've had incident reports for OneDrive and SharePoint to flag files being uploaded (in the end they've been dummy data) but looking back at them, they don't show any override/justification - just the details of the file and who did it.
- Karen Zbierski, Dec 12, 2018, Copper Contributor
Ok, so I see now that you see the override justification in an incident report when it's applied to Exchange, but I've got a DLP policy (with incident reports enabled) applied just to my OneDrive and am using the override from the OneDrive client - and I am actually not getting any incident reports when it's in OneDrive. I have CAS and set up a CAS alert policy - so I see it's triggering those, so I know it's happening - but now that I'm specifically looking for incident reports - I don't get them from OneDrive.
Do you get incident report emails like you showed that you got from an Exchange hit, but from a OneDrive match?
- Simon Backwell, Dec 12, 2018, Copper Contributor
Sorry Karen for any confusion, I wasn't very clear.
I've set up the DLP policy to alert me whenever someone does something that is against the policy. When they click the override, it will appear in that email, not in a separate email.
I've shared a redacted email of what that looks like but there is no separate email I'm afraid; just the main DLP policy incident report which can tell you what the employee did. Other than this and the report, I don't know of anything else to inform admins someone has clicked "override".
- Karen Zbierski, Dec 11, 2018, Copper Contributor
That's the email for the policy match - right, I do that already, but that doesn't send a notification for the override and the justification the user put in. I thought you were alerted via email that a person used the override button and entered a justification. So far, I've only seen that appear in the override report which I can schedule to send me weekly. So besides that - there is nothing that tells you a user used the override, right?
- Simon Backwell, Dec 11, 2018, Copper Contributor
Hi Karen
In the Policy, under Editing Policy Settings, you can create advanced settings for your policy. One of the options is the following:
You can then specify the email address you want reports to and what should be contained in those reports.
Hope this helps
Simon
- Karen Zbierski, Dec 11, 2018, Copper Contributor
Simon - you said "I also have alerts turned on to me when people do it so when I get the email, it shows the override reason and false positive answers. If anyone puts anything that we don't agree with as being an acceptable answer, then we raise this with them/their line manager."
How did you configure DLP to get an email when someone overrides? I only see sending a weekly report to an email from the override chart - is that what you are talking about?
- Simon Backwell, Jun 19, 2018, Copper Contributor
Sorry it wasn't the answer you were looking for. I agree, it's not the best system and would be great to reclassify the false positives. I have it set up for NI numbers so would be great to reclassify dummy NI numbers so they get excluded, as that's where most of my false positives come from.
Glad I could help (a bit).
- mikerowlandlondon, Jun 19, 2018, Brass Contributor
I think that's the conclusion I'm coming to.
There is no way to actually do what I'm expecting - which I think would make total sense to be able to interact and deal with these incidents rather than having to go find a user and have a chat with them.
I have it set up to alert me and it sounds like that's the best I can hope for.
That's all I needed - no one was able to tell me if I was missing anything or not but you've got the same experience so sounds like it is what it is.
Thanks so much for your help!