Forum Discussion
Overrides and false positives in DLP policy end user experience
- Jun 19, 2018
No, I'm not able to; I don't think you can.
If someone does put down it's a false positive and it's not, I usually go and speak to the individual or email them. There's no way that I know of to reclassify it.
I also have alerts turned on to me when people do it so when I get the email, it shows the override reason and false positive answers. If anyone puts anything that we don't agree with as being an acceptable answer, then we raise this with them/their line manager.
That's the email for the policy match - right, I do that already, but that doesn't send a notification for the override and the justification the user put in. I thought you were alerted via email that a person used the override button and entered a justification. So far, I've only seen that appear in the override report, which I can schedule to send me weekly. So besides that - there is nothing that tells you a user used the override, right?
Sorry Karen for any confusion, I wasn't very clear.
I've set up the DLP policy to alert me whenever someone does something that is against the policy. When they click the override, it will appear in that email, not in a separate email.
I've shared a redacted email of what that looks like but there is no separate email I'm afraid; just the main DLP policy incident report which can tell you what the employee did. Other than this and the report, I don't know of anything else to inform admins someone has clicked "override".
- Simon Backwell, Dec 13, 2018, Copper Contributor
I've had incident reports for OneDrive and SharePoint to flag files being uploaded (in the end they've been dummy data) but looking back at them, they don't show any override/justification - just the details of the file and who did it.
- Karen Zbierski, Dec 12, 2018, Copper Contributor
Ok, so I see now that you see the override justification in an incident report when it's applied to Exchange, but I've got a DLP policy (with incident reports enabled) applied just to my OneDrive and am using the override from the OneDrive client - and I am actually not getting any incident reports when it's in OneDrive. I have CAS and set up a CAS alert policy - so I see it's triggering those, so I know it's happening - but now that I'm specifically looking for incident reports - I don't get them from OneDrive.
Do you get incident report emails like you showed that you got from an Exchange hit, but from a OneDrive match?