DLP Alert Received, but no report.

%3CLINGO-SUB%20id%3D%22lingo-sub-1988518%22%20slang%3D%22en-US%22%3EDLP%20Alert%20Received%2C%20but%20no%20report.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1988518%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20received%20the%20following%20alert%2C%20but%20I%20am%20unable%20to%20locate%20the%20report%20in%20Compliance%20Centre.%26nbsp%3B%20Can%20anyone%20give%20me%20guidance%20on%20where%20to%20look%20specifically%3F%26nbsp%3B%20I%20only%20have%20default%20policies%20applied%2C%20but%20would%20like%20to%20look%20into%20this%20alert%20in%20more%20detail%20to%20understand%20what%20is%20happening%20and%20check%20it's%20legitimate.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMany%20thanks%2C%20Pete%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EA%20match%20of%20one%20or%20more%20of%20your%20organization%E2%80%99s%20policy%20rules%20has%20been%20detected.%3C%2FSPAN%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CSPAN%3EReport%20Id%3A%20xxxxxxx-0906-4c2e-887b-85cd0e68e117%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%3EPerson%20who%20last%20modified%20document%3A%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%3ESeverity%3A%20High%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%3EFalse%20positive%3A%20No%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%3EOverride%3A%20No%3C%2FSPAN%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3CSPAN%3ECondition%20matched%3A%20External%20recipients%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%3ECondition%20matched%3A%20Contains%20sensitive%20information%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1988518%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EReporting%20Portal%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2357310%22%20slang%3D%22en-US%22%3ERe%3A%20DLP%20Alert%20Received%2C%20but%20no%20report.%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2357310%22%20slang%3D%22en-US%22%3EI%20had%20to%20run%20message%20between%20that%20period%20and%20found%20postmaster%40domain.com%20sending%20alert%20to%20user%20who%20send%20the%20emails%20.%20Its%20the%20same%20postmaster%20email%20which%20send%20report.%20Its%20lame%20way%20to%20find.%3CBR%20%2F%3E%3CBR%20%2F%3EOther%20methods%20are%20audit%20logs%20search%20and%20ediscovery%20-%20didnt%20try%20though.%3C%2FLINGO-BODY%3E
Occasional Visitor

Hi,

 

I have received the following alert, but I am unable to locate the report in Compliance Centre.  Can anyone give me guidance on where to look specifically?  I only have default policies applied, but would like to look into this alert in more detail to understand what is happening and check it's legitimate.

 

Many thanks, Pete

 

A match of one or more of your organization’s policy rules has been detected.

Report Id: xxxxxxx-0906-4c2e-887b-85cd0e68e117
Person who last modified document:
Severity: High
False positive: No
Override: No

Condition matched: External recipients
Condition matched: Contains sensitive information

1 Reply

I had to run message message trace between that period and found postmaster@domain.com sending alert to user who send the emails . Its the same postmaster email which send report. Its lame way to find.

Other methods are audit logs search and ediscovery - didnt try though.