Cross-Post From Security/Compliance - "Customizing DLP" Feature (MC111748)

John Benak

Cross-posting from the Security/Compliance Community as I'm hoping to get some answers ASAP:  

I'm trying to roll out Office Message Encryption (OME) in EOL (E5 org).  Having a major problem in my testing with the ICD 9/10 Sensitive Info types catching WAY too much (i.e. the word 'system'), not to mention the inability to combine and use logical (AND/OR) operators to be able to focus my Transport Rules.  I also need to be able to easily tune the lexicon and/or Sensitive Info types in response to false positives, org needs, etc.

 

I ran across a 'New Feature' announcement on the O365 Admin portal just now, which seems to indicate that some of the exact needs I'm working on with Premier Support are now (as of Jul 31) available.

 

New features: Office 365 Data Loss Prevention MC111748 July 31

 

Included features of note:

  • Grouping sensitive types & configurable logical operators (AND/OR)
  • Changes to the UX and cmdlet although old cmdlet will still work. This allows you to express much richer, more specific sets of matching requirements within your policies.
  • Unique matches for entities and keywords – Policy results will now only consider unique matches; duplicated data will not be double-counted (e.g., the same SSN found on each page of your taxes will only count as one unique SSN), reducing unexpected policy matches.
  • Enhanced HIPAA protection in DLP and retention - More advanced and accurate detection of HIPAA content built-in to Office 365 DLP and Preservation policies. You can now accurately detect and protect your organization’s HIPAA-related content, and you can customize the matching behavior to meet your organization’s specific requirements.

 

There's also the 'Create A Keyword Dictionary' document that may be helpful, but I'm having problems with some of the commands:

https://support.office.com/en-us/article/Create-a-keyword-dictionary-c8a95d1b-c3b6-4613-98ab-0331d18...

 

Ideally, I'd like to export the ICD 9/10 dictionaries, make some edits, and then import them as NEW custom keyword dictionaries for use in a custom info type and (ideally) DLP policy.  I also need to be able to create and have an ongoing management process for my dictionaries, which the above KB indicates is possible.

 

Is this actually available across all tenants? If not, is there a way to check and get it pushed to ours ASAP?

 

Finally, is this only doable in the Sec/Compliance center? Is there any way to link things up with the Transport Rules I need to create to protect PII in Exchange Online?  It appears that the EOL and SCC DLP environments can't even see each other and thus things set up in one can't be used in the other.  I know there is a plan to move everything into SCC, but right now I need this in EOL for usage in OME.

 

Alternatively, can I create these same dictionaries, custom info types, and policies in Exchange with EOL PowerShell?

 

Thanks!