Exchange Unified DLP Moderation Logging and Reporting


Hello, 

We are using Exchange Online Unified DLP Moderation features (the DLP Action "Forward the message for approval to specific approvers") and have not been able to find any reporting capabilities for this feature. Also, the approve / deny actions don't seem to show up in message traces -- at least as far as I can tell. (If this is documented somewhere please point this out to me.)
I'd like to be able to report on the total number of messages that entered the moderation workflow, how many were approved, denied, and timed out (the approver took no action). I'd also like the ability to capture a reason for the approval or denial action. 
Anyone? Is any of this partially possible?
Brian Clark

3 Replies
Not sure what exactly you mean about "moderation", there is no such functionality in DLP. Do you perhaps mean the override? Or just plain regular moderation for user mailboxes/DLs?

Reporting-wise, Alerts should be your primary source, DLP-wise. You can also use the Activity explorer in the Compliance center: https://compliance.microsoft.com/datalossprevention?viewid=activitiesexplorer
The Unified audit log will contain all the events corresponding to actions taken by the user and/or any approver involved, and there are a few other bits you can extract from the old SCC: https://protection.office.com/reportv2?id=DlpAllPolicyMatches&pivot=Source

@Vasil Michev 
Thanks for your response. The "moderation" feature we are using is the DLP Action "Forward the message for approval to specific approvers". See attached DLP approval workflow screenshot to see how this option looks in my tenant. 
The term "moderation" comes from the "ExModerate" Rule Action that is shown in the DLP event Activity Details screen in the Data Loss Prevention Activities Explorer. See attached DLP exmoderate screenshot to see how this looks in my tenant. 
As you can see from the Activity Details, you are unable to see the result of the ExModerate Rule Action. Did the approver approve or deny the message? I cannot see that in the Activity Details.
I have also looked in my DLP Alerts and have not been able to find out the approval/denial action. 
Any other ideas on where I can get this information?
Thanks,

Brian
Uh, totally forgot there are Exchange-specific actions in Unified DLP, and I just played with them a few weeks ago. In any case, the best way to find the info is by checking the message trace. "SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}" is the arbitration mailbox responsible for moderation requests, and the subject of the message will reveal whether a given request was approved or denied.

Getting the actual reply is a bit trickier, as it gets automatically purged once it hits the system mailbox. So your only options there are eDiscovery/Search-Mailbox. Or maybe configure a transport rule to automatically BCC someone on moderation requests, so you can keep track.
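The message-trace approach from the reply above, worked into a report script. This is an added example written for this page, not code from the thread or from Microsoft. It assumes an Exchange Online PowerShell session (Connect-ExchangeOnline), that the arbitration mailbox's SMTP address follows the `SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}@<tenant>.onmicrosoft.com` pattern (tenant-specific; the placeholder below is an assumption), and that the moderation messages carry the "Approval requested:", "Approve:" and "Reject:" subject prefixes (an assumption the thread does not confirm; adjust the patterns to what your own trace shows). Requests and decisions are matched on the original subject, which is a heuristic: two moderated messages with the same subject in the same window will collide.

```powershell
# Added example (not from the thread): count DLP "forward for approval" outcomes from message trace.
# Assumptions: the arbitration mailbox address, the subject prefixes, and subject-based matching.
param(
    # Assumption: replace with the arbitration mailbox address seen in your own message trace.
    [string]$ArbitrationMailbox = 'SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}@contoso.onmicrosoft.com',
    [datetime]$StartDate = (Get-Date).AddDays(-7),
    [datetime]$EndDate   = (Get-Date)
)

# Requires the ExchangeOnlineManagement module; run Connect-ExchangeOnline first.
# Get-MessageTrace only reaches back 10 days; use Start-HistoricalSearch for older windows.

function Get-AllTraceRows {
    # Page through Get-MessageTrace (5000 rows per page is the cmdlet's maximum).
    param([hashtable]$Filter)
    $page = 1
    do {
        $rows = @(Get-MessageTrace @Filter -PageSize 5000 -Page $page)
        $rows
        $page++
    } while ($rows.Count -eq 5000)
}

function Get-OriginalSubject {
    # Strip the moderation prefix so requests and decisions can be matched (assumed prefixes).
    param([string]$Subject)
    return ($Subject -replace '^(Approval requested|Approve|Reject):\s*', '').Trim()
}

$window = @{ StartDate = $StartDate; EndDate = $EndDate }

# Approval requests leave the arbitration mailbox toward the approver(s): one trace row per approver.
$requests = Get-AllTraceRows -Filter ($window + @{ SenderAddress = $ArbitrationMailbox }) |
    Where-Object { $_.Subject -like 'Approval requested:*' }

# Approve/Reject decisions travel from the approver back to the arbitration mailbox.
# The decision body is purged on arrival, but the trace row (and its subject) still exists.
$decisions = Get-AllTraceRows -Filter ($window + @{ RecipientAddress = $ArbitrationMailbox }) |
    Where-Object { $_.Subject -like 'Approve:*' -or $_.Subject -like 'Reject:*' }

# First decision wins: moderation is resolved by whichever approver responds first.
$decided = @{}
foreach ($d in ($decisions | Sort-Object Received)) {
    $key = Get-OriginalSubject $d.Subject
    if (-not $decided.ContainsKey($key)) {
        $decided[$key] = if ($d.Subject -like 'Approve:*') { 'Approved' } else { 'Rejected' }
    }
}

# One report row per moderated message (group the per-approver rows by MessageId).
$report = foreach ($grp in ($requests | Group-Object MessageId)) {
    $first = $grp.Group[0]
    $key   = Get-OriginalSubject $first.Subject
    [pscustomobject]@{
        Received  = $first.Received
        Approvers = ($grp.Group.RecipientAddress -join ';')
        Subject   = $key
        # 'NoDecision' covers both expired requests and ones still pending at $EndDate;
        # the trace alone cannot distinguish the two.
        Outcome   = if ($decided.ContainsKey($key)) { $decided[$key] } else { 'NoDecision' }
    }
}

# Totals per outcome, then the per-message detail.
$report | Group-Object Outcome | Select-Object Name, Count
$report | Sort-Object Received | Format-Table Received, Outcome, Approvers, Subject -AutoSize
```

The script gives counts of requests, approvals, rejections and undecided requests, which answers the first half of the original question; it cannot recover the approver's stated reason, since that lives only in the reply body that the arbitration mailbox discards. For the reason text, the transport-rule BCC idea from the reply above, or an eDiscovery search, is still needed.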