cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Exchange Unified DLP Moderation Logging and Reporting

gc-bclark
Copper Contributor

‎Jun 04 2021 09:56 AM - edited ‎Jun 08 2021 06:43 AM

‎Jun 04 2021 09:56 AM - edited ‎Jun 08 2021 06:43 AM

Exchange Unified DLP Moderation Logging and Reporting

Hello, 

We are using Exchange Online Unified DLP Moderation features (the DLP Action "Forward the message for approval to specific approvers") and have not been able to find any reporting capabilities for this feature. Also, the approval / deny actions don't seem to show up in message traces -- at least as far as I can tell. (If this is documented somewhere please point this out to me.)

 

I'd like to be able to report on the total number of messages that entered the moderation workflow, how many were approved, denied, and timed out (the approver took no action). I'd also like the ability to capture a reason for the approval or denial action. 

 

Anyone? Is any of this partially possible?

 

Brian Clark

Labels:
2,003 Views
0 Likes
3 Replies
Reply
3 Replies
Vasil Michev

‎Jun 04 2021 11:29 PM

‎Jun 04 2021 11:29 PM

Re: Exchange Unified DLP Moderation Logging and Reporting

Not sure what exactly you mean about "moderation", there is no such functionality in DLP. Do you perhaps mean the override? Or just plain regular moderation for user mailboxes/DLs?

Reporting wise, Alerts should be your primary source, DLP-wise. You can also use the Activity explorer in the Compliance center: https://compliance.microsoft.com/datalossprevention?viewid=activitiesexplorer
The Unified audit log will contain all the events corresponding to actions taken by the user and/or any approver involved, and there are few other bits you can extract from the old SCC: https://protection.office.com/reportv2?id=DlpAllPolicyMatches&pivot=Source
0 Likes
Reply
gc-bclark

‎Jun 07 2021 12:30 PM

‎Jun 07 2021 12:30 PM

Re: Exchange Unified DLP Moderation Logging and Reporting

@Vasil Michev 
Thanks for your response. The "moderation" feature we are using is the DLP Action "Forward the message for approval to specific approvers". See attached DLP approval workflow screenshot to see how this option looks in my tenant. 

 

The term "moderation" comes from the "ExModerate" Rule Action that is shown in the DLP event Activity Details screen in the Data Loss Prevention Activities Explorer. See attached DLP exmoderate screenshot to see how this looks in my tenant. 

 

As you can see from the Activity Details, you are unable to see the result of the ExModerate Rule Action. Did the approver approve or deny the message? I cannot see that in the Activity Details.

 

I have also looked in my DLP Alerts and have not been able to find out the approval/denial action. 

 

Any other ideas on where I can get this information?

 

Thanks,

Brian

 

 

Preview file
59 KB
Preview file
47 KB
0 Likes
Reply
Vasil Michev

‎Jun 08 2021 12:21 AM

‎Jun 08 2021 12:21 AM

Re: Exchange Unified DLP Moderation Logging and Reporting

Uh, totally forgot there are Exchange-specific actions in Unified DLP, and I just played with them few weeks ago. In any case, the best way to find the info is by checking the message trace. "SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}" is the arbitration mailbox responsible for moderation requests, and the subject of the message will rely whether a given request was approved or denied.

Getting the actual reply is a bit trickier, as it gets automatically purged once it hits the system mailbox. So your only options there are eDiscovery/Search-Mailbox. Or maybe configure a transport rule to automatically BCC someone on moderation requests, so you can keep a track.
1 Like
Reply