Sep 02 2022 06:22 AM
There are 3 important parts of a DLP policy. First is the DLP policy itself. The second is the rules. Lastly, is the sensitive info types. We are going to take these backward.
The Sensitive info type is the content that is being looked for. It can be a keyword, for example: "credit card number" or "cc", or it can be a regular expression, for example, "\d{3}-\d{5}-\d{5}", which tells Microsoft to look for 3 digits, a dash (-), 5 digits, a dash (-), and then 5 digits. There are also built-in functions that Microsoft has provided. Microsoft has provided several sensitive info types to help you get started.
Next, is the Rule. Rules combine the sensitive info types and what happens when you find it. For example, you can create a rule that searches for the sensitive info type or credit card information, and when it's found, it blocks it from being sent outside the organization. Or you can create a rule that searches for passport ID numbers and notifies the sender and admins that the content is being sent. A Rule can contain multiple sensitive info types but the actions that are applied when the content is found must be the same.
Finally is the DLP policy. The DLP policy says "where to search for" and what rules to apply to that location. For example, I can create a DLP policy that searches all Exchange emails for a rule that searches for credit card information and blocks it from going outside the organization. Or I can create a DLP policy that has multiple rules in it. For example, I can create a DLP policy that searches all of OneDrive. Then have 1 rule that looks for and blocks any social security numbers from being sent outside the company. And another rule that searches for credit card numbers and allows the content to be sent but notifies admins that it's being sent.
In short, a sensitive info type is "what to search for". Rules say "When content contains these sensitive info types apply these actions". DLP policies define what rules are applied to what locations.
Preventing accidental and malicious data loss with DLP policies