cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Microsoft Security Tech Accelerator
Dec 06 2023, 07:00 AM - 12:00 PM (PST)
Microsoft Tech Community
Find out more

Exchange DLP detection is not working

BaselFawal
Brass Contributor

‎May 03 2023 06:51 AM - edited ‎May 05 2023 05:32 AM

‎May 03 2023 06:51 AM - edited ‎May 05 2023 05:32 AM

Exchange DLP detection is not working

I have a customer that has "Microsoft 365 E5 Information Protection and Governance" Add-on license, they also have the M365 E3 license.

 

We have setup DLP policies in Exchange to detect Credit card numbers, (policy has no actions, no alerts or incident) we just need to see the DLP matches, nothing is showing in Activity explorer or in DLP matches report after many tries.

Also we have another policy to detect in Teams but also nothing is showing in Activity explorer

 

The same policy works fine in another tenant and I could see the detections in the Activity explorer but it has the Full E5.

 

What might be the issue that DLP policies are no showing any activities or detections.

Note: the same policy is working for SharePoint DLP detections

1,802 Views
0 Likes
8 Replies
Reply
8 Replies
IsmKay

‎May 05 2023 02:57 AM - edited ‎May 05 2023 03:04 AM

‎May 05 2023 02:57 AM - edited ‎May 05 2023 03:04 AM

Re: No DLP detection in Activity Explorer or in DLP matches reports

Hi @BaselFawal,

 

There could be several reasons for this. Be sure that DLP policies are correctly configured (number of instances) and enabled from Compliance center only. In addition, confirm that the correct content sources are selected. If you are scanning SPO or OneDrive, this could take time after activating the policy. Finally, test the content if it is detectable directly from the SIT or Classifier that you are using in your DLP rule.

 

Thanks!

 

0 Likes
Reply
BaselFawal

‎May 05 2023 05:30 AM

‎May 05 2023 05:30 AM

Re: No DLP detection in Activity Explorer or in DLP matches reports

Hi @IsmKay
Actually we discovered that DLP is working for SharePoint, we have set up a DLP policy has the three locations, Exchange, SharePoint and Teams, the DLP detections are working For SharePoint, documents uploaded etc.., not for Exchange emails

There is no detection in Activity explorer for Exchange email send and received that contains the same sensitive info as it is one policy.

So now Exchange DLP is not working all mailboxes are migrated to Exchange online
0 Likes
Reply
IsmKay

‎May 05 2023 06:07 AM

‎May 05 2023 06:07 AM

Re: No DLP detection in Activity Explorer or in DLP matches reports

Hi @BaselFawal 

 

If you've created DLP policies in the Exchange admin center, those policies will continue to work side by side with any policies for email that you create in the Compliance portal. But note that rules created in the Exchange admin center take precedence. All Exchange mail flow rules are processed first, and then the DLP rules from the Compliance portal are processed.

It means:

  • Messages that are blocked by Exchange mail flow rules won't get scanned by DLP rules created in the Compliance portal.
  • Messages that are quarantined by Exchange mail flow rules or any other filters run before DLP won't be scanned by DLP.
  • If an Exchange mail flow rule modifies a message in a way that causes it to match a DLP policy in the Compliance portal, such as adding external users, then the DLP rules will detect it and enforce the policy as needed.

Also note that Exchange mail flow rules that use the "stop processing" action don't affect the processing of DLP rules in the Compliance portal - they'll still be processed.

 

https://learn.microsoft.com/en-us/microsoft-365/compliance/how-dlp-works-between-admin-centers?view=...

 

Thanks!

0 Likes
Reply
BaselFawal

‎May 10 2023 09:58 AM

‎May 10 2023 09:58 AM

Re: Exchange DLP detection is not working

Hello the issue has been resolved by opening a ticket with Microsoft to fix something in the backend, also we had to recreate the policies, after that we could see the DLP detection in Exchange and Teams.
0 Likes
Reply
tshinkle1

‎Sep 14 2023 12:29 PM

‎Sep 14 2023 12:29 PM

Re: Exchange DLP detection is not working

@BaselFawal What was the fix in the backend? Our tenant isn't detecting SSNs in attachments to emails using notifications but can detect them in the body or subject. Not sure if this is related? Thx

0 Likes
Reply
BaselFawal

‎Sep 19 2023 10:29 AM

‎Sep 19 2023 10:29 AM

Re: Exchange DLP detection is not working

Hi tshinkle1, it should detect in both the attachment and message body,
you better open a ticket with Microsoft
Just wondering if you have tested the policy for other locations, like SharePoint, I mean uploading a document with SSN in SharePoint site, it should be visible in activity explorer in the DLP.
0 Likes
Reply
Avisheck

‎Sep 29 2023 02:27 AM

‎Sep 29 2023 02:27 AM

Re: Exchange DLP detection is not working

@BaselFawal 
I tried creating EP and Exchange policy with same SIT, but the exchange one is not working whereas the EP one is detecting as expected.

 

Kindly suggest the workaround, I already had a case raised with MS but yet to get a reply.

0 Likes
Reply
kburx1122

‎Nov 09 2023 01:07 PM

‎Nov 09 2023 01:07 PM

Re: Exchange DLP detection is not working

we are experiencing this same issue as well. dropping the file in the SIT works, however the entire email will not flag. @Avisheck 

0 Likes
Reply