Microsoft Tech Community

UNIFIED DLP and limits using ETR based moderation


Hi MS 365 DLP experts,

I am working on a tactical project to meet some FINRA requirements for my customer prior to year-end. This quick project is a DLP implementation to protect against messaging-based content leaving the organization unexpectedly. Afterwards, in January, I will deliver a full Security & Compliance project to enable MS 365 E5 capabilities for them.

 

Based upon the results of my testing and many recently updated Microsoft documentation snippets, it is very clear that DLP for Messaging is still under development, and hopefully we should continue to expect more changes. In the last few months Unified DLP has picked up support for a larger number of Sensitive Info Types, and for the messaging workload some missing legacy Exchange ETR actions like “Moderator Approval” have appeared.

 

Unfortunately my current DLP solution using UNIFIED appears to have a foot in both worlds, which results in some limitations.

 

  1. Will UNIFIED DLP for Exchange replace the Moderation function with a full solution under Compliance?
  2. Will UNIFIED DLP provide RBAC-based data administration limited by specific policy in the future? Similar to what you can do with Communication Compliance policies?

 

UNIFIED DLP Gaps so far:

 

  • While the divisional level DLP policies are created in the https://compliance.microsoft.com/datalossprevention the rule sets we defined to meet the customer requirements depend on the Moderation “Forward the message for approval to specific approvers” action that is currently provided via Exchange system Arbitration mailboxes.
    • The divisional personnel assigned to be moderation approvers as pseudo “Data Reviewers” (not RBAC based) will be opening a dedicated mailbox under DELEGATION named like “Division DLP Review”. In this mailbox, opened via delegation from the user's standard account, they will be able to view Incident Report messages, and view and act upon “moderation approval messages”.
      • The “Approval” action does not allow the approver to provide justification comments. Neither does “Reject”. There is a “Reject and Edit response” that would allow comments to be sent back to the original Sender when rejected.
        • All Approvals \ Rejects should allow comments to be REQUIRED
      • Logging \ Auditing the message approval \ rejection:
        • Via the new Exchange Message Trace UI, currently rationalizing the data related to a specific alert would require multiple Message Traces to be able to review a complete message transport “Send\DLP Inspect\Moderation Approve\Reject or Deliver” log record. It would all be manual.
        • Pulling \ Pushing all “Message Tracking” logs into a SIEM with customized reports built for DLP tracing would be of much value in the future while legacy Exchange infrastructure is used.
  • Unified Alerts, approvals \ rejections and reports
    • DLP logging is not real time (yet). I assume this is because of the current dependency on legacy Exchange.
    • The new Compliance Alerts (Preview) console has methods for managing and assigning the UNIFIED alert. It appears to have little value for the current scenario.
    • UNIFIED does not have its own moderation engine or quarantine location today and does not integrate with the ETR mailbox based moderation mechanisms.
    • In the new Microsoft 365 Compliance portal and the existing Office 365 Security & Compliance portals we have DLP charts, alerts and reports. But not much is usable here for the departmental “Data Reviewers” roles today under the ETR \ UNIFIED legacy policy as described above.

-Stu

 

1 Reply
I want to add my interest in the Logging \ Auditing the message approval \ rejection issue. Being able to provide basic reporting is essential, such as on how many total messages entered the approval workflow, how many were approved, how many were denied, and on how many timed out (approver took no action).

How do we get a feature request in for this?

Brian Clark
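The manual per-message trace correlation Stu describes under “Logging \ Auditing”, and the entered/approved/denied/timed-out counts Brian asks for, can both be produced offline from an exported message tracking log. The script below is an added example written for this thread, not code from either poster or from Microsoft: it groups trace rows by message-id and tallies moderation outcomes. The CSV column subset, addresses, timestamps and message IDs are constructed; the event IDs are the moderation events the Exchange Server message tracking log uses (INITMESSAGECREATED, MODERATORAPPROVE, MODERATORREJECT, MODERATIONEXPIRE), so check them against your own export before relying on the counts.

```python
import csv
from io import StringIO

# Constructed sample: a message tracking log export reduced to the columns this
# report needs. Message IDs, addresses and timestamps are made up; the event IDs
# follow the Exchange Server message tracking log vocabulary for moderation.
SAMPLE_TRACE = """\
date-time,event-id,message-id,sender-address,recipient-address
2023-11-01T10:00:01Z,RECEIVE,<m1@contoso.example>,alice@contoso.example,partner@external.example
2023-11-01T10:00:02Z,INITMESSAGECREATED,<m1@contoso.example>,alice@contoso.example,divdlpreview@contoso.example
2023-11-01T10:45:00Z,MODERATORAPPROVE,<m1@contoso.example>,alice@contoso.example,partner@external.example
2023-11-01T10:45:05Z,DELIVER,<m1@contoso.example>,alice@contoso.example,partner@external.example
2023-11-01T11:00:01Z,RECEIVE,<m2@contoso.example>,bob@contoso.example,broker@external.example
2023-11-01T11:00:02Z,INITMESSAGECREATED,<m2@contoso.example>,bob@contoso.example,divdlpreview@contoso.example
2023-11-01T11:30:00Z,MODERATORREJECT,<m2@contoso.example>,bob@contoso.example,broker@external.example
2023-11-01T12:00:01Z,RECEIVE,<m3@contoso.example>,carol@contoso.example,client@external.example
2023-11-01T12:00:02Z,INITMESSAGECREATED,<m3@contoso.example>,carol@contoso.example,divdlpreview@contoso.example
2023-11-03T12:00:02Z,MODERATIONEXPIRE,<m3@contoso.example>,carol@contoso.example,client@external.example
2023-11-01T13:00:01Z,RECEIVE,<m4@contoso.example>,dan@contoso.example,vendor@external.example
2023-11-01T13:00:02Z,INITMESSAGECREATED,<m4@contoso.example>,dan@contoso.example,divdlpreview@contoso.example
2023-11-01T14:00:01Z,RECEIVE,<m5@contoso.example>,erin@contoso.example,colleague@contoso.example
2023-11-01T14:00:02Z,DELIVER,<m5@contoso.example>,erin@contoso.example,colleague@contoso.example
"""

# Terminal moderation events and the report bucket each one lands in.
OUTCOME_EVENTS = {
    "MODERATORAPPROVE": "approved",
    "MODERATORREJECT": "rejected",
    "MODERATIONEXPIRE": "timed_out",
}

def message_timelines(trace_csv):
    """Group rows by message-id and order them by time, so one message's
    Receive -> moderation -> Approve/Reject/Expire -> Deliver path reads in one place."""
    timelines = {}
    for row in csv.DictReader(StringIO(trace_csv)):
        timelines.setdefault(row["message-id"], []).append((row["date-time"], row["event-id"]))
    return {mid: [ev for _, ev in sorted(events)] for mid, events in timelines.items()}

def moderation_report(trace_csv):
    """Count messages that entered the approval workflow and how each one ended.
    INITMESSAGECREATED with no outcome event yet means the approver has not acted."""
    report = {"entered": 0, "approved": 0, "rejected": 0, "timed_out": 0, "pending": 0}
    for events in message_timelines(trace_csv).values():
        if "INITMESSAGECREATED" not in events:
            continue  # ordinary delivery, never sent to a moderator
        report["entered"] += 1
        outcome = next((OUTCOME_EVENTS[ev] for ev in events if ev in OUTCOME_EVENTS), "pending")
        report[outcome] += 1
    return report
```

Pointing `moderation_report` at a real export gives the four counts Brian lists, and `message_timelines` is the per-message record that otherwise takes several Message Traces to assemble.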