Using PowerShell to create DLP Policy Rules


Can anyone point me to more in-depth information than what is presented in the New-DLPComplianceRule documentation on TechNet? I'm trying to create some complex policies using PowerShell. I've got it working for a simple Policy with multiple rules using an "OR" operator. But if you switch the rules to use an "And" operator or create Groups of Rules with either an "and" or an "or" operator I can't seem to get the syntax of the -ContentContainsSensitiveInformation parameter right. To do multiple rules you need to do an array of hashlists. That works. To do multiple rules with an "And" that property will end up with an array of hashlists where the hashlist is itself an array of hashlists. Add in Groups and you get three levels. But when I do that nesting I get an error saying "Property 'sensitivetypes, labels' value is not expected to be null." The sensitivetypes property is one of the lower level hashlists. But I don't see a labels value that can be set. Anyone have documentation or a working example of a New-DLPCompliancePolicyRule?

1 Reply
I was able to find the solution for my issue. Essentially there are two formats, a simple one and a complex one with groups and operators. The simple looks like this from a high level (and is documented in TechNet for the PowerShell command). It is an array of hashlist values and looks like this:

    -ContentContainsSensitiveInformation @(@{Name={GUID}; Mincount="1"; Maxcount="9"; Minconfidence="75"; Maxconfidence="100"},@{another hashlist of values})

This only covers the case where there are one or more Sensitive information types connected by an "OR" operator (which is the default). The more complex format that contains one or more groups of Sensitive Information types is three layers of Arrays of hashlists. It looks like this:

    -ContentContainsSensitiveInformation @(@{operator="And"; groups= @(
        @{operator="Or"; name="GroupName"; sensitivetypes= @(@{Same Hashlist contents as Sample1},@{Same Hashlist contents as Sample1})},
        @{operator="Or"; name="Group Name"; sensitivetypes= @(@{Same Hashlist contents as Sample1},@{Same Hashlist contents as Sample1})}
    )})

You must use this format even if you only want one group with two SIs connected by the operator "And". I haven't found any documentation on this at all, but it does work.
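The two formats described in the reply above, built as real nested hashtables with a local shape check. This is an added example, not code from the original poster or from Microsoft. The GUIDs, group names, rule name and policy name are constructed placeholders, and `Test-GroupedSitShape` is a hypothetical helper, not part of any module.

```powershell
# Constructed placeholder GUIDs; replace with the IDs of your own sensitive information types.
$sitA = @{ Name = '00000000-0000-0000-0000-00000000000a'; Mincount = '1'; Maxcount = '9'; Minconfidence = '75'; Maxconfidence = '100' }
$sitB = @{ Name = '00000000-0000-0000-0000-00000000000b'; Mincount = '1'; Maxcount = '9'; Minconfidence = '75'; Maxconfidence = '100' }

# Simple format: a flat array of hashtables, joined by the default "Or".
$simple = @($sitA, $sitB)

# Grouped format, three layers: array > @{operator; groups} > array of groups > sensitivetypes array.
$grouped = @(
    @{
        operator = 'And'
        groups   = @(
            @{ operator = 'Or'; name = 'GroupOne'; sensitivetypes = @($sitA) },
            @{ operator = 'Or'; name = 'GroupTwo'; sensitivetypes = @($sitB) }
        )
    }
)

# Hypothetical local pre-check: lists shape problems before anything is sent to the service.
function Test-GroupedSitShape {
    param([object[]]$Value)
    foreach ($top in $Value) {
        if ($top -isnot [hashtable] -or -not $top.ContainsKey('groups')) {
            'top-level element must be a hashtable with a "groups" key'
            continue
        }
        foreach ($g in @($top['groups'])) {
            if ($g -isnot [hashtable]) { 'each group must be a hashtable'; continue }
            $types = $g['sensitivetypes']
            if ($null -eq $types -or @($types).Count -eq 0) {
                "group '$($g['name'])' has no sensitivetypes array"
            }
        }
    }
}

$problems = @(Test-GroupedSitShape -Value $grouped)
if ($problems.Count -gt 0) { throw ($problems -join '; ') }

# Render the nesting so a flattened or missing layer is visible before the rule is created.
ConvertTo-Json -InputObject $grouped -Depth 6

# Rule and policy names below are constructed; run in a connected compliance PowerShell session.
# New-DlpComplianceRule -Name 'Example rule' -Policy 'Example policy' -ContentContainsSensitiveInformation $grouped
```

Passing `$simple` to the helper reports the missing `groups` layer, which is the difference between the two formats.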