Announcing support for custom sensitive information types in the Security & Compliance Center

Microsoft

Wesley Holley is a program manager on the Office 365 team.

 

Core to protecting your organization’s data is identifying which data is sensitive and creating policies to govern its use.  We include over 80 sensitive information types out of the box to detect commonly used data types in regions around the globe; however, some information is proprietary in nature and is specific to your organization.  For example, your organization may need to protect employee ID numbers or other data with unique characteristics.  To better help you meet your data protection needs, we’re pleased to announce that you can now create your own custom sensitive information types for use in your Security & Compliance Center policies.

[Screenshot: Sensitive Type View]

 

Where can I use custom sensitive types?

Previously only available for Exchange Online, this capability is now available across Exchange Online, SharePoint Online, OneDrive for Business, Outlook (2013+), OWA, Office Clients (ProPlus/2016), and supported mobile apps.  Now you can define the kinds of data you want to detect by creating your own sensitive types or modifying any of our out-of-box definitions.  Once defined in XML and uploaded to the Security & Compliance Center, your custom sensitive information types can be used in any of your DLP or Retention policies or eDiscovery queries, where we’ll automatically identify and protect your data across Office 365.  While managed in the Security & Compliance Center, custom sensitive types will still be available for use in Exchange Transport rules (ETRs) which are created in the Exchange Admin Center (EAC).

 

What kinds of data can I protect?

We provide a rich set of capabilities for you to detect your sensitive information, including regular expressions, keyword lists, and built-in functions, along with a robust framework in which to define your detection requirements.  To help you balance user productivity and risk of data exposure, we also allow you to create different versions of your sensitive types, varying in strictness, and trigger off them separately in your policy rules.  For example, a pattern alone might be a false positive, but if you’re risk averse, you may want to at least log the match or get a report when it is detected; however, if the pattern is found with other evidence like keywords or other patterns, you may want to take a stricter action such as encrypting the content.  We’ve designed this feature to give you the maximum flexibility possible.

 

What about my existing custom sensitive types in Exchange?
Any custom sensitive information types you’ve created in Exchange Online have been automatically migrated to the Security & Compliance Center.  Your existing policies or Exchange Transport Rules that use those custom sensitive types will continue to function normally.  Going forward you can manage all custom sensitive types in the Security & Compliance Center.
We’re excited to bring this powerful capability to the Security & Compliance Center and can’t wait for you to try it out! For more information, check out this article.

15 Replies
Hi Wesley, when is this expected to roll out? We have custom sensitive data in Exchange Online, but we don't yet see it in the Security and Compliance center.

Hi Dale,

 

This has already rolled out to all customers.  Like in Exchange, the feature is currently accessible via PowerShell.  Just connect to the Security & Compliance Center using remote PowerShell where you can use the New/Get/Set/Remove-DlpSensitiveInformationTypeRulePackage cmdlet to upload and manage your custom sensitive information types.  The structure of the XML has not changed from Exchange, just the cmdlet name.  Full instructions are in the article linked above.  Let me know if you have any trouble seeing or using the feature.


@Wesley Holley wrote:

This has already rolled out to all customers.


Available for G3????

 

 

 

All premium SKUs (E3+).  @Adam Jung may have a specific list of all included SKUs.

Yes, this should be available for G3 as well.


@Adam Jung wrote:

Yes, this should be available for G3 as well.


Not in our G3 tenant.

I can see the list of Sensitive Information Types, but there is no way to create customized ones as in the screen shot at the top of this thread.

Note that the ability to create a custom sensitive information type isn't in the UI, so you won't see it there. It has to be created in XML, and once uploaded to the Security & Compliance Center you should see it listed in the UI. More details in the article here.

I tried the command, but got the following message:

New-DlpSensitiveInformationTypeRulePackage : The term 'New-DlpSensitiveInformationTypeRulePackage' is not recognized as the name of a cmdlet, function, script file, or operable program.

Hi Wesley,

 

Would this also work for the fingerprint? How do we reference for fingerprint the template we want to compare with? Can we extract the XML from Exchange Online fingerprint and add it to SCC? Or how do you recommend to build a custom sensitive information for fingerprint? Is there any limitation between fingerprint on Exchange Online vs. SCC?

 

Thank you very much

Hi Wesley, is there any chance the list of sensitive information types will be updated/ expanded? Especially with upcoming GDPR  European Union (EU) privacy regulation in mind. E.g. nationalities or other privacy sensitive information. Maybe additional packages can be bought or supplied by partners? 

 

Thanks in advance,

Jeroen

Hi Jeroen,

 

Yes, we are adding to the list in the coming months to meet GDPR requirements.  This will be included out of the box.  I believe Nucleuz.com also provides a GDPR rulepack you can purchase.

 

Thanks,

Wes

Hi Jacques,

 

Great question.  Fingerprinting is currently only supported in Exchange and can be created and managed in the Exchange Admin Center.  We are working to add support for them within the SCC, but I don't have a date to share quite yet.  Please let me know if you have additional questions.

 

Thanks,

Wes

Hi Daniel, you need to connect to the SCC service, not EAC. After you import your rule pack you need to wait around 15 minutes for the new sensitive information types to sync from SCC to EAC.
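The following is an added example, not part of the original post or any reply in the thread. It shows a rule package with a loose and a strict version of one custom type (pattern alone versus pattern plus keyword, as the post describes) and its upload with the cmdlet named in the replies, after checking that the session actually exposes that cmdlet. It assumes a remote PowerShell session to the Security & Compliance Center is already open; the type name, regex, keywords, GUIDs and file path are all constructed for illustration.

```powershell
# Assumes an open remote PowerShell session to the Security & Compliance Center.
# Names, regex, keywords, GUIDs and the file path are constructed sample values.
$cmd = 'New-DlpSensitiveInformationTypeRulePackage'
if (-not (Get-Command $cmd -ErrorAction SilentlyContinue)) {
    throw "$cmd not found: this session is not connected to the Security & Compliance Center."
}
$packId, $publisherId, $entityId = 1..3 | ForEach-Object { [guid]::NewGuid().ToString() }
$xml = @"
<?xml version="1.0" encoding="utf-16"?>
<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
  <RulePack id="$packId">
    <Version major="1" minor="0" build="0" revision="0"/>
    <Publisher id="$publisherId"/>
    <Details defaultLangCode="en-us">
      <LocalizedDetails langcode="en-us">
        <PublisherName>Contoso (example)</PublisherName>
        <Name>Employee ID rule pack (example)</Name>
        <Description>Constructed sample rule pack</Description>
      </LocalizedDetails>
    </Details>
  </RulePack>
  <Rules>
    <Entity id="$entityId" patternsProximity="300" recommendedConfidence="75">
      <!-- Loose version: pattern alone; pair with log/report-only policy rules -->
      <Pattern confidenceLevel="65"><IdMatch idRef="Regex_employee_id"/></Pattern>
      <!-- Strict version: pattern plus a keyword within 300 characters -->
      <Pattern confidenceLevel="85">
        <IdMatch idRef="Regex_employee_id"/>
        <Match idRef="Keyword_employee_id"/>
      </Pattern>
    </Entity>
    <Regex id="Regex_employee_id">\bEMP\d{6}\b</Regex>
    <Keyword id="Keyword_employee_id">
      <Group matchStyle="word"><Term>employee id</Term><Term>badge</Term></Group>
    </Keyword>
    <LocalizedStrings>
      <Resource idRef="$entityId">
        <Name default="true" langcode="en-us">Employee ID (example)</Name>
        <Description default="true" langcode="en-us">Constructed sample type</Description>
      </Resource>
    </LocalizedStrings>
  </Rules>
</RulePackage>
"@
$null = [xml]$xml                                   # throws if the XML is not well-formed
$path = Join-Path $env:TEMP 'EmployeeIdRulePack.xml'
$xml | Out-File -FilePath $path -Encoding Unicode   # UTF-16, matching the XML declaration
New-DlpSensitiveInformationTypeRulePackage -FileData ([System.IO.File]::ReadAllBytes($path))
Get-DlpSensitiveInformationType -Identity 'Employee ID (example)'   # confirm the new type is listed
```

A policy rule can then act on the two confidence levels separately, for example reporting on matches at 65 and applying a stricter action only at 85.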

Hi Wesley, earlier this year I added a number of DLP policies based on file properties (tags put in there by AIP in Office files). However, since the move to Security & Compliance I can no longer adapt/update (or add new) DLP policies based on file tags. Is there a way to add this kind of what is basically a word detection method (not in file content but in file properties) via the sensitive information types? If so, what is a simple way to do it?

Help is really welcome, as for months already I cannot even update existing DLP policies due to this change.

Hi Eddy, you're right that the SCC doesn't show this option in the UX yet, but you are still able to edit/add/remove these tags.  Here are the instructions: https://support.office.com/en-us/article/Create-a-DLP-policy-to-protect-documents-with-FCI-or-other-...