We have a simple requirement, and are hoping someone can assist us:
Notify the DLPAdministrator when anyone in the company sends an email containing more than 10 credit card numbers to an external recipient, except if the email is sent from our CustomerService email account.
This is how we have configured our DLP Policy:
Name: PCI DSS Policy
Locations: Exchange Email (status = on). Included = All, Excluded = None. All other locations are Off.
Customize advanced DLP rules:
Conditions > Content Contains > Sensitive Info Types > Credit Card Number > High Confidence > Instance count 10 to Any
Content is shared from Microsoft 365 > with people outside my organization
Exceptions > except if sender is > CustomerService@myorganisation.com
Incident Reports > Send an alert to admins when a rule match occurs = On
Send alert every time an activity matches the rule (selected)
Turn policy on right away (selected).
However, every time an email is sent from CustomerService@myorganisation.com to an external 'gmail' recipient containing credit card numbers, the DLPAdministrator gets notified. The DLP Rule is not working.
We thought the 'exceptions' setting in the DLP rule would work as expected, and not notify the DLPAdministrator.
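
One way to compare the portal settings listed above with what the service actually stored is to read the policy and its rules back through Security & Compliance PowerShell. This is an added example, not part of the original post: it assumes the ExchangeOnlineManagement module is installed and the account can read DLP configuration, the variable names are illustrative, and the policy name and sender address are the ones given in the post.

```powershell
# Added example: read-only inspection of the stored DLP policy and its rules.
# Assumes the ExchangeOnlineManagement module and an account that can read DLP
# configuration. Nothing here modifies the policy.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$policyName     = 'PCI DSS Policy'                       # name from the post
$exceptedSender = 'CustomerService@myorganisation.com'   # address from the post

# Policy level: enforcement mode and whether distribution to Exchange completed.
Get-DlpCompliancePolicy -Identity $policyName -DistributionDetail |
    Format-List Name, Mode, ExchangeLocation, DistributionStatus

# Rule level: list every rule in the policy, not only the one being edited,
# and show what each one stores for scope, sender exception and alerting.
$report = foreach ($rule in Get-DlpComplianceRule -Policy $policyName) {
    $exceptFrom = @($rule.ExceptIfFrom | Where-Object { $_ } | ForEach-Object { "$_" })
    [pscustomobject]@{
        Rule                  = $rule.Name
        Disabled              = $rule.Disabled
        Priority              = $rule.Priority
        AccessScope           = $rule.AccessScope
        SenderAddressLocation = $rule.SenderAddressLocation
        ExceptIfFrom          = $exceptFrom -join '; '
        ListsExceptedSender   = $exceptFrom -contains $exceptedSender
        HasAdvancedRule       = -not [string]::IsNullOrEmpty($rule.AdvancedRule)
        GenerateAlert         = $rule.GenerateAlert -join '; '
    }
}
$report | Sort-Object Priority | Format-List

# Enabled rules that do not list the sender in ExceptIfFrom. For a rule with
# HasAdvancedRule = True, review its AdvancedRule value by hand as well, since
# this script only checks the ExceptIfFrom property.
$report | Where-Object { -not $_.Disabled -and -not $_.ListsExceptedSender } |
    Select-Object Rule, Priority, HasAdvancedRule
```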