Azure DLP Exclusions


Hi,

We have a simple requirement, and are hoping someone can assist us:

Notify the DLPAdministrator when anyone in the company sends an email containing more than 10 credit card numbers to an external recipient, except if the email is sent from our CustomerService email account.

This is how we have configured our DLP Policy:

Name: PCI DSS Policy

Locations: Exchange Email (status = on). Included = All, Excluded = None. All other locations are Off.

Customize advanced DLP rules:

Rule 1

Conditions > Content Contains > Sensitive Info Types > Credit Card Number > High Confidence > Instance count 10 to Any

AND

Content is shared from Microsoft 365 > with people outside my organization

Exceptions > except if sender is > CustomerService@myorganisation.com

Incident Reports > Send an alert to admins when a rule match occurs = On

Send email alerts to these people > DLPAdministrator@myorganisation.com

Send alert every time an activity matches the rule (selected)

Turn policy on right away (selected).

 

However, every time an email is sent from CustomerService@myorganisation.com to an external 'gmail' recipient containing credit card numbers, the DLPAdministrator gets notified. The DLP Rule is not working.

We thought the 'exceptions' setting in the DLP rule would work as expected, and not notify the DLPAdministrator.

Did we misunderstand something?

Did we misconfigure something?

Thank you,

Shim

 

0 Replies