SOLVED

O365 DLP Policy Setup


I set up a custom DLP policy for US PII data that generates incident reports if sensitive information is present in an email. Is there a configuration where, if an email is encrypted, it is treated as an exception to the rule and does not trigger the report?

The idea is if an email message is encrypted, it will not generate an incident report.

Current setup:

Rule consists of:
  if message contains sensitive information and is shared outside the organization
  except if message type is encrypted
  stop processing additional DLP policies and rules if there's a match for this rule.


But it appears the exception is not working.

Note: Testing the "Encrypt only" feature.

Thanks,

Kennie

6 Replies
I'm in the exact same spot and confirm the rule exception is not working in my environment, either. Setting the "message type is" to another option (tested with meeting invites) does work, so the rule logic itself operates, it just doesn't detect encrypted messages as one would expect.
Upvote, same.
best response confirmed by kengab (New Contributor)
Solution

@kengab try setting Message Type is: Permission Controlled - that did the trick on my setup.


I tried that. Didn’t work. What did work is creating a blank rule at position zero which identifies encrypted messages and does nothing to them. The “except” for encrypted or protected messages doesn’t work.
Ah, gotcha. Can't say I tested the except within a rule. I designed my policies similar to how you're describing: I have a first-order policy with however many rules in there as positive finds, bypassing any other DLP if triggered, then actual DLP handling in a separate policy afterwards.

Out of curiosity, are you using DLP controls via Labels or Outlook Message Encryption (say a Transport rule, for example)? I'm stuck with the latter until I can migrate us to Labels, and I suspect that's part of the issue with detecting protected messages.
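The two-rule layout described in the last two replies (a bypass rule at the top of the order that only stops processing, followed by the real PII rule), written out in Security & Compliance PowerShell. This is an added example, not code posted in the thread; it assumes the ExchangeOnlineManagement module's New-DlpCompliancePolicy and New-DlpComplianceRule cmdlets, and the policy, rule and mailbox names are placeholders.

```powershell
# Added example (not from the thread): two-rule DLP layout where a bypass rule
# for protected mail sits at priority 0 and stops further rule processing, so
# the PII rule at priority 1 never fires on encrypted messages. Cmdlet and
# parameter names are those of the ExchangeOnlineManagement module; names and
# addresses below are placeholders (assumption).
Connect-IPPSSession

$policyName = 'US PII - Exchange'   # placeholder policy name

# One policy scoped to Exchange; rule priority inside it decides which rule wins.
New-DlpCompliancePolicy -Name $policyName -ExchangeLocation All -Mode Enable

# Rule at priority 0: match encrypted / permission-controlled mail and stop.
# No action is configured, so the message is delivered untouched; the only
# effect is that later rules in this policy are skipped.
New-DlpComplianceRule -Name 'Bypass - protected messages' -Policy $policyName `
    -Priority 0 `
    -MessageTypeMatches Encrypted, PermissionControlled `
    -StopPolicyProcessing $true

# Rule at priority 1: the actual PII detection for external recipients.
# 'dlp-admin@contoso.example' is a placeholder report mailbox.
New-DlpComplianceRule -Name 'US PII shared externally' -Policy $policyName `
    -Priority 1 `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' }
    ) `
    -AccessScope NotInOrganization `
    -GenerateIncidentReport 'dlp-admin@contoso.example' `
    -IncidentReportContent Title, Sender, Recipients, DetectionDetails `
    -StopPolicyProcessing $true

# Verify the order that was actually applied: a bypass rule that is not at
# priority 0 will not shield the PII rule.
Get-DlpComplianceRule -Policy $policyName |
    Sort-Object Priority |
    Format-Table Name, Priority, MessageTypeMatches, StopPolicyProcessing -AutoSize
```

The bypass rule as written produces no incident report, so PII that leaves the organization inside an encrypted message is invisible to this policy. If that visibility is wanted, the same -GenerateIncidentReport parameter can be set on the bypass rule as well; it then records the match without taking any action on the message.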
Hi there,

With my current DLP setup, I have separated and moved my DLP policy for Exchange into a mail transport rule, and I have a DLP policy for SharePoint/Teams/OneDrive in Security and Compliance.

The reason I moved DLP for Exchange into a transport rule is that I can move the messages into quarantine for review, so I know what is being detected as false positives. The only problem with that is that emails I released from quarantine were re-quarantined, so I have to release the email twice every time. Has anyone experienced this?