Create DLP rule / alerts for specific activities


Hello,

I'm trying to create alerts from activities that - in themselves - are not dangerous. For example: alert when a document with credit card numbers is discovered, alert when someone uploads a document to an approved web service (don't ask me why, it's my client's wish).

Is that even possible? And if it is, how do I implement such rules?

I'm new to Compliance, I apologize in advance for asking something that may be obvious.

Regards,

P.

1 Reply
Hi @PhilippeAugras,

Yes, these things are possible, depending on the product set and licensing of your client's environment.

Credit cards are a pre-defined sensitive information type (SIT) in Microsoft Information Protection (MIP) https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitive-information-type-entity-definiti...

You can consume SITs in Data Loss/Leakage Policies (DLP). For example, you can create a DLP policy from a template here. https://compliance.microsoft.com/datalossprevention?viewid=policies

For credit cards you can use the Financial category, PCI DSS template. Alerts are one of the options under Protection actions in the DLP policy wizard.

As for "alert on upload of any document to an approved web service", there are probably several ways. Microsoft Defender for Cloud Apps (MDCA, formerly MCAS) may be one answer. This seems an unusual use case that might drown your client in alerts, but I note this has clearly occurred to you already. Personally I would be inclined to revisit the "why" part with your client and see if there is a better solution than an alert for every occurrence and how they intend to respond to the alerts. Can you say what the approved web service is? If so, depending on what it is I might be able to give specific instructions for setting it up.

Thanks, Ash
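
The alert-only credit card policy described in the reply can also be created from Security & Compliance PowerShell rather than the wizard. This is an added example, not part of the original thread; the policy name, alert recipient and match threshold are placeholders, and it assumes the ExchangeOnlineManagement module and a role that can manage DLP policies.

```powershell
# Added example: alert-only DLP policy for the built-in "Credit Card Number" SIT.
# $policyName, $alertTo and $minCount are placeholders, not values from the thread.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$policyName = 'CC-Discovery-Alert'        # hypothetical policy name
$alertTo    = 'secops@contoso.example'    # placeholder alert recipient
$minCount   = '1'                         # raise this to cut alert volume

# Create the policy in test mode first, so the match volume can be reviewed
# before the policy is switched on for real.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Alert when credit card numbers are discovered (no blocking)' `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithoutNotifications

# One rule: condition = content contains the credit card SIT,
# action = generate an alert only. No block or user notification is configured,
# because the activity is not treated as dangerous in itself.
New-DlpComplianceRule -Name "$policyName-Rule" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = $minCount } `
    -GenerateAlert $alertTo `
    -ReportSeverityLevel Low

# Confirm what was created.
Get-DlpCompliancePolicy -Identity $policyName |
    Format-List Name, Mode, ExchangeLocation, SharePointLocation, OneDriveLocation
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, Disabled, ReportSeverityLevel, GenerateAlert

# Once the match volume is acceptable, enable the policy:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Starting in test mode and tuning `minCount` before enabling addresses the alert-volume concern raised in the reply.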