Data Loss Prevention Notification Limitations


Is there a limit for the amount of incident reports and notification emails generated?

3 Replies
I'm not aware of any limitations in regard to e-mails and incident reports. By the way, adding some folks to comment on this: @Vasil Michev @Tony Redmond

It might help if you give us some more detail on the question. What Juan said is true afaik, there are no limits. If you do want to limit the number of emails generated, you can configure alert limits via the Advanced Security Management feature.

Thank you @Juan Carlos González Martín.

@Vasil Michev

We tested DLP on a really small scale initially, looking for any US financial or HIPAA-related data without setting confidence levels. Email, policy tips turned on, and configured the incident report. Applied this policy to a single SharePoint site and OneDrive account. It flagged nearly every document we expected and sent the incident reports without issue, as well as the notification to the site owner.

For the bigger scale we split out the policy to have one for SharePoint and one for OneDrive for Business. Both policies having one singular rule looking for any US financial or HIPAA-related data without setting confidence levels. Of course this brought back thousands of possible policy-violating documents. Unfortunately, the amount of incident reports sent was about 23, at most. I checked message trace to see if it was possible these messages were going into Junk or Clutter, but that was not the case. The reports claim the action to generate incident reports has happened, so it seems they just aren't being sent out.

I thought perhaps there was a limitation on reports being sent, so I have broken policies down even further, having a financial policy having 2 rules (low, high) for each SharePoint and OneDrive and applied confidence levels to each. Still the amount of incident reports generated was high and incident reports sent out little to none.