Decrypt Journal Message DLP

Copper Contributor

Hello! We are currently in the process of setting up our first DLP policy for sensitive information. Everything seems to be working well, except for one issue. We have a specific group of people whose emails are journaled out to a third party. I cannot seem to figure out how to get these messages decrypted.

 

We do have this set: Set-IRMConfiguration -JournalReportDecryptionEnabled $true

 

I have tried making NOT statements, and adding a rule in the policy that removes the encryption if the message is sent from inside to the journal address... Nothing.

 

Any suggestions or pointers?

 

Thank you!

 
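An added example (not part of the original post) that checks the three pieces involved in the question from PowerShell: the tenant IRM setting, the journal rules that deliver to the third party, and the DLP rules that apply encryption together with their exceptions and priority. It assumes the ExchangeOnlineManagement module; the journal and sender addresses are placeholders to be replaced.

```powershell
# Added example, not from the original post. Requires the ExchangeOnlineManagement module.
# The two addresses below are assumed placeholders, not values from the thread.
$JournalAddress = 'journal@thirdparty.example'
$TestSender     = 'someone@contoso.example'

# 1. Exchange Online: confirm journal report decryption is really enabled.
Connect-ExchangeOnline
$irm = Get-IRMConfiguration
if (-not $irm.JournalReportDecryptionEnabled) {
    Set-IRMConfiguration -JournalReportDecryptionEnabled $true
}
$irm | Format-List JournalReportDecryptionEnabled, AzureRMSLicensingEnabled, InternalLicensingEnabled

# Journal report decryption depends on a working RMS connection; exercise it for a sender.
Test-IRMConfiguration -Sender $TestSender

# 2. Which journal rules target the third party, and with what scope?
Get-JournalRule |
    Where-Object { $_.JournalEmailAddress -like "*$JournalAddress*" } |
    Format-List Name, Enabled, Scope, Recipient, JournalEmailAddress

# 3. Security & Compliance: every DLP rule that applies an RMS template, in priority order,
#    with the exception conditions that would have to cover the journal address/domain.
Connect-IPPSSession
Get-DlpComplianceRule |
    Where-Object { $_.EncryptRMSTemplate } |
    Sort-Object Priority |
    Format-List ParentPolicyName, Name, Priority, Disabled, EncryptRMSTemplate,
                ExceptIfSentTo, ExceptIfRecipientDomainIs, ExceptIfFromScope
```

The point of the last query is that the exception has to sit on the rule that performs the encryption, not on a later rule: DLP evaluates the rule that matches first, and a lower-priority "decrypt" rule never sees a message the higher-priority rule has already protected. Journal report decryption itself only affects journal reports generated by journal rules (the journaling agent attaches a decrypted copy of an IRM-protected message to the report), so it is worth confirming from the Get-JournalRule output that the third-party copy is produced by a journal rule at all.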

6 Replies

Hi @mlittman 

 

You could be looking at a priority order issue here. Where in the list of policies/rules does the exception for journal group lie?

@miller34mike 

 

Hello! I had it as the second rule, after the first one, which was to check for sensitive info and encrypt. Then the next rule was: unless it's from inside to the journal address, then decrypt it. I removed it this morning, as it had been in place for a couple of days and wasn't doing anything, so back to the drawing board. This is how the current policy looks (attaching pic). In the main rule I have tried to add the journal address and domain with the rest of my NOT objects as well, and it did not work.

 

Hi @mlittman 

 

So, when you say it's not working, do you mean that all emails, even those to the exclusions in the new policy, are being encrypted? Or that no email is being encrypted?

@miller34mike 

So in the screenshot, that is our main policy that I have been testing and adding on to. It works great. I have had to add exclusions (the NOT part) for some domains we use, and everything is working well. Where I am running into trouble now is that we have a transport rule that sends emails from a specific set of users off to a third-party site via journaling. Those emails are being encrypted. I can't figure out how to get the emails to that specific location without their being encrypted. Hope that helps? (I have tried to add that journal domain and address in the current rule with the other domains, and it did not work.) I tried to make an additional rule below the rule in the screenshot to decrypt any messages from internal to the specific journal address and/or domain, and it still encrypts the journaled email.

@mlittman 

 

Got it, so where is the transport rule configured? It seems like it's an Exchange Online mail flow rule, but I don't want to be mistaken in that assumption.

 

If I'm right, is there anything in your mail flow rules that enforces encryption?
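An added example (not from the thread) of how the two questions above are answered from Exchange Online PowerShell: which mail flow rules apply or remove encryption, which rules route mail to an outbound connector, which connector covers the third-party domain, and what a message trace shows for recent mail to the journal address. It assumes the ExchangeOnlineManagement module; the domain and address are placeholders.

```powershell
# Added example, not from the thread. Requires the ExchangeOnlineManagement module.
# Placeholder values (assumed, replace before use):
$JournalDomain  = 'thirdparty.example'
$JournalAddress = "journal@$JournalDomain"

Connect-ExchangeOnline

# Mail flow rules that apply or strip encryption / rights protection, highest priority (0) first.
Get-TransportRule |
    Where-Object {
        $_.ApplyOME -or $_.ApplyRightsProtectionTemplate -or
        $_.RemoveOME -or $_.RemoveOMEv2 -or $_.RemoveRMSAttachmentEncryption
    } |
    Sort-Object Priority |
    Format-Table Priority, Name, State, ApplyOME, ApplyRightsProtectionTemplate,
                 RemoveOMEv2, SubjectContainsWords -AutoSize

# Mail flow rules that hand messages to an outbound connector (the "transport rule" case).
Get-TransportRule |
    Where-Object { $_.RouteMessageOutboundConnector } |
    Format-Table Priority, Name, State, RouteMessageOutboundConnector, From, SentTo -AutoSize

# Outbound connector(s) whose recipient domains include the journal target.
Get-OutboundConnector |
    Where-Object {
        $_.RecipientDomains -contains $JournalDomain -or
        $_.RecipientDomains -contains "*.$JournalDomain"
    } |
    Format-List Name, Enabled, ConnectorType, RecipientDomains, SmartHosts, TlsSettings

# Recent traffic to the journal mailbox, to see which sender/recipient pairs actually went out.
Get-MessageTrace -RecipientAddress $JournalAddress `
                 -StartDate (Get-Date).AddDays(-2) -EndDate (Get-Date) |
    Sort-Object Received |
    Format-Table Received, SenderAddress, RecipientAddress, Status, Subject -AutoSize
```

If the first query returns a rule whose condition is a subject keyword (the "[secure]" style rule mentioned later in the thread), it is only relevant when the journaled messages carry that keyword; an empty result for the RemoveOMEv2 column means nothing at the mail flow layer is removing encryption before the message reaches the connector, so any decryption has to come from the journaling path or the DLP rule's own exceptions.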

In Exchange there is a connector for it. I don't believe there is any mail flow rule. I couldn't find any mail flow rule pointing to the connector. I put in a screenshot of the trace and the connector. As far as any other encryption rules in Exchange, we have one set up, but you have to use the word [secure] in the subject line to encrypt. I'll eventually move that over to the compliance center.

Screenshot 2023-06-20 151440.png

Screenshot 2023-06-20 150615.png

@miller34mike