DLP Exceptions issues

%3CLINGO-SUB%20id%3D%22lingo-sub-2382425%22%20slang%3D%22en-US%22%3EDLP%20Exceptions%20issues%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2382425%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20are%20trying%20to%20setup%20a%20DLP%20Policy%20that%20does%20the%20following%3A%3C%2FP%3E%3CP%3E-%20If%20an%20email%20contains%20more%20than%2010%20credit%20card%20numbers%20and%20is%20being%20sent%20to%20an%20external%20email%20address%2C%20notify%20the%20DLPAdmin%20user%2C%20except%20if%20the%20source%20of%20the%20email%20is%20%22customerservice%40ourcompany.com%22.%3C%2FP%3E%3CP%3E%40ourcompany.com%20is%20our%20Azure%20Tenant%20(in%20this%20example).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%2C%20we%20have%20created%20a%20new%20DLP%20Policy%2C%20as%20follows%3A%3C%2FP%3E%3CUL%3E%3CLI%3Echoose%20locations%20to%20apply%20the%20policy%3A%20Exchange%20email%20(all%20included%2C%20none%20excluded).%20No%20other%20Location%20is%20selected%3C%2FLI%3E%3C%2FUL%3E%3CP%3ECustomized%20DLP%20Rule%3A%3C%2FP%3E%3CUL%3E%3CLI%3ESensitive%20info%20type%3A%20Credit%20Card%20Number%20(High%20Confidence%2010%20to%20Any)%20AND%3C%2FLI%3E%3CLI%3EContent%20is%20shared%20from%20M365%20%22with%20people%20outside%20my%20organization%22%3C%2FLI%3E%3CLI%3EExcept%20if%20sender%20is%3A%20%22%3CA%20href%3D%22mailto%3Acustomerservice%40company.com%26quot%3B%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ecustomerservice%40ourcompany.com%22%3C%2FA%3E%3C%2FLI%3E%3CLI%3EUser%20notification%20on%3A%20notify%20these%20people%20%2F%20send%20the%20email%20to%20these%20additional%20people%3A%20%3CA%20href%3D%22mailto%3ACISO%40company.com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3EDLPAdmin%40ourcompany.com%3C%2FA%3E%3C%2FLI%3E%3C%2FUL%3E%3CP%3ETurn%20the%20Policy%20on%20right%20away.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E------------%3C%2FP%3E%3CP%3EIMHO%20the%20above%20should%20work...however%2C%20%3CA%20href%3D%22mailto%3ADLPAdmin%40company.com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3EDLPAdmin%40ourcompany.com%3C%2FA%3E%20always%20gets%20notified%20when%20the%20%3CA%20href%3D%22mailto%3Acustomerservice%40company.com%26quot%3B%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ecustomerservice%40ourcompany.com%3C%2FA%3E%20account%20send%20an%20email%20externally%20(and%20contains%2010%20or%20more%20credit%20cards).%20I%20thought%20the%20idea%20of%20the%20'exceptions'%20was%20for%20the%20DLP%20rule%20to%20work%2C%20except%20when%20the%20exclusion%20%3D%20true.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20are%20we%20doing%20wrong%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you%2C%3C%2FP%3E%3CP%3ESK%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2382425%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EData%20Loss%20Prevention%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EInformation%20Protection%20and%20Governance%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMicrosoft%20Information%20Protection%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2398841%22%20slang%3D%22en-US%22%3ERe%3A%20DLP%20Exceptions%20issues%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2398841%22%20slang%3D%22en-US%22%3Eit%20doesn't%20sound%20like%20you%20are%20doing%20anything%20wrong.%20can%20you%20upload%20a%20screen%20shot%20to%20confirm%3F%3C%2FLINGO-BODY%3E
Occasional Contributor

Hi,

 

We are trying to setup a DLP Policy that does the following:

- If an email contains more than 10 credit card numbers and is being sent to an external email address, notify the DLPAdmin user, except if the source of the email is "customerservice@ourcompany.com".

@ourcompany.com is our Azure Tenant (in this example).

 

So, we have created a new DLP Policy, as follows:

  • choose locations to apply the policy: Exchange email (all included, none excluded). No other Location is selected

Customized DLP Rule:

  • Sensitive info type: Credit Card Number (High Confidence 10 to Any) AND
  • Content is shared from M365 "with people outside my organization"
  • Except if sender is: "customerservice@ourcompany.com"
  • User notification on: notify these people / send the email to these additional people: DLPAdmin@ourcompany.com

Turn the Policy on right away.

 

------------

IMHO the above should work...however, DLPAdmin@ourcompany.com always gets notified when the customerservice@ourcompany.com account send an email externally (and contains 10 or more credit cards). I thought the idea of the 'exceptions' was for the DLP rule to work, except when the exclusion = true.

 

What are we doing wrong?

 

Thank you,

SK

 

2 Replies
it doesn't sound like you are doing anything wrong. can you upload a screen shot to confirm?

Hi @Joe Stocker,

 

Thank you for taking the time to respond.

I have attached the DLP Policy screenshots.

 

Not sure if its useful, but I am using Outlook Web Access, and not the Outlook client for this setup and testing.

 

Thank you,

Shim