May 17 2023 03:33 AM
I created endpoint DLP policy to block copying data to USB devices , the condition i used is file types and i include all office documents and pdf. the policy is working on pdf but not applied to office documents.
May 25 2023 02:19 AM
If you go to activity explorer, do you see the office files showing up as DLP Rule Match or as the "File copied to removeable media" action?
May 29 2023 05:50 AM - edited May 29 2023 05:51 AM
No it is not showing DLP Rule Match , its showing File copied to removeable media.
i attach both events the PDF and DOCX
thanks
Jun 02 2023 05:04 AM
Jun 06 2023 03:07 AM
Jun 08 2023 04:45 AM
@ALI_hamed17 I just had a case with MS regarding the same issue. They advised that in order for the policy to trigger, the document must be classified by their classification engine. This engine is triggered by different actions taken on the document (open, close, save, download....) so if you have a file, at rest, on your device this won't be seen by the classification engine. You will be able to copy it on the removable media and if you delete it and try to paste it again, the action will trigger the DLP policy and block the copy operation.
I hope this helps!