New-DlpComplianceRule Parameters with SiteAdmin


Hello Experts,

Using the New-DlpComplianceRule cmdlet, there are three (3) parameters called "-GenerateAlert", "-GenerateIncidentReport", and "-NotifyUser", and one of the valid values is "SiteAdmin". See this article (New-DlpComplianceRule (ExchangePowerShell) | Microsoft Docs). When this parameter is configured (see attached image), where does this alert/notification go to?

I tested sending 10 SSN numbers to an external account; the sender gets a "Your email message conflicts with a policy in your organization" email, which is expected. Global admin did not receive any e-mail.

Part of my script includes:

#High Volume Rule
$HighSensitiveInfo = @(
    @{Name = "U.S. Social Security Number (SSN)"; minCount = "6"},
    @{Name = "U.S. / U.K. Passport Number"; minCount = "6"},
    @{Name = "U.S. Individual Taxpayer Identification Number (ITIN)"; minCount = "6"}
)
$HighRulevalue = @{
    'Name' = 'High Volume Government Data';
    'Comment' = "Helps detect the presence of information commonly considered to be subject to the compliance";
    'Policy' = $PolicyName;
    'ContentContainsSensitiveInformation' = $HighSensitiveInfo;
    'BlockAccess' = $false;
    'ReportSeverityLevel' = 'High';
    'AccessScope' = 'NotInOrganization';
    'Disabled' = $false;
    'GenerateIncidentReport' = 'SiteAdmin';
    'IncidentReportContent' = 'All';
    'NotifyAllowOverride' = 'FalsePositive,WithJustification';
    'NotifyUser' = @('SiteAdmin', 'LastModifier', 'Owner')
}

Thanks in advance!
