
New "Customizing DLP" Feature (MC111748) - Where is it?


I'm trying to roll out Office Message Encryption in EOL (E5 org).  Having a major problem in my testing with the ICD 9/10 Sensitive Info types catching WAY too much, not to mention the inability to combine and use logical (AND/OR) operators to be able to focus my Transport Rules.  I also need to be able to easily tune the lexicon and/or Sensitive Info types in response to false positives, org needs, etc.

 

I ran across a 'New Feature' announcement on the O365 Admin portal just now, which seems to indicate that some of the exact needs I'm working on with Premier Support are now (as of Jul 31) available.

 

New features: Office 365 Data Loss Prevention MC111748 July 31

 

Included features of note:

  • Grouping sensitive types & configurable logical operators (AND/OR)
  • Changes to the UX and cmdlet although old cmdlet will still work. This allows you to express much richer, more specific sets of matching requirements within your policies.
  • Unique matches for entities and keywords – Policy results will now only consider unique matches; duplicated data will not be double-counted (e.g., the same SSN found on each page of your taxes will only count as one unique SSN), reducing unexpected policy matches.
  • Enhanced HIPAA protection in DLP and retention - More advanced and accurate detection of HIPAA content built-in to Office 365 DLP and Preservation policies. You can now accurately detect and protect your organization’s HIPAA-related content, and you can customize the matching behavior to meet your organization’s specific requirements.

 

There's also the 'Create A Keyword Dictionary' document that may be helpful, but I'm having problems with some of the commands:

https://support.office.com/en-us/article/Create-a-keyword-dictionary-c8a95d1b-c3b6-4613-98ab-0331d18...

 

Ideally, I'd like to export the ICD 9/10 dictionaries, make some edits, and then import them as NEW custom keyword dictionaries for use in a custom info type and (ideally) DLP policy.  I also need to be able to create and have an ongoing management process for my dictionaries, which the above KB indicates is possible.

 

Is this actually available across all tenants? If not, is there a way to check and get it pushed to ours ASAP?

 

Finally, is this only doable in the Sec/Compliance center? Is there any way to link things up with the Transport Rules I need to create to protect PII in Exchange Online?  It appears that the EOL and SCC DLP environments can't even see each other and thus things set up in one can't be used in the other.  I know there is a plan to move everything into SCC, but right now I need this in EOL for usage in OME.

 

Alternatively, can I create these same dictionaries, custom info types, and policies in Exchange with EOL PowerShell?

 

Thanks!

3 Replies

Afaik it's only doable via the SCC. As to whether this is rolled out to the entire O365 population, support should be able to answer (or at least give you a specific answer for *your* tenant).

After more digging and testing different scenarios I don't believe that the SCC is quite ready for this and the integration with the EOL DLP is not yet complete.  I'm hoping it will be soon, though.  

 

However, for now the solution that I've come up with is to leverage the 'Exceptions' predicates of the Exchange Transport Rules to manage my exclusions, and it seems to be working.  I've added an exception for both the body/subject and any attachments and my false positive noise has been reduced.  This feature doesn't seem to be available in SCC.  I've added the relevant rules to an EOL DLP Policy.

 

I have a CSV/TXT file (no header) where I maintain the exceptions list and simply add it to a variable and then run the PS to modify the rule as I need to.  It works for both add/removals.

We'll have a process/policy to get approvals added to the exclusion list.

 

$keywords = Get-Content .\DLPExclusions.csv
Set-TransportRule "HIPAA PHI Encryption Trigger" -ExceptIfSubjectOrBodyContainsWords $keywords -ExceptIfAttachmentContainsWords $keywords

 

Thanks
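
An added example, not part of the original post: the same rule update with the exclusion list normalised, checked and diffed against the live rule first, since every word on that list exempts any message containing it from the encryption trigger. It assumes a connected Exchange Online PowerShell session; `$MinLength` and the change-log file name are hypothetical.

```powershell
# Added example; assumes an Exchange Online PowerShell session is already connected.
$RuleName  = 'HIPAA PHI Encryption Trigger'   # rule name from the post
$ListPath  = '.\DLPExclusions.csv'            # one approved word or phrase per line, no header
$LogPath   = '.\DLPExclusions-changes.csv'    # hypothetical change-log file
$MinLength = 4                                # hypothetical review threshold

# Normalise the approved list: trim, drop blank lines, de-duplicate (case-insensitive).
$approved = @(Get-Content -Path $ListPath |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ } |
    Sort-Object -Unique)

if ($approved.Count -eq 0) { throw 'Exclusion list is empty; refusing to update the rule.' }

# Very short entries match widely and would exempt a large share of mail; stop for review.
$tooShort = @($approved | Where-Object { $_.Length -lt $MinLength })
if ($tooShort.Count -gt 0) {
    throw "Entries shorter than $MinLength characters need review: $($tooShort -join ', ')"
}

# Read what the rule currently exempts, for both predicates the post sets.
$rule       = Get-TransportRule -Identity $RuleName
$current    = @($rule.ExceptIfSubjectOrBodyContainsWords | Where-Object { $_ })
$attachment = @($rule.ExceptIfAttachmentContainsWords    | Where-Object { $_ })

# Work out the change set instead of overwriting blindly (-notcontains ignores case).
$toAdd    = @($approved | Where-Object { $current  -notcontains $_ })
$toRemove = @($current  | Where-Object { $approved -notcontains $_ })
$drift    = @($attachment | Where-Object { $current -notcontains $_ })
if ($drift) { Write-Warning "Attachment exceptions differ from body exceptions: $($drift -join ', ')" }

if (-not $toAdd -and -not $toRemove -and -not $drift) { 'Rule already matches the approved list.'; return }
$toAdd    | ForEach-Object { "ADD    $_" }
$toRemove | ForEach-Object { "REMOVE $_" }

# Keep a record of who changed the exception list and how.
[pscustomobject]@{
    When    = (Get-Date).ToString('o')
    Rule    = $RuleName
    By      = $env:USERNAME
    Added   = $toAdd -join ';'
    Removed = $toRemove -join ';'
} | Export-Csv -Path $LogPath -Append -NoTypeInformation

# Dry run; remove -WhatIf once the ADD/REMOVE lines match the approved change.
Set-TransportRule -Identity $RuleName `
    -ExceptIfSubjectOrBodyContainsWords $approved `
    -ExceptIfAttachmentContainsWords $approved -WhatIf
```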

 

Hi All,

Though this may be a delayed response, I bumped into this post as I was trying out similar feature testing.

1. As per my understanding and the testing done so far, SCC can be used at a tenant level, which has only two options "Inside the Organization" or "Outside the Organization", which is a real pain to do any customization.

2. EAC - DLP still provides a wide range of options.

I've managed to create a dictionary for keywords as per the below article.

https://support.office.com/en-us/article/Create-a-keyword-dictionary-c8a95d1b-c3b6-4613-98ab-0331d18...

I have also imported this as a new custom sensitive information type. I've created a new policy in the SCC and added this sensitive type; however, it does not detect anything. Then I disabled the policy and set up a policy in the EAC-DLP; here as well, it does not detect any of the keywords that are part of the keywords dictionary. Following is my XML for the dictionary, which was imported. I've tried to include the IdMatchRef part in the SCC DLP policy; however, there was no luck. Also, I've noticed that the SCC policy only has an AND condition with OR; there is no OR alone, and AND is the mandatory one.

 

<?xml version="1.0" encoding="UTF-16"?>
<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
  <RulePack id="2b9c18af-de85-4a91-bb03-098c8abfe39a">
    <Version build="1" major="0" minor="0" revision="1"/>
    <Publisher id="bb7706f6-6f86-4159-a172-bb46a3320694"/>
    <Details defaultLangCode="en-us">
      <LocalizedDetails langcode="en-us">
        <PublisherName>Prabhakar</PublisherName>
        <Name>Custom Dictionary</Name>
        <Description>This rule package contains the custom dictionary words
        </Description>
      </LocalizedDetails>
    </Details>
  </RulePack>
  <Rules>
    <!-- Sensitive information dictionary -->
    <Entity id="d333c6c2-5f4c-4131-9433-db3ef72a89e8" patternsProximity="300" recommendedConfidence="85">
      <Pattern confidenceLevel="85">
        <IdMatch idRef="f10cd68c-f699-4199-867e-d35be5edbf56" />
      </Pattern>
    </Entity>
    <LocalizedStrings>
      <Resource idRef="d333c6c2-5f4c-4131-9433-db3ef72a89e8">
        <Name default="true" langcode="en-us">Keywords Dictionary</Name>
        <Description default="true" langcode="en-us">Detects test keywords</Description>
      </Resource>
    </LocalizedStrings>
  </Rules>
</RulePackage>
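
A troubleshooting check for the rule package above, as an added example that is not part of the original post: it confirms that every Resource points at an Entity and lists each IdMatch/Match reference that is not defined inside the package and so must resolve outside it, here to a keyword dictionary Identity. The embedded XML is a constructed copy of the poster's Rules section; the commented comparison assumes a connected Security & Compliance PowerShell session.

```powershell
# Constructed copy of the Rules section from the post (RulePack header omitted).
[xml]$pkg = @'
<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
  <Rules>
    <Entity id="d333c6c2-5f4c-4131-9433-db3ef72a89e8" patternsProximity="300" recommendedConfidence="85">
      <Pattern confidenceLevel="85">
        <IdMatch idRef="f10cd68c-f699-4199-867e-d35be5edbf56" />
      </Pattern>
    </Entity>
    <LocalizedStrings>
      <Resource idRef="d333c6c2-5f4c-4131-9433-db3ef72a89e8">
        <Name default="true" langcode="en-us">Keywords Dictionary</Name>
      </Resource>
    </LocalizedStrings>
  </Rules>
</RulePackage>
'@

# The package uses a default namespace, so XPath needs an explicit prefix for it.
$ns = New-Object System.Xml.XmlNamespaceManager($pkg.NameTable)
$ns.AddNamespace('m', 'http://schemas.microsoft.com/office/2011/mce')

# Helper (added here): collect one attribute from every node an XPath selects.
function Get-Ids([string]$XPath, [string]$Attr) {
    $pkg.SelectNodes($XPath, $ns) | ForEach-Object { $_.GetAttribute($Attr) }
}

$entityIds = @(Get-Ids '//m:Entity' 'id')
$localIds  = @(Get-Ids '//m:Regex | //m:Keyword' 'id')       # rules defined in the package
$matchRefs = @(Get-Ids '//m:IdMatch | //m:Match' 'idRef')    # what the patterns point at
$resources = @(Get-Ids '//m:Resource' 'idRef')

# A Resource whose idRef matches no Entity leaves that Entity without a display name.
$orphanResources = @($resources | Where-Object { $entityIds -notcontains $_ })

# References not satisfied inside the package: dictionary GUIDs or built-in functions.
$externalRefs = @($matchRefs | Where-Object { $localIds -notcontains $_ } | Sort-Object -Unique)

"Resources without a matching Entity: $($orphanResources.Count)"
'References that must exist outside the package:'
$externalRefs

# With a Security & Compliance session, list references that match no dictionary:
# $dictIds = Get-DlpKeywordDictionary | ForEach-Object { "$($_.Identity)" }
# $externalRefs | Where-Object { $dictIds -notcontains $_ }
```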