
Overrides and false positives in DLP policy end user experience


OK, so a user gets a policy applied to his/her document for, let's say, PCI compliance.

On the policy tip we give the user the option to override with a business justification or to report as a false positive.

 

If they click the "report" button in the policy tip, where does that go? Where do I as an admin go to review those and presumably take some kind of action on that report? Allow and reclassify, or keep the classification and inform the user.

 

I'd expect to see something in the S&C reports but I can't see a thing. I can view my overrides report and see where a user has overridden a classification, but nothing anywhere else lets me interact with any reported "cases".


Should be in the DLP reports as detailed here: https://support.office.com/en-us/article/view-the-reports-for-data-loss-prevention-41eb4324-c513-4fa...

 

Are you saying you don't see the events, or the DLP reports altogether?

[attachment: dlp insights.jpg]

 

Found it (I think): I'm missing DLP Insights. I have the DLP report but I'm not seeing the warning triangles / insight icon.

The insights are a fairly new addition; I don't have them in my tenant either.

@Vasil Michev do you know if there was an announcement about this new feature? I don't remember seeing one.

Maybe I'm looking at the wrong thing? This isn't a new feature.

 

I get a policy tip for a DLP rule

I have the option to "report" my content as a false positive

Where the dickens does that report button end up?

I am expecting, if there's a report button, that there is somewhere I can go as a sec admin, view that report, and either dismiss it and reply to the data owner or opt to reclassify and allow sharing.

There seems no information anywhere about this and no one at Microsoft seems to have a clue about it from what I can see.

If you have a report button then it must go somewhere or why have the button?

I've had this issue too; you don't actually get a report as far as I am aware. However, if you go to the DLP page and click the graph called "DLP false positives and overrides", you can then see a graph of both results and change it to the actual details. You can also request a report of this information, which will appear in the reports area.

One thing to note is if you're not a domain admin and just compliance, you cannot schedule reports to come out automatically. Only a domain admin can do it and they only are visible to them (we tried this and my colleague only got the reports, not me; I have to get them manually).

Hope this helps

"you can then see a graph of both results and change it to the actual details" - could you attach a screenshot of what you mean? My graph (and report) are both decidedly non-interactive!!

[attachments: Opera Snapshot_2018-06-19_094331_protection.office.com.png, Opera Snapshot_2018-06-19_094826_protection.office.com.png]

Hi Mike

 

Hopefully these help; if you click on "Show details table", it will show the details of any overrides and false positives. Just to note that my screenshot currently doesn't, as we have a ticket open with MS about policy tips not working in Outlook but working OK in OWA (don't know if anyone else is experiencing this).

 

Simon

Thanks Simon!

 

I get that report but I can't interact with it? Are you able to?

As per my point above, I can see someone has reported something as a false positive, but there seems to be no way for an admin to say "ah OK, that's fine, I'll reclassify it and away you go".

Thanks for your help!

best response confirmed by Mike Rowland (Brass Contributor)
No I'm not able to; I don't think you can.

If someone does put down it's a false positive and it's not, I usually go and speak to the individual or email them. There's no way that I know of to reclassify it.

I also have alerts turned on to me when people do it so when I get the email, it shows the override reason and false positive answers. If anyone puts anything that we don't agree with as being an acceptable answer, then we raise this with them/their line manager.

I think that's the conclusion I'm coming to.

There is no way to actually do what I'm expecting - which I think would make total sense to be able to interact and deal with these incidents rather than having to go find a user and have a chat with them.

I have it set up to alert me and it sounds like that's the best I can hope for.

 

That's all I needed - no one was able to tell me if I was missing anything or not but you've got the same experience so sounds like it is what it is.

 

Thanks so much for your help!

Sorry it wasn't the answer you were looking for. I agree, it's not the best system and it would be great to reclassify the false positives. I have it set up for NI numbers, so it would be great to reclassify dummy NI numbers so they get excluded, as that's where most of my false positives come from.

Glad I could help (a bit).
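The thread's conclusion is that the portal gives you the overrides/false-positives report and the incident email, but no queue in which to dismiss a report, follow up with the user, or exclude known dummy values. The script below is an added example of how an admin could build that triage step outside the portal; it is not Microsoft's tooling and not code from anyone in this thread. The event records are constructed to mirror the fields the replies describe (user, policy, workload, whether the user overrode or reported a false positive, the justification text, and the matched value); the field names, thresholds, and the QQ-prefixed dummy NI number are all assumptions for the example, not a Microsoft schema.

```python
"""Triage DLP override / false-positive events into admin review queues.

Added example (not Microsoft's code, not from the thread). Input records are
constructed; field names are assumptions, not a documented DLP schema.
"""
from collections import Counter, defaultdict

# Constructed allowlist of values known to be dummy/test identifiers.
# The QQ prefix is the usual documentation-style NI example; a real deployment
# would load this list from something the compliance team maintains.
KNOWN_DUMMY_VALUES = {"QQ123456C"}

# Overrides with a justification shorter than this get a follow-up with the
# user (the thread's manual process), rather than a plain review.
MIN_JUSTIFICATION_CHARS = 15
# A user with this many overrides in the window is flagged for attention.
REPEAT_OVERRIDE_THRESHOLD = 2

# Constructed sample events shaped like the override/false-positive report
# rows and incident emails the thread describes.
SAMPLE_EVENTS = [
    {"user": "alice@contoso.example", "policy": "UK PII", "workload": "Exchange",
     "action": "override",
     "justification": "Payroll file for our pensions provider, contract ref on file",
     "matched_value": "JK123456A"},
    {"user": "bob@contoso.example", "policy": "UK PII", "workload": "OneDrive",
     "action": "false_positive", "justification": "",
     "matched_value": "QQ123456C"},
    {"user": "carol@contoso.example", "policy": "UK PII", "workload": "SharePoint",
     "action": "false_positive", "justification": "test data",
     "matched_value": "AB654321B"},
    {"user": "alice@contoso.example", "policy": "PCI", "workload": "Exchange",
     "action": "override", "justification": "ok",
     "matched_value": "4111xxxxxxxx1111"},
    {"user": "alice@contoso.example", "policy": "PCI", "workload": "Exchange",
     "action": "override", "justification": "",
     "matched_value": "5500xxxxxxxx0004"},
]


def classify(event, dummy_values=KNOWN_DUMMY_VALUES):
    """Return the review queue a single event belongs in."""
    action = event["action"]
    if action == "false_positive":
        # A report against a value already known to be dummy needs no human.
        if event["matched_value"] in dummy_values:
            return "auto_close_known_dummy"
        # Otherwise an admin checks it; if it really is test data, the value
        # is added to the allowlist and becomes an exclusion candidate.
        return "review_false_positive"
    if action == "override":
        if len(event["justification"].strip()) < MIN_JUSTIFICATION_CHARS:
            return "follow_up_weak_justification"
        return "review_override"
    raise ValueError(f"unknown action {action!r}")


def triage(events, dummy_values=KNOWN_DUMMY_VALUES):
    """Bucket events into queues and list users who override repeatedly."""
    queues = defaultdict(list)
    override_counts = Counter()
    for ev in events:
        queues[classify(ev, dummy_values)].append(ev)
        if ev["action"] == "override":
            override_counts[ev["user"]] += 1
    repeat = sorted(u for u, n in override_counts.items()
                    if n >= REPEAT_OVERRIDE_THRESHOLD)
    return {"queues": dict(queues), "repeat_overriders": repeat}


def exclusion_candidates(result):
    """Values from auto-closed dummy reports, to feed into a policy exclusion."""
    auto_closed = result["queues"].get("auto_close_known_dummy", [])
    return sorted({ev["matched_value"] for ev in auto_closed})


if __name__ == "__main__":
    outcome = triage(SAMPLE_EVENTS)
    for queue, items in outcome["queues"].items():
        print(f"{queue}: {len(items)} event(s)")
        for ev in items:
            print(f"  {ev['user']} [{ev['policy']}/{ev['workload']}] "
                  f"justification={ev['justification']!r}")
    print("repeat overriders:", outcome["repeat_overriders"])
    print("exclusion candidates:", exclusion_candidates(outcome))
```

The split into queues mirrors what the replies do by hand: known dummy values close themselves and become candidates for a policy exclusion, unexplained overrides go to the "have a chat with the user" pile, and a user who keeps overriding is surfaced separately rather than being noticed only when an admin reads the weekly report.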

Simon - you said "I also have alerts turned on to me when people do it so when I get the email, it shows the override reason and false positive answers. If anyone puts anything that we don't agree with as being an acceptable answer, then we raise this with them/their line manager. "

 

How did you configure DLP to get an email when someone overrides? I only see the option to send a weekly report to an email address from the override chart - is that what you are talking about?

Hi Karen

 

In the Policy, under Editing Policy Settings, you can create advanced settings for your policy. One of the options is the following:

 

You can then specify the email address you want reports to and what should be contained in those reports.

 

Hope this helps

 

Simon

[attachment: DLP.png]

 

That's the email for the policy match - right, I do that already, but that doesn't send a notification for the override and the justification the user put in. I thought you were alerted via email that a person used the override button and entered a justification. So far, I've only seen that appear in the override report which I can schedule to send me weekly. So besides that - there is nothing that tells you a user used the override right?

Sorry Karen for any confusion, I wasn't very clear.

 

I've set up the DLP policy to alert me whenever someone does something that is against the policy. When they click the override, it will appear in that email, not in a separate email.

 

I've shared a redacted email of what that looks like but there is no separate email I'm afraid; just the main DLP policy incident report which can tell you what the employee did. Other than this and the report, I don't know of anything else to inform admins someone has clicked "override".

 

[attachment: Screenshot_2018-12-12 Mail – ITSecurity benefex co uk.png]

 

 

OK, so I see now that you see the override justification in an incident report when it's applied to Exchange, but I've got a DLP policy (with incident reports enabled) applied just to my OneDrive and am using the override from the OneDrive client - and I am actually not getting any incident reports when it's in OneDrive. I have CAS and set up a CAS alert policy, so I see it's triggering those and I know it's happening - but now that I'm specifically looking for incident reports, I don't get them from OneDrive.

 

Do you get incident report emails like you showed that you got from an Exchange hit, but from a OneDrive match?

I've had incident reports for OneDrive and SharePoint to flag files being uploaded (in the end they've been dummy data) but looking back at them, they don't show any override/justification - just the details of the file and who did it.
