Jun 11 2018 - last edited on May 24 2021
Ok so a user gets a policy applied to his/her document for let's say PCI compliance.
On the policy tip we give the user the option to override with a business justification or to report as a false positive.
If they click the "report" button in the policy tip, where does that go? Where do I as an admin go to review those and presumably take some kind of action on that report? Allow and reclassify, or keep the classification and inform the user.
I'd expect to see something in the S&C reports but I can't see a thing. I can view my overrides report and view where a user has overridden a classification but nothing anywhere else that lets me interact with any reported "cases".
Jun 11 2018 10:42 AM
Should be in the DLP reports as detailed here: https://support.office.com/en-us/article/view-the-reports-for-data-loss-prevention-41eb4324-c513-4fa...
Are you saying you don't see the events, or the DLP reports altogether?
Jun 12 2018 03:31 AM
Found it (I think) - I'm missing DLP Insights. I have the DLP report but I'm not seeing the warning triangles / insight icon.
Jun 12 2018 10:05 AM
The insights are a fairly new addition, I don't have them in my tenant either.
Jun 17 2018 05:25 PM
@Vasil Michev do you know if there was an announcement about this new feature? I don't remember seeing one.
Jun 18 2018 02:31 AM
Maybe I'm looking at the wrong thing? This isn't a new feature.
I get a policy tip for a DLP rule.
I have the option to "report" my content as a false positive.
Where the dickens does that report button end up?
I am expecting if there's a report button that somewhere I can go as a sec admin, view that report and either dismiss it and reply to the data owner or opt to reclassify and allow sharing.
There seems no information anywhere about this and no one at Microsoft seems to have a clue about it from what I can see.
If you have a report button then it must go somewhere or why have the button?
Jun 19 2018 01:20 AM
Jun 19 2018 01:39 AM
Jun 19 2018 01:51 AM
Hopefully these help; if you click on Show details table, it will show the details of any overrides and false positives. Just to note that my screenshot currently doesn't as we have a ticket open with MS about policy tips not working on Outlook but okay on OWA (don't know if anyone else is experiencing this).
Jun 19 2018 01:57 AM
I get that report but I can't interact with it? Are you able to?
As per my point above, I can see someone has reported something as a false positive but there seems to be no way for an admin to say "ah ok, that's fine, I'll reclassify it and away you go".
Thanks for your help!
Jun 19 2018 02:05 AM Solution
Jun 19 2018 02:18 AM
I think that's the conclusion I'm coming to.
There is no way to actually do what I'm expecting - which I think would make total sense to be able to interact and deal with these incidents rather than having to go find a user and have a chat with them.
I have it set up to alert me and it sounds like that's the best I can hope for.
That's all I needed - no one was able to tell me if I was missing anything or not but you've got the same experience so sounds like it is what it is.
Thanks so much for your help!
Jun 19 2018 02:22 AM
Dec 11 2018 07:17 AM
Simon - you said "I also have alerts turned on to me when people do it so when I get the email, it shows the override reason and false positive answers. If anyone puts anything that we don't agree with as being an acceptable answer, then we raise this with them/their line manager."
How did you configure DLP to get an email when someone overrides? I only see sending a weekly report to an email from the override chart - is that what you are talking about?
Dec 11 2018 08:56 AM
In the Policy, under Editing Policy Settings, you can create advanced settings for your policy. One of the options is the following:
You can then specify the email address you want reports sent to and what should be contained in those reports.
Hope this helps
Dec 11 2018 10:09 AM
That's the email for the policy match - right, I do that already, but that doesn't send a notification for the override and the justification the user put in. I thought you were alerted via email that a person used the override button and entered a justification. So far, I've only seen that appear in the override report which I can schedule to send me weekly. So besides that - there is nothing that tells you a user used the override, right?
Dec 12 2018 03:39 AM
Sorry Karen for any confusion, I wasn't very clear.
I've set up the DLP policy to alert me whenever someone does something that is against the policy. When they click the override, it will appear in that email, not in a separate email.
I've shared a redacted email of what that looks like but there is no separate email I'm afraid; just the main DLP policy incident report which can tell you what the employee did. Other than this and the report, I don't know of anything else to inform admins someone has clicked "override".
Dec 12 2018 10:22 AM
Ok, so I see now that you see the override justification in an incident report when it's applied to Exchange, but I've got a DLP policy (with incident reports enabled) applied just to my OneDrive and am using the override from the OneDrive client - and I am actually not getting any incident reports when it's in OneDrive. I have CAS and set up a CAS alert policy - so I see it's triggering those, so I know it's happening - but now that I'm specifically looking for incident reports - I don't get them from OneDrive.
Do you get incident report emails like you showed that you got from an Exchange hit, but from a OneDrive match?
Dec 13 2018 12:47 AM
I've had incident reports for OneDrive and SharePoint to flag files being uploaded (in the end they've been dummy data) but looking back at them, they don't show any override/justification - just the details of the file and who did it.