Compliance team / IT admins play a vital role in the organization to ensure the firm complies with business standards and industry regulations. When it comes to data, the detection and protection of data are among the most important tasks that any business has today.
With the help of Office DLP, it makes it easier to identify, monitor, and protect the sensitive data across:
Microsoft 365 DLP detects sensitive items by using deep content analysis, not by just a simple text scan. Content is analyzed for primary data matches to keywords, by the evaluation of regular expressions, by internal function validation, and by secondary data matches that are in proximity to the primary data match. Beyond that, DLP also uses machine learning algorithms and other methods to detect content that matches your DLP policies.
This article describes how to troubleshoot some common DLP issues.
Common Scenarios:
.
Scenario 1: DLP policy is not blocking the sensitive information
Users are able to send emails/documents containing Sensitive Information like Credit Cards and SSN and items are not being blocked by the DLP policy.
Possible cause:
Possible Solution:
Check if the content of the message matches the format, pattern, and keywords as per Sensitive information type entity definitions - Microsoft 365 Compliance | Microsoft Docs
Example:
You can use Test-Message commandlet to investigate the issues related to the processing of the Exchange Transport Rules (ETRs) and Unified DLP rules.
Test-Message is used to send test email messages into the actual ETR/DLP pipeline to simulate real behavior and provides admins with an immediate evaluation report showing the match/didn't match rule results for a particular message.
To run Test-Message in PowerShell, admins need to specify:
Example :
$data = [System.IO.File]::ReadAllBytes('C:\Data\test.eml')
Test-Message -MessageFileData $data -Sender megan@contoso.com -Recipients adele@contoso.com -SendReportTo admin@contoso.com -UnifiedDlpRules
Please refer Test-Message (ExchangePowerShell) | Microsoft Learn for more information.
Sample Output:
Evaluating rule 68007c5e-37e0-4e81-9b8b-2a9b7e3c5341.
Scanning for sensitive types: 50842eb7-edc8-4019-85dd-5a5c1f2bb085,a2ce32a8-f935-4bb6-8e96-2a5157672e2c,cb353f78-2b72-4c3c-8827-92ebe4f69fdf,e55e2a32-f92d-4985-a35d-a0b269eb687b,a44669fe-0d48-453d-a9b1-2cc83f2cba77,178ec42a-18b4-47cc-85c7-d62c92fd67f8.
Discovered sensitive types: 'Credit Card Number' (count: 1, unique count: 1, confidence: 85).
Filtering results retrieved.
Text extraction data available from earlier attempt on same message. Skipping text extraction.
Filtering results retrieved.
Text Matched for for discovered data classification: 4111 1111 1111 1111.
Filtering results retrieved.
Text extraction data available from earlier attempt on same message. Skipping text extraction.
Filtering results retrieved.
Text extraction detected 0 attachments.
Text extraction detected metadata: , Coauth: False.
Discovered labels in attachment: .
Evaluating actions for rule 68007c5e-37e0-4e81-9b8b-2a9b7e3c5341.
Stamp rule history on message header.
Rule 68007c5e-37e0-4e81-9b8b-2a9b7e3c5341 evaluation resulted in a match.
Predicate ExContentContainsSensitiveInformationPredicate evaluation resulted in a match.
Predicate ExContentContainsSensitiveInformationPredicate evaluation resulted in a match.
Predicate ExContentContainsSensitiveInformationPredicate evaluation resulted in a match.
Predicate ExContentContainsSensitiveInformationPredicate evaluation resulted in a match with Confidential properties.
Predicate ExContentContainsSensitiveInformationPredicate evaluation resulted in a match.
Predicate ExContentContainsSensitiveInformationPredicate evaluation resulted in a match.
Exit policy rule evaluation. Continue to next.
Evaluating rule b068860b-7f53-477e-9385-c062d4f75438.
Scanning for sensitive types: .
Evaluating actions for rule b068860b-7f53-477e-9385-c062d4f75438.
Stamp rule history on message header.
Rule b068860b-7f53-477e-9385-c062d4f75438 evaluation resulted in a match.
Predicate ExEqualPredicate evaluation resulted in a match with megan@contoso.com properties.
Predicate ExEqualPredicate evaluation resulted in a match with IncludeExternalUsers properties.
Predicate ExContentContainsSensitiveInformationPredicate evaluation resulted in a match with 50842eb7-edc8-4019-85dd-5a5c1f2bb085 properties.
Predicate ExContentContainsSensitiveInformationPredicate evaluation resulted in a match with Credit Card Number properties.
Predicate ExContentContainsSensitiveInformationPredicate evaluation resulted in a match with Message Body properties.
Predicate ExContentContainsSensitiveInformationPredicate evaluation resulted in a match.
Predicate ExContentContainsSensitiveInformationPredicate evaluation resulted in a match.
Predicate AndCondition evaluation resulted in a match.
Action NotifyUser was executed.
Exit policy rule evaluation. Continue to next.
Evaluating rule c10ed108-acad-4aed-b6e2-83954949e078.
Scanning for sensitive types: .
Evaluating actions for rule c10ed108-acad-4aed-b6e2-83954949e078.
Stamp rule history on message header.
Rule c10ed108-acad-4aed-b6e2-83954949e078 evaluation resulted in a match.
Predicate ExEqualPredicate evaluation resulted in a match with megan@contoso.com properties.
Predicate ExEqualPredicate evaluation resulted in a match with IncludeExternalUsers properties.
Predicate ExContentContainsSensitiveInformationPredicate evaluation resulted in a match with 50842eb7-edc8-4019-85dd-5a5c1f2bb085 properties.
Predicate ExContentContainsSensitiveInformationPredicate evaluation resulted in a match with Credit Card Number properties.
Predicate ExContentContainsSensitiveInformationPredicate evaluation resulted in a match with Message Body properties.
Predicate ExContentContainsSensitiveInformationPredicate evaluation resulted in a match.
Predicate ExContentContainsSensitiveInformationPredicate evaluation resulted in a match.
Predicate AndCondition evaluation resulted in a match.
Action NotifyUser was executed.
Action GenerateAlert was executed.
Action GenerateIncidentReport was executed.
You can upload a file to test whether these sensitive info types detect the matching elements you specified.
Test results include a Confidence level and Support elements as below
Learn more about Fundamental parts of a sensitive information type and confidence levels Learn about sensitive information types - Microsoft 365 Compliance | Microsoft Docs
Create, test, and tune a DLP policy: Create, test, and tune a DLP policy - Microsoft 365 Compliance | Microsoft Docs
Supported DLP Conditions: Data Loss Prevention policy reference - Microsoft 365 Compliance | Microsoft Docs
Scenario 2: DLP policy tips are not working in Outlook / OWA client
DLP is not detecting the sensitive information and the policy tips are not shown in Outlook / OWA clients. The DLP function to evaluate the message isn't triggered immediately. When a message is created, it doesn't yet meet the DLP policy conditions. The DLP policy tip is called and the content is evaluated after data is added to the message. Wait about 30-50 seconds to let the function be called. You can also expect the function to occur automatically when one of the following actions occurs:
After the function is triggered, you receive a message that resembles the following if the message violates the DLP policies.
Possible Cause:
Troubleshooting:
Steps: Outlook > File > Options > Mail > MailTips Options
To work around this issue, force Outlook Client to download the updated DLP policies. To do this, you must use Registry Editor to remove existing DLP policies that are applied to Outlook Client. To do this, follow these steps:
Now start Outlook 2013 again, create a new message, and then type some text. When you do this, you force Outlook 2013 to download DLP policies. For more information: Changes to a data loss prevention policy don't take effect in Outlook 2013 in Office 365 - Office 36...
Currently, Outlook 2013 and later supports showing policy tips only for these conditions:
Currently, Outlook 2013 and later supports showing policy tips only for this action:
Note: Exceptions are considered conditions and all these conditions work in Outlook. They will match content and enforce protective actions on content. However, showing policy tips is not yet supported.
Scenario 3: DLP Policy False positive:
DLP policy triggers incorrectly on content in messages or files. For example, numbers are mistaken for a Credit Card or Bank Account number.
Possible Cause:
Troubleshooting:
It is always important for the administrators to test and tune the DLP policies before turning on for all the users in the Organisation.
Generate an incident report action to the existing DLP policy
DLP false positives and overrides: If your DLP policy allows users to override it or report a false positive, this report shows a count of such instances over time. You can filter the report by date, location, or policy. You can use this report to:
All DLP reports can show data from the most recent four-month time period. The most recent data can take up to 24 hours to appear in the reports.
For more information, please refer to:
View the reports for data loss prevention - Microsoft 365 Compliance | Microsoft Docs
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.