Data Loss Prevention sends me, as global admin, a lot of emails but the hit is incorrect


We are using O365 with SharePoint, OneDrive for Business, Exchange, Teams, Skype for Business etc. I created a new DLP policy for "Exchange email, Teams chats and channel messages and OneDrive and SharePoint documents" and selected the privacy GDPR template for EU. I disabled the tooltip and notification settings for the end users. I only enabled sending an email to my own email address to test it first.

I now receive a lot of emails from DLP hits. But when I investigate the hit, it is a false positive. For example, the sensitive info type "EU National Identification Number" gives a hit if the email contains a number like "0611133218". But this number is a phone number in an email! How can I fine-tune the rules so it will only send an email if it is a real hit?

3 Replies

You can fine tune the match criteria under the Policy settings section and the rules therein. Notifications will be generated for every match though, it's a simple on/off switch.

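@Vasil Michev can I find somewhere some tips about how to reduce the false positives?

Tune the match criteria or create your own sensitive type: https://docs.microsoft.com/en-us/office365/securitycompliance/create-a-custom-sensitive-information-type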
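To illustrate what tuning the match criteria changes, here is an added example (not code from the thread, and not the product's own matching logic) of the general technique of scoring a pattern match higher only when corroborating keywords sit near it. The regex, keyword list, proximity window, confidence values and sample messages are all constructed assumptions; only the number "0611133218" comes from the question.

```python
import re

# Assumed pattern: a bare 10-digit run, which is what makes a phone number match.
CANDIDATE = re.compile(r"(?<!\d)\d{10}(?!\d)")
# Assumed corroborating keywords that suggest a national ID rather than a phone number.
EVIDENCE = re.compile(
    r"\b(national id|id number|identification number|passport)\b", re.I
)
WINDOW = 100        # assumed proximity, in characters, on each side of a candidate
LOW, HIGH = 65, 85  # assumed confidence: pattern only / pattern plus nearby keyword

# Constructed sample messages.
SAMPLES = {
    "phone": "Please call me back on 0611133218 after lunch.",
    "id": "Passport application, national ID number: 0611133218, issued 2015.",
    "far": "National ID number on file. " + "lorem " * 40 + "Ref 0611133218.",
}


def matches(text):
    """Return (number, confidence) for every candidate found in text."""
    found = []
    for m in CANDIDATE.finditer(text):
        nearby = text[max(0, m.start() - WINDOW): m.end() + WINDOW]
        confidence = HIGH if EVIDENCE.search(nearby) else LOW
        found.append((m.group(), confidence))
    return found


def alerts(text, min_confidence):
    """Keep only the matches that meet the rule's minimum confidence."""
    return [hit for hit in matches(text) if hit[1] >= min_confidence]


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:5}  min {LOW}: {alerts(text, LOW)}  min {HIGH}: {alerts(text, HIGH)}")
```

With the minimum confidence at the low value every sample alerts, including the phone number; raising it keeps only the message where the keyword is close to the number.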