DLP
3 Topics

DLP and Defender for Cloud Apps (MCAS) blocking the upload of sensitive data to personal Dropbox
Hi there,

THE REQUIREMENT
Block the upload of sensitive content (defined with Sensitive Information Types - not Labels) to personal cloud storage such as a personal Dropbox account.

THE RESEARCH

Endpoint DLP
Based on this requirement, I have come to the conclusion that this can only be achieved through Endpoint DLP (Upload to cloud service) using the Microsoft Compliance Extension and requiring an E5 license for all users.

Conditional Access and Defender for Cloud Apps - Session Policy
I also considered using a Session-based policy in Defender for Cloud Apps (MCAS) to block the upload of such information, but the policy only relies on Sensitivity Labels (and not Sensitive Information Types which is the requirement).

M365 Compliance Centre and Defender for Cloud Apps - DLP Policy
I am also aware that one can add an App Connector for Dropbox as a Cloud App, then using this in M365 Compliance Centre as a location: But this only works for corporate Dropbox accounts and not personal.

I am sure I am missing something here in terms of the requirement and the capability that Microsoft provides throughout the DLP and MIP capabilities. Please help?

Dirk
Solved

Using flow Cloud App Security Alert trigger
I have a DLP rule in Office 365 that triggers an alert when PCI data is detected. I want to use Flow to send an email to the person who owns the detected file\s, providing them the file name and location (this info is in the alerts when you view them in Cloud App Security) and asking them to remove the PCI data.

I set up the API token, a Cloud App Security trigger and then attached a basic email action to my and attached that to the alert as a Flow action just so I know when the DLP picks up PCI it runs the configured alert which then runs the configured Flow and I get the test email. This works perfectly.

Next step then is to customize it to the file owner. Here is where I'm having problems. I need to put the file owner email address in the To field and at a minimum the file\s detected in the body. My problem is I can't find any doco that explains what each of the dynamic content options actually are, so I don't know which one gives me the person and the file\s info. I tried to just add all of them and wait for a triggered event, but some I believe are arrays so it adds a "For each" action which I don't want.

How can I work out the dynamic content fields I need?

1.4K Views, 1 like, 2 Comments

Add DLP activities / alerts to MCAS
Hi @*,

we started to use O365 DLP in the SCC and it's working great. For every "rule detection" we get a detailed report in our team mailbox. Now, we want to include DLP policy matches in our incident management. We'd like to use ArcSight to connect to MCAS and get all information about O365 DLP (SIEM).

I played around, but I can only find one OCAS activity policy that generates alerts in my SCC dashboard (only that a DLP policy match was found). I don't get any additional information (name of policy, recipient, subject etc.). More details would be awesome!

Examples: If a user reports a false positive; Severity is high; which DLP policy was triggered... etc. => events that MCAS should report so that I can pick them up with ArcSight (and finally, it creates only incidents that I want based on respective filters).

Is something planned like this and do you have more details? Or, maybe it is already available or something similar?

Thanks & have a nice weekend,
Martin