Ingesting Purview compliance DLP logs to Splunk
We are in the process of enabling Microsoft purview MIP DLP for a large-scale enterprise, and there is a requirement to push MIP DLP related alerts, incidents and data to Splunk SIEM. Could not find any specific documentation for the same. researched on this and found below solutions however not sure which could work to fit in our requirement: Splunk add on for Microsoft security is available: The Splunk Add-on for Microsoft Security is now available - Microsoft Community Hub but this does not talk about Purview DLP logs. This add-on is available for Splunk but only says MIP can be integrated however does not talk about DLP logs: Microsoft Graph Security API Add-On for Splunk | Splunkbase As per few articles we can also ingest Defender logs to Azure event hub then event hub can be connected to splunk. Above mentioned steps do not explain much about Ingestion of MIP DLP raw data or incidents. If anyone has done it in the past I will appreciate any input.
Copy and paste pictures to restricted service domains not blocked by DLP policy
i believe i've configured the DLP policy but i'm not sure if i missed something i've defined the restricted site in the restricted domain list and set to block i've also configured the DLP policy to block upload to restricted domains i tried 3 different methods to upload the pictures (.jpg & .png) to web.whatsapp.com 1. drag and drop - blocked 2. clicking upload on web.whatsapp.com - blocked 3. copy and paste - not blocked i'm not sure why copy and paste is not blocked while the rest is blockedUse Endpoint DLP to block uploads
Hello, I am trying to block files from being uploaded to specific domains using Endpoint DLP. I have added several domains to the Service Domain section of DLP and set it to Block. I have also added a Service Domain Group with those same domains (not sure if this is required in this case). Then I have created a DLP policy scoped to Devices only. The rule conditions in the policy are set to any file over 1 byte in size should be blocked from upload to those service domains. I have also added the Service Domain Groups to this policy and set it to block. I turn on the policy and it is applied to the appropriate endpoints but when I test, the only files blocked from being uploaded to those domains are files tagged a sensitivity label. Can this DLP policy apply to all files instead of just labelled ones? We just want to block upload to specific domains outright. Any help is appreciated!
DLP Alerts Issue - Windows Defender
Hi, I am encountering an issue where a single file containing multiple policy matches triggers multiple DLP alerts defined for Exchange. I would prefer to receive just one alert per email, regardless of the number of files or policy/rule matches in Windows Defender. Any suggestions on how to resolve this would be greatly appreciatedBlocking Personal Outlook and Gmail Accounts on Corporate Device
Hello Community, In my organization, we use the Microsoft 365 environment. We have a hybrid infrastructure, but we aim to deploy as many policies as possible through Microsoft 365 (Intune, Purview, Defender, etc.). One of our goals is to limit the use of corporate devices for personal purposes. We use Outlook as our corporate email service, and we would like to block employees from signing into their personal email accounts (either via web or desktop application). Additionally, we would like to block access to other email services, such as Gmail, both via web and desktop apps. Could you provide guidance on how to achieve this? I would greatly appreciate any help or suggestions. Thank you very much! Juan Rojas
Compliance Center DLP Policy Tips
Greetings! We are in the middle of implementing the Compliance Center DLP solution using a variety of the advanced rules. We really love the idea of Policy Tips providing guidance to users on what they should do with their sensitive data. Our model is that we are allowed to send sensitive data to intended and verified recipients as long as it is encrypted. So we have some rules that look for HIPAA and PII and inform the user that they should encrypt before sending. The selling point for us was the ability to provide users an override to the policy in cases where encryption wasn't necessary. It is less common, but makes up about 10% of our use-case. Minus the normal bumps and issues, we are mostly happy with the way the system works! Users can override, encrypt, and we get good visibility on why users are sending data unencrypted if they do, so we can retrain or tune the system. Our issue is, of course, the wonkyness of the PolicyTips and how it checks for certain conditions and may or may not clear when a condition is met/not-met. Issue: A user composes an email headed out of our company that contains sensitive data. The system catches this and throws a Policy Tip requiring they encrypt or override. They say, "oh ya! Thanks for reminding me" and hit that encrypt button. This doesn't clear the Policy Tip or the block condition and they cannot send the email, even though it is encrypted. What I've Tried: I added the exception onto the rules to exempt if the Message Type is: Permission Controlled. I tried Message Type: Encrypted, but it doesn't work correctly at all. With this setup, everything works except the Policy Tip, which get stuck. Example: blue box is original PolicyTip. Red box is button encryption. Current Work-Around: The users hate it, because the button is way easier than the subject tags. Our current work-around is to "Clear the Policy Tip" by 1) Remove encryption by clicking link in PolicyTip, 2) Remove Recipient using same method inside Policy Tip. This resets the Policy Tip, so then the user can push the Encrypt button first, then add recipients, without redrafting the whole email. Help!! What sort of logic do I need to make the Encrypt button clear out the Policy Tips? Or is this just it? Workaround city! Thanks for reading and I'd love any help or guidance. Trust me, I've read every docs.microsoft article I can find about Policy Tips and DLP. But I'll take some more if you have them if they are relevant.DLP Policy Tip Stopped Working in SharePoint/OneDrive
Greetings, I created a DLP policy in Microsoft Purview several years ago to display a policy tip to users and it has been working until recently. No changes have been made to the policy. Now, when I go to a SharePoint document library, whether I hover on a sensitive document to see the "View policy tip" or select on the details pane, I no longer see the policy tip information. If I try to share the sensitive document, I also see the "View policy tip". However, this time it shows a Policy tip details dialog box "Policy tip couldn't be displayed. Please try again." Has anyone seen this? Could you share the solution to fix it? Thanks!
Auto-labelling in Purview-Which license or alternatives can be used rather than E5 ?
We are considering adopting Purview for Information Protection and DLP, but we are currently on E3 licenses. Given the extensive size of our SharePoint environment, auto-labelling is crucial for applying sensitivity labels to content across wide scopes automatically. My question is, are there any alternatives to upgrading licenses to E5 or adding the Compliance Add-on? Upgrading several thousand users to E5 or the Compliance Add-on requires significant justification, and I am wondering if there are other interim solutions we could leverage for a period of one year. Any thoughts would be greatly appreciated! Thank you! Kev
