Diagnosing issues with custom DLP templates not being enforced.

    Question

  • I've written several rules using custom DLP XML templates to detect multiple items including credit card numbers, phone numbers, and email addresses.  However, when these templates are applied, emails are passed without triggering the templates.

    I've been looking for information on debugging DLP/Transport rule processing, but my searches have turned up nothing of use.

    Does anyone with DLP rules have any recommendations on how to debug this issue?

    Thanks

    Friday, May 11, 2018 19:58

All replies

  • Hi HikaruOjiSan,

    In general, if a rule has been applied but is not being enforced, that means either the email does not contain sensitive information or there is a misconfiguration with the rules.  Doing more tests would be the best way to debug this issue.

    I recommend you refer to the following articles to define your own DLP and test again:

    Define your own DLP templates and information types

    Import a custom DLP policy template from a file


    Best Regards,
    Niko Cheng



    Monday, May 14, 2018 08:34
    Moderator
  • Hello Niko,

    The rule uses the built-in Microsoft filter to check for credit cards by verifying the CC fields.  It apparently isn't detecting credit card numbers as I fed it 50 of them (with confirmed valid formats), and the rule didn't hit.

    <Rules>
      <!-- Credit Card Number -->
      <Entity id="6df79b48-959f-43f1-a0ca-135522dbe654" patternsProximity="300" recommendedConfidence="85">
        <Pattern confidenceLevel="85">
          <IdMatch idRef="Func_credit_card" />
          <Any minMatches="1">
            <Match idRef="Keyword_cc_verification" />
          </Any>
        </Pattern>
      </Entity>

    That rule should match on any valid CC number without the secondary requirements of name, expiration or CVV codes.

    Is there any enhanced logging that can be enabled for the rules engine to try and determine why this rule is failing?

    Cheers!!


    Monday, May 14, 2018 17:22
  • Hi HikaruOjiSan,

    As far as I know, there is no such log that can be used to determine why a DLP rule does not work. You need to constantly adjust the rule for testing.

    Wednesday, May 23, 2018 10:03
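
An offline way to test a pattern like the Entity posted in this thread, as an added example that is not part of the original posts and not Microsoft's code: it parses the Entity and reports, for each candidate card number, whether the `Match`/`Any` requirements are met inside the `patternsProximity` window around the `IdMatch`. The detectors for `Func_credit_card` and `Keyword_cc_verification` are simplified stand-ins (a Luhn check and a constructed keyword list), `maxMatches` is ignored, and the test messages are constructed.

```python
import re
import xml.etree.ElementTree as ET

# The Entity from the post, reproduced so it can be parsed offline.
RULE_XML = """<Entity id="6df79b48-959f-43f1-a0ca-135522dbe654"
        patternsProximity="300" recommendedConfidence="85">
  <Pattern confidenceLevel="85">
    <IdMatch idRef="Func_credit_card" />
    <Any minMatches="1"><Match idRef="Keyword_cc_verification" /></Any>
  </Pattern>
</Entity>"""

def luhn_ok(digits):                        # Luhn checksum over a digit string
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")   # 16 digits, optional separators
KEYWORD_RE = re.compile(r"\b(?:cvv|security code|card verification)\b", re.I)
# Assumption: simplified stand-ins for the built-in function and keyword list,
# which the thread does not show. Each returns the spans it found in the text.
DETECTORS = {
    "Func_credit_card": lambda t: [m.span() for m in CARD_RE.finditer(t)
                                   if luhn_ok(re.sub(r"\D", "", m.group()))],
    "Keyword_cc_verification": lambda t: [m.span() for m in KEYWORD_RE.finditer(t)],
}

def evaluate(rule_xml, text):               # -> [(candidate, matched), ...]
    entity = ET.fromstring(rule_xml)
    window = int(entity.get("patternsProximity"))
    report = []
    for pattern in entity.iter("Pattern"):
        # Every direct Match is required; each Any needs minMatches of its children.
        needs = [([m], 1) for m in pattern.findall("Match")]
        needs += [(g.findall("Match"), int(g.get("minMatches", "1")))
                  for g in pattern.findall("Any")]
        for start, end in DETECTORS[pattern.find("IdMatch").get("idRef")](text):
            nearby = text[max(0, start - window):end + window]   # window around the IdMatch
            ok = all(sum(bool(DETECTORS[m.get("idRef")](nearby)) for m in ms) >= n
                     for ms, n in needs)
            report.append((text[start:end], ok))
    return report

BARE = "Order ref 1001. Card: 4111 1111 1111 1111. Thanks."   # constructed
WITH_KEYWORD = "Card: 4111 1111 1111 1111, CVV 123"           # constructed
```

In this model `evaluate(RULE_XML, BARE)` reports the Luhn-valid number as not matched because no keyword from the stand-in list lies within 300 characters of it, while `evaluate(RULE_XML, WITH_KEYWORD)` reports it as matched.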