DLP Incident Report

  • Question

  • Hi!

    I've just created a new DLP-rule for catching outgoing Swedish Social Security Numbers.

    The rule triggers when someone is sending an SSN outside of our organization. When that happens, the user gets a principal tip that says they are about to send classified information outside the organization, and if they do, an incident report is sent to our incident mailbox.

    My problem is that I only get an incident report sent to me when our users use the bold formatting below, but the principal tip the users can see is triggered by all the different formattings:

    YYMMDDXXXX

    YYMMDD-XXXX

    YYYYMMDDXXXX

    YYYYMMDD-XXXX


    So, what should I do to get the incident report when any of the above formats is used?


    Thanks in advance,

    Petter





    Thursday, November 23, 2017 10:21 AM

All replies

  • Hi Petter,

    Please show the details of the rule, that would give us some clues to help troubleshoot the issue:

    Get-TransportRule -Identity "the DLP rule name" |fl Dlp*,Description


    Best Regards,

    Niko Cheng


    Please remember to mark the replies as answers if they helped.
    If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Saturday, November 25, 2017 3:18 AM
    Moderator
  • Hi Niko,

    This is the requested output.

    Best regards,
    Petter

    DlpPolicy   : Svenskt Personnummer
    DlpPolicyId : c819b1fd-2748-4012-a56c-2ba34c60c365
    Description : If the message:
                      Is sent to 'Outside the organization'
                      and The message contains these sensitive information types: 'Sweden National ID'
                  Take the following actions:
                      Set audit severity level to 'Medium'
                      and Notify the sender that the message can't be sent, but allow the sender to override. Include the explanation 'Delivery not authorized, message
                  refused' with status code '5.7.1'
                      and Send the incident report to ****@bracke.se, include these message properties in the report: sender, recipients, subject, cc'd recipients, bcc'd
                  recipients, severity, sender override information, matching rules, false positive reports, detected data classifications, matching content



    Monday, November 27, 2017 10:26 AM
  • Hi Petter,

    The rule seems ok.

    I have never heard of any transport rule that will distinguish whether the numbers are in bold formatting or not.

    You can try to disable this rule and create a new rule in DLP and check if that helps.


    Best Regards,

    Niko Cheng



    Tuesday, November 28, 2017 10:09 AM
    Moderator
  • Hi Niko,

    It's not when it's bold or not. It's when the format of the serial number is 10 digits without -. YYMMDDXXXX

    If this format is used: YYYYMMDD-XXXX, I will get a principal tip that the information might be sensitive, but an incident report won't be sent to xxxx@bracke.se.

    Best regards
    Petter

    Tuesday, November 28, 2017 11:47 AM
  • Hi Petter,

    According to your description, when the format "YYYYMMDD-XXXX" is used, you will get a principal tip, and when the format "YYMMDDXXXX" is used, you will get a tip and a report (the rule is triggered). Are these two tips the same?

    If these tips are not the same, I suspect the format "YYYYMMDD-XXXX" does not trigger the rule at all; it just reminds that the message "might" contain sensitive information. If the rule is triggered, you should get the tip 'Delivery not authorized, message refused' with status code '5.7.1' (according to your rule description):

    Notify the sender that the message can't be sent, but allow the sender to override. Include the explanation 'Delivery not authorized, message
                  refused' with status code '5.7.1'


    Best Regards,

    Niko Cheng



    Wednesday, November 29, 2017 10:29 AM
    Moderator