Exchange 2016 | Data Loss Prevention | with Built in Templates | Flagging almost every email as not scannable

  • Question

  • I've searched the forums and read several books at this point (O'Reilly Books Online, Amazon, and so forth) trying to get some answers, and I'm hoping to get some help from the forums on where to look next.

    I've got a customer where on Exchange 2016 the DLP policies were enabled for: (Outline)

    US Financial ||

    US Financial: Scan email sent outside | Credit Card #, US Bank Account, ABA Routing
    U.S. Financial: Scan text limit exceeded
    U.S. Financial: Attachment not supported
    HIPAA ||
    U.S. HIPAA: Scan email sent outside | US Social Security, Drug Enforcement Agency
    U.S. HIPAA: Scan text limit exceeded
    U.S. HIPAA: Attachment not supported
    || US Social 
    U.S. SSN Laws: Scan email sent outside | US Social Security Number
    U.S. SSN Laws: Scan text limit exceeded
    U.S. SSN Laws: Attachment not supported

    The policies were enabled but they are in Test mode with No Policy Tips (for now) and I understand why.

    The false positive rate is thousands per day and at this point cannot recommend Enforced.

    I added the "Generate incident report and send to" so that I get all the audits.

    On all the policy sections above, the number of emails getting flagged as "Attachment not supported" is off the chart, and most of the emails don't have attachments.

    Even after removing (full-on deleting) and waiting a full 24 hours for effect, I'm still getting these audit alerts. None of them are tagged as false positives, but 95% of the emails don't have attachments and yet DLP is stating it cannot be scanned.  The ones that do have attachments are standard DOCX and PDF with no encryption.

    If I'm reading this correctly, how is this going to impact mail flow if set to "Enforced"?

    I've got thousands of audits returning along this line:

    Override: No
    False Positive: No
    Rule Hit: U.S. SSN Laws: Attachment not supported, DLP Policy: Social Security Number, <MessageID>, Action: AuditSeverityLevel, ModerateMessageByManager, GenerateIncidentReport
    Rule Hit: U.S. HIPAA: Attachment not supported, DLP Policy: Health Care Data, <messageID>, Action: AuditSeverityLevel, ModerateMessageByUser, GenerateIncidentReport

    And this is before and after deleting:

    Scan text limit exceeded
    Attachment not supported

    Just to see if I can get it to stop flagging these emails.

    Any thoughts appreciated.

    Example:


    Tuesday, April 30, 2019 5:32 PM

All replies

  • Again, I deleted these line items from the policies 24 hours ago and they just keep coming.

    Override: No
    False Positive: No
    Rule Hit: U.S. SSN Laws: Attachment not supported, DLP Policy: Social Security Number, <ID>, Action: AuditSeverityLevel, ModerateMessageByManager, GenerateIncidentReport
    Rule Hit: U.S. HIPAA: Attachment not supported, DLP Policy: Health Care Data, <ID>, Action: AuditSeverityLevel, ModerateMessageByUser, GenerateIncidentReport

    Tuesday, April 30, 2019 5:49 PM
  • Hi BRIAN,

    I'm a little confused with your description.

    My understanding is that:

    Most of the emails (95%) don't have attachments, but DLP still applies the rule named "Attachment not supported" to these emails and then sends an incident report to a selected user. Am I correct?

    If I have misunderstood, I'd recommend you show us a detailed example to use, and let us know what you want to achieve.


    Best Regards,
    Niko Cheng


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.



    Wednesday, May 1, 2019 9:26 AM
    Moderator
  • Correct.  Most of the emails do not have attachments.  We are getting thousands of flagged messages from every policy where we had:

    Scan text limit exceeded
    Attachment not supported

    On the attachment not supported there are no attachments and we are still getting this audit report:

    This is one example of thousands and this is after removing attachment not supported

    Rule Hit: U.S. SSN Laws: Attachment not supported, DLP Policy: Social Security Number, 7de714f8-99f0-48c9-82f4-263bffea9404, Action: AuditSeverityLevel, ModerateMessageByManager, GenerateIncidentReport
    Rule Hit: U.S. HIPAA: Attachment not supported, DLP Policy: Health Care Data, 119745b1-51de-47ba-9d42-1cb352d04f64, Action: AuditSeverityLevel, ModerateMessageByUser, GenerateIncidentReport

    Wednesday, May 1, 2019 5:26 PM
  • Btw, I removed (deleted) the "Attachment not supported" and still getting an incident report.
    Wednesday, May 1, 2019 6:26 PM
  • Hi BRIAN,

    Does only the rule named "Attachment not supported" have the "send an incident report" condition selected?

    How did you remove the rule from the DLP policy? Did you uncheck the rule, or delete the rule as below:

    If only the rule named "Attachment not supported" has the "send an incident report" condition selected, you can delete this rule from all DLPs (US Financial & HIPAA & US Social) and wait for hours, then check if the same issue persists.


    Best Regards,
    Niko Cheng



    Thursday, May 2, 2019 8:59 AM
    Moderator
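
To check whether rules believed deleted are still producing hits, the following Python script (an added example, not part of the thread) parses incident-report text in the "Rule Hit" layout quoted above and counts hits per DLP policy and rule. The sample reports, the placeholder ids, and all function names are constructed for illustration.

```python
import re
from collections import Counter

# One "Rule Hit" entry, in the layout quoted in the thread:
#   Rule Hit: <rule>, DLP Policy: <policy>, <id>, Action: <a1>, <a2>, ...
# Entries may sit on separate lines or be run together on one line.
RULE_HIT = re.compile(
    r"Rule Hit:\s*(?P<rule>.+?),\s*DLP Policy:\s*(?P<policy>.+?),\s*"
    r"(?P<ident>[^,]+),\s*Action:\s*(?P<actions>.*?)(?=\s*Rule Hit:|$)",
    re.S,
)

def parse_rule_hits(report_text):
    """Return one dict per Rule Hit entry found in an incident-report body."""
    hits = []
    for m in RULE_HIT.finditer(report_text):
        hit = {k: v.strip() for k, v in m.groupdict().items()}
        hit["actions"] = [a.strip() for a in hit["actions"].split(",") if a.strip()]
        hits.append(hit)
    return hits

def tally(reports):
    """Count hits per (DLP policy, rule name) across many reports."""
    return Counter((h["policy"], h["rule"]) for r in reports for h in parse_rule_hits(r))

def hits_from_removed_rules(reports, removed_suffixes):
    """Hits whose rule name ends with a rule the admin believes was deleted."""
    return {k: n for k, n in tally(reports).items()
            if k[1].endswith(tuple(removed_suffixes))}

# Constructed sample reports; the GUID-style ids are placeholders.
SAMPLE_REPORTS = [
    "Override: No False Positive: No "
    "Rule Hit: U.S. SSN Laws: Attachment not supported, DLP Policy: Social Security Number, "
    "00000000-0000-0000-0000-000000000001, Action: AuditSeverityLevel, ModerateMessageByManager, "
    "GenerateIncidentReport Rule Hit: U.S. HIPAA: Attachment not supported, DLP Policy: Health Care Data, "
    "00000000-0000-0000-0000-000000000002, Action: AuditSeverityLevel, ModerateMessageByUser, GenerateIncidentReport",
    "Override: No\nFalse Positive: No\nRule Hit: U.S. HIPAA: Scan email sent outside, DLP Policy: Health Care Data, "
    "00000000-0000-0000-0000-000000000003, Action: AuditSeverityLevel, GenerateIncidentReport\n",
    "Rule Hit: U.S. SSN Laws: Scan text limit exceeded, DLP Policy: Social Security Number, "
    "00000000-0000-0000-0000-000000000004, Action: AuditSeverityLevel, GenerateIncidentReport",
]
REMOVED = ["Attachment not supported", "Scan text limit exceeded"]

if __name__ == "__main__":
    for (policy, rule), n in sorted(hits_from_removed_rules(SAMPLE_REPORTS, REMOVED).items()):
        print(f"{n:5d}  {policy}  |  {rule}")
```

Running it over reports received before and after the deletion time shows whether the per-rule counts for the removed rules actually drop to zero.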