{"id":1610,"date":"2018-03-23T01:00:00","date_gmt":"2018-03-23T01:00:00","guid":{"rendered":"http:\/\/inswwdev.azurewebsites.net\/au\/insights\/uncategorized\/office-365-data-loss-prevention-dlp-setup-for-a-simple-phrase\/"},"modified":"2018-03-23T01:00:00","modified_gmt":"2018-03-23T01:00:00","slug":"office-365-data-loss-prevention-dlp-setup-for-a-simple-phrase","status":"publish","type":"post","link":"https:\/\/www.insentragroup.com\/us\/insights\/geek-speak\/secure-workplace\/office-365-data-loss-prevention-dlp-setup-for-a-simple-phrase\/","title":{"rendered":"Office 365 Data Loss Prevention (DLP) \u2013 Setup for a simple phrase"},"content":{"rendered":"

Data Loss Prevention (DLP) is a huge topic and with GDPR and privacy legislation in Australia, data breach notification is mandatory and leaks are newsworthy. People who leak are becoming martyrs \u2013 just think about Edward Snowden and Julian Assange.<\/p>\n

Implementing a custom DLP policy in Office 365 is a bit of a learning curve, it involves importing a custom XML, working with RegEx and A LOT of testing. We found that, even for a single word it can be tricky and not work as expected.<\/p>\n

WHERE IT SHINES<\/span><\/h3>\n

DLP is extremely useful in cases where the word or phrase isn\u2019t common or is unique to your business such as a credit card number, unique employee ID or top-secret file naming convention.<\/p>\n

Here is a sample XML file for detecting a string \u201c#TOP-SECRET#\u201d. This should be unique enough that it won\u2019t trigger unnecessarily (its case sensitive) and you can put this classification in your top-secret documents. The string in the entity is a normal Regex expression which means it\u2019s extremely powerful. There are also ways to match data to other nearby data such as a Credit Card number and the expiry date but for this blog we are keeping it simple. I won\u2019t go into explaining the XML as there is a good guide\u00a0<\/span>here<\/a>.<\/p>\n

\"\"\"\"<\/p>\n

Steps to use the new rule<\/span><\/h3>\n

1. Import the rule to Office 365 DLP (Connect to Office 365 Security and Compliance PowerShell first)<\/h4>\n

\"\"<\/p>\n

2. Logon to the Security and Compliance Centre and click on Policy -> Create a Policy<\/h4>\n

\"\"<\/p>\n

3. Choose a Custom Policy and click Next<\/h4>\n

\"\"<\/p>\n

4. Name your policy and give it a description<\/h4>\n

\"\"<\/p>\n

5. Choose where to protect your content, for this test we will protect all data (SharePoint, OneDrive and Exchange)<\/h4>\n

\"\"<\/p>\n

6. On the policy settings screen \u2013 choose \u201cEdit\u201d<\/h4>\n

\"\"<\/p>\n

7. Drop down the menu and choose \u201cSensitive Information Types\u201d<\/h4>\n

\"\"<\/p>\n

8. Click on \u201cAdd\u201d then choose the sensitive information type you imported<\/h4>\n

\"\"<\/p>\n

9. Leave the accuracy Min and Max at 100 as this is an exact match scenario and click \u201cSave\u201d<\/h4>\n

\"\"<\/p>\n

10. Customise the notification settings with your rule to match what you require \u2013 make sure you put the \u201cDetect when content that\u2019s being shared contains\u201d down to 1 instance \u2013 otherwise it will be hard to trigger this rule<\/h4>\n

\"\"<\/p>\n

11. Review the settings of the rule and click on \u201cCreate\u201d \u2013 Then wait at least 15-30 minutes before testing the rule.<\/h4>\n

The rule will then block your email based on the conditions you set!<\/h4>\n

\"\"<\/p>\n

THINGS TO BE AWARE OF<\/span><\/h3>\n