Preventing accidental and malicious data loss with DLP policies

Your organization will surely have data you don't want sent outside the environment. It may be HIPAA-protected health data, credit card numbers, Social Security numbers, or maybe all three. Whatever your organization does, it will have data that needs to stay inside the environment. So how do you make sure users don't maliciously or accidentally send data to the world that they shouldn't? Data Loss Prevention (DLP) policies.

DLP policies scan content that is being saved in or sent from your Microsoft 365 environment and, when it matches, can block it, warn the user, or notify someone else that the data is being sent. But enough chit-chat, let's jump in.

3 parts of a DLP policy

There are 3 important parts of a DLP policy: the DLP policy itself, the rules, and the sensitive info types. We are going to take these backward.

A sensitive info type defines the content being looked for. It can be a keyword, for example "credit card number" or "cc", or a regular expression, for example "\d{3}-\d{5}-\d{5}", which tells Microsoft to look for 3 digits, a dash (-), 5 digits, a dash (-), and then 5 digits. Microsoft also provides built-in functions (the built-in Credit Card Number type, for example, validates candidate numbers with a checksum rather than just matching digits) and a large set of ready-made sensitive info types to help you get started.

Next is the rule. A rule combines sensitive info types with what happens when they are found. For example, you can create a rule that looks for the credit card sensitive info type and, when it's found, blocks the content from being sent outside the organization. Or you can create a rule that looks for passport numbers and notifies the sender and the admins that the content is being sent. A rule can contain multiple sensitive info types, but the actions applied when the content is found are the same for all of them.

Finally is the DLP policy. The DLP policy says where to search and which rules to apply to that location. For example, I can create a DLP policy that searches all Exchange email with a rule that looks for credit card information and blocks it from going outside the organization. Or I can create a DLP policy with multiple rules in it: one that searches all of OneDrive, with one rule that looks for and blocks any Social Security numbers from being sent outside the company, and another rule that looks for credit card numbers and allows the content to be sent but notifies the admins that it's being sent.

In short, a sensitive info type is "what to search for". Rules say "when content contains these sensitive info types, apply these actions". DLP policies define which rules are applied to which locations.

How to set up a DLP Policy

1. Open the Compliance admin center > Data loss prevention > Policies > Create policy.

Create a DLP policy

2. Click Financial > U.S. Financial Data > Next.

Setup DLP policy for U.S. Financial data

3. On the "name your DLP policy" page click Next.

4. On the "Choose locations to apply the policy" page notice the settings you have. You can include or exclude Exchange mailboxes, SharePoint sites, OneDrive accounts, Teams locations, and more. Click Next.

Choose locations to apply the policy

5. On the "Define policy settings" page click Next.

6. On the "Info to protect" page take notice of the settings. You can choose whether the policy triggers when U.S. Financial data is shared with people outside your organization only, or also when it is shared with people inside it. Click Next.

Info to protect

7. On the "Protection actions" page take note of the settings. Here's where things get interesting.

Protection actions
  • You can define who's notified when content breaches the DLP policy.
  • You can set the number of matches that separates the template's two rules. For example, "At least 10 or more instances of the same sensitive info type" means a document or email needs 10 credit card numbers (or bank account numbers, or routing numbers) before the high-volume rule, with its stronger actions, is triggered. Content with one to nine matches falls under the low-volume rule instead, so what happens to it depends on that rule's actions, not on this threshold. In other words, if the low-volume rule only warns, a user can still send up to nine card numbers outside the environment without being blocked. Choose this number deliberately.
  • Next are the "Send incident reports in email" and "Send alerts if any of the DLP rules match" settings. These send an email to the global admins when content matches the DLP policy, and you can add anyone else you want here.
  • Finally, there is "Restrict access or encrypt the content". This checkbox lets you automatically encrypt the content or set permissions on it.

Click Next.

8. On the "Customize access and override settings" page you have some more options. If you check "Restrict access or encrypt the content in Microsoft 365 locations" even more options will appear! The options on this page are well explained in the UI itself, so I won't repeat them. Click Next.

9. Verify "Turn it on right away" is selected and click Next. Click Submit. Click Done.
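The same policy as code. This is an added example, not part of the original walkthrough: it builds the equivalent of the template above (the three built-in sensitive info types, Exchange, SharePoint and OneDrive locations, a low-volume and a high-volume rule) with the Security & Compliance PowerShell cmdlets from the ExchangeOnlineManagement module. The tenant, policy and rule names, the alerts mailbox and the policy tip text are placeholders of my own; the sensitive info type names are the built-in ones the template uses. It starts the policy in test mode, which the wizard does not do for you when you pick "Turn it on right away".

```powershell
# Added example: the "U.S. Financial Data" wizard walkthrough as PowerShell.
# Requires the ExchangeOnlineManagement module. Tenant, names and the alerts
# mailbox are placeholders; replace them with your own.
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com

$policyName    = "US Financial Data (PowerShell)"
$alertsMailbox = "dlp-alerts@contoso.com"

# "Where to search": all Exchange mailboxes, SharePoint sites and OneDrive accounts.
# Start in test mode with notifications: users see policy tips and incident
# reports are generated, but nothing is blocked until the mode is set to Enable.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Outbound U.S. financial data; created from PowerShell" `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# The three built-in sensitive info types the template uses. Entries in one
# -ContentContainsSensitiveInformation group are ORed, exactly as in the GUI;
# minCount/maxCount is the per-type instance count.
$lowVolume = @(
    @{ Name = "Credit Card Number";       minCount = "1"; maxCount = "9" },
    @{ Name = "U.S. Bank Account Number"; minCount = "1"; maxCount = "9" },
    @{ Name = "ABA Routing Number";       minCount = "1"; maxCount = "9" }
)
$highVolume = @(
    @{ Name = "Credit Card Number";       minCount = "10" },
    @{ Name = "U.S. Bank Account Number"; minCount = "10" },
    @{ Name = "ABA Routing Number";       minCount = "10" }
)

# Low volume (1-9 matches) AND shared outside the org: warn and report, do not block.
New-DlpComplianceRule -Name "Low volume - $policyName" -Policy $policyName `
    -ContentContainsSensitiveInformation $lowVolume `
    -AccessScope NotInOrganization `
    -NotifyUser LastModifier `
    -NotifyPolicyTipCustomText "This item contains U.S. financial data. Remove it before sharing outside the company." `
    -GenerateIncidentReport $alertsMailbox `
    -IncidentReportContent Title, Service, Detections, Severity `
    -ReportSeverityLevel Low

# High volume (10+ matches) AND shared outside the org: block access for people
# outside the organization, allow an override with a written justification,
# and send a full-detail incident report.
New-DlpComplianceRule -Name "High volume - $policyName" -Policy $policyName `
    -ContentContainsSensitiveInformation $highVolume `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -BlockAccessScope PerUser `
    -NotifyUser LastModifier, Owner `
    -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport $alertsMailbox `
    -IncidentReportContent All `
    -ReportSeverityLevel High

# Review what was created before turning it on for real.
Get-DlpComplianceRule -Policy $policyName |
    Format-Table Name, Priority, AccessScope, BlockAccess, NotifyAllowOverride

# When the test-mode incident reports look right:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Run the policy in TestWithNotifications for a week or two and read the incident reports before enabling it: that is where you find out whether the instance counts and confidence levels produce a flood of false positives, and it is far cheaper to tune there than after users start hitting blocks.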

How to edit a DLP policy

Now we'll break down how the DLP policy is applied by opening it and editing its settings.

1. Go to Compliance admin center > Data loss prevention > Policies. Click the checkbox next to the policy and click Edit policy.

Edit data loss prevention policy

2. Click Next until you are on the "Customize advanced DLP rules" page.

DLP Policy rules showing high volume and low volume

Notice there are two rules: one for a low volume of content detected and one for a high volume. If you click the arrows next to the names you'll see a quick breakdown of how each rule works. Now let's click the Edit button next to "Low volume of content detected U.S. Financial Data".

Edit Low volume of content detected U.S. Financial Data

Conditions

Microsoft DLP Policy conditions

The conditions section is asking "what are you looking for". To put it another way: when the content matches the conditions, apply the rule.

Notice there are two sections, Content contains and Content is shared from Microsoft 365. The AND between them means both must evaluate true for this rule to trigger. So if one of your users shares credit card information internally, the rule won't fire.

Now see the sensitive info types inside the Content contains group? Those are OR statements: only one of them has to be found.

So the rule triggers when (a credit card number OR a U.S. bank account number OR an ABA routing number) is found AND the content is shared outside the organization. Now let's talk about the sensitive info types.

Sensitive info types are detection rules, most of them created by Microsoft, that find particular kinds of information. You can see what one looks for by hovering over the "i" next to its confidence level. The tooltip describes the elements it matches and how the confidence level comes into play: a higher confidence level requires more supporting evidence around the primary match. For the credit card number type, for example, the higher levels need the card number plus supporting evidence such as a keyword nearby, while the lower level is satisfied by the number alone. The confidence level is your false-positive dial: low confidence catches more, but it will also fire on unrelated 16-digit numbers that happen to look like a card.

Sensitive info types

The instance count is how many matches are needed to trigger the sensitive info type. Since we are looking at the "Low volume" rule, it wants to find 1 to 9 matches. If the policy finds more than 9 then this rule won't trigger; in this policy, anything above 9 is picked up by the "High volume" rule instead.

Sensitive info types

Exceptions

Exceptions are straightforward: if the exception matches, the rule isn't applied to the content. For example, our current rule says "if the content contains credit card numbers AND is shared with people outside the organization". We could recreate it as "if the content contains credit card numbers, EXCEPT when it's shared inside the organization".

Actions

The actions section is what happens when the content matches. For example, we can encrypt the content and still allow the email to be sent. Let's click Add an action > Restrict access or encrypt the content in Microsoft 365 locations.

DLP Policy: Add an action > Restrict access or encrypt

Check Restrict access or encrypt the content in Microsoft 365 locations and take note of the additional settings. In short, you can block people outside your organization, or everyone, from accessing the content.

Restrict access or encrypt the content in Microsoft 365 locations

User notifications

In the next section, user notifications, you decide who's notified and how. You can notify the person who breached the rule, the owner of the SharePoint site or OneDrive account, or the owner of the content. Additionally, you can add other users who are always notified; for example, you can set yourself to always receive a notification when the rule matches. Next, you can customize the text of the email and of the policy tip. The policy tip is the bar that appears at the top of the Office app you are using when your content matches the rule.

User notifications

User overrides

The user overrides section allows users to override the rule. For example, if the rule blocked an email from being sent, checking the box below allows the sender to override the block and send the email anyway.

DLP Policy user overrides

You have two options when allowing overrides. Require a business justification to override lets the user override the rule, but they have to provide a reason. Override the rule automatically if they report it as a false positive lets the user send the content if they mark the match as a false positive; for example, if the content looks like a bank account and routing number but isn't, the user can send the email. Either way, an override is a conscious decision to let the content out, so make sure someone reviews overrides in the incident reports and the audit log rather than treating them as a silent allow.

Incident reports

This section covers the backend/admin reporting when a match occurs. Alerts appear under Compliance admin center > Data loss prevention > Alerts. You can also send an alert or incident report email to anyone in your organization. Finally, you choose which information is included in the incident report.

Incident reports

Additional options

Finally, there are additional options, designed for when multiple DLP rules match the same content. The first is the ability to stop processing more rules, including rules in other DLP policies. This is a good option if you have several DLP policies that may match the same content but you only want this rule's actions applied. Next is the priority: the lowest number is executed first, so a rule with priority 0 runs before everything else.

Additional options
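The Conditions, Exceptions, Actions, User notifications, User overrides, Incident reports and Additional options sections above map one-to-one onto parameters of Set-DlpComplianceRule. As an added example (not from the original walkthrough), here is the low-volume rule reworked the way the Exceptions section suggests: the "shared outside" condition is replaced by an exception for internal sharing, a false-positive override is allowed, and the rule is moved to the top of the processing order. It assumes the policy from the wizard exists and that the rule still carries the template's default name; the notification address and policy tip text are placeholders.

```powershell
# Added example: editing the template's "Low volume" rule from PowerShell.
# Assumes the rule name the wizard generated; the address and text are placeholders.
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com

$ruleName = "Low volume of content detected U.S. Financial Data"
$dlpTeam  = "dlp-team@contoso.com"

# Splatting keeps each section of the rule editor visible as a labelled block.
$settings = @{
    Identity = $ruleName

    # Conditions. The three sensitive info types are ORed inside the group;
    # minCount/maxCount is the instance count (1-9 = "low volume").
    ContentContainsSensitiveInformation = @(
        @{ Name = "Credit Card Number";       minCount = "1"; maxCount = "9" },
        @{ Name = "U.S. Bank Account Number"; minCount = "1"; maxCount = "9" },
        @{ Name = "ABA Routing Number";       minCount = "1"; maxCount = "9" }
    )
    # Drop the "shared outside the organization" condition ...
    AccessScope = "None"
    # ... and express it as an exception instead: never fire for internal sharing.
    ExceptIfAccessScope = "InOrganization"

    # Actions: warn only, no block, for the low-volume case.
    BlockAccess = $false

    # User notifications: the sender/editor, the site or OneDrive owner, and a fixed mailbox.
    NotifyUser = @("LastModifier", "Owner", $dlpTeam)
    NotifyPolicyTipCustomText = "This item appears to contain U.S. financial data. Please check before sharing outside the company."

    # User overrides: require a justification, or let the user report a false positive.
    NotifyAllowOverride = @("WithJustification", "FalsePositive")

    # Incident reports: to the site admin and the DLP team, with the listed detail.
    GenerateIncidentReport = @("SiteAdmin", $dlpTeam)
    IncidentReportContent  = @("Title", "Service", "Detections", "RulesMatched", "Severity")
    ReportSeverityLevel    = "Medium"

    # Additional options: run first and stop evaluating any other DLP rules.
    Priority             = 0
    StopPolicyProcessing = $true
}
Set-DlpComplianceRule @settings

# Confirm the change took effect.
Get-DlpComplianceRule -Identity $ruleName |
    Format-List Name, Priority, StopPolicyProcessing, AccessScope, ExceptIfAccessScope, NotifyAllowOverride, ReportSeverityLevel
```

Be careful with StopPolicyProcessing combined with Priority 0: the rule now shadows every other DLP rule for any content it matches, including rules in other policies that might have applied a stronger action, so only do this where that is the intent.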

How to create a sensitive info type

Finally, we're on to the sensitive info types. Remember when we used credit card numbers, bank account numbers, and routing numbers? Well, Microsoft allows us to create our own sensitive info types. Let's pretend the company we work for assigns every customer a 13-digit Company ID that looks like "111-12345-12345". Let's create a sensitive info type to detect it.

1. Go to Compliance admin center > Data classification > Sensitive info types. Click Create sensitive info type.

Create sensitive info type

2. Name your sensitive info type "Company ID". Set the description to "Internal Company ID". Click Next.

3. Click Create pattern > Add primary element > Regular expression.

Microsoft 365 DLP info type New pattern

4. Enter an ID of "Company ID". Enter the following in the regular expression "\d{3}-\d{5}-\d{5}". Click Done.

Add a regular expression​

5. Click the Anywhere in the document checkbox. Then click Create.

Create new pattern

6. Click Next > Next > Create.

Now you can use your new sensitive info type in a DLP policy. So remember, if someone (or a question on the MS-500) asks you to make sure a Company ID doesn't leave the organization, you first need to create the sensitive info type and then the DLP policy that uses it.
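The same Company ID type as an XML rule package. This is an added example, not part of the original walkthrough: custom sensitive info types created from PowerShell are uploaded as a rule package with New-DlpSensitiveInformationTypeRulePackage, which also lets you keep the definition in source control. The GUIDs are generated on the fly; the publisher name, the supporting keywords and the test sentence are my own; the regex is the page's pattern with word boundaries added so it does not fire inside a longer run of digits. Test-DataClassification is then used to check the type against a sample string before it goes into a policy.

```powershell
# Added example: the "Company ID" sensitive info type as an XML rule package.
# GUIDs are generated fresh; publisher, keywords and the test string are made up.
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com

$rulePackId  = [guid]::NewGuid()
$publisherId = [guid]::NewGuid()
$entityId    = [guid]::NewGuid()

$xml = @"
<?xml version="1.0" encoding="utf-16"?>
<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
  <RulePack id="$rulePackId">
    <Version major="1" minor="0" build="0" revision="0"/>
    <Publisher id="$publisherId"/>
    <Details defaultLangCode="en-us">
      <LocalizedDetails langcode="en-us">
        <PublisherName>Contoso IT</PublisherName>
        <Name>Company ID rule package</Name>
        <Description>Detects internal 13-digit Company IDs</Description>
      </LocalizedDetails>
    </Details>
  </RulePack>
  <Rules>
    <!-- patternsProximity: how many characters around the primary match the
         supporting keyword may sit in. recommendedConfidence is the level a
         DLP rule gets when it just picks "Company ID" without choosing one. -->
    <Entity id="$entityId" patternsProximity="300" recommendedConfidence="75">
      <!-- Primary match plus a keyword nearby: higher confidence -->
      <Pattern confidenceLevel="85">
        <IdMatch idRef="Regex_company_id"/>
        <Match idRef="Keyword_company_id"/>
      </Pattern>
      <!-- Bare primary match: lower confidence -->
      <Pattern confidenceLevel="65">
        <IdMatch idRef="Regex_company_id"/>
      </Pattern>
    </Entity>
    <!-- The page's pattern, with \b so "1111-12345-123456" is not a hit -->
    <Regex id="Regex_company_id">\b\d{3}-\d{5}-\d{5}\b</Regex>
    <Keyword id="Keyword_company_id">
      <Group matchStyle="word">
        <Term>company id</Term>
        <Term>customer id</Term>
      </Group>
    </Keyword>
    <LocalizedStrings>
      <Resource idRef="$entityId">
        <Name default="true" langcode="en-us">Company ID</Name>
        <Description default="true" langcode="en-us">Internal Company ID</Description>
      </Resource>
    </LocalizedStrings>
  </Rules>
</RulePackage>
"@

# The package is uploaded as raw bytes. Encode as UTF-16 with a BOM so the
# bytes match the XML declaration above (the same as saving the file as Unicode).
$enc   = [System.Text.Encoding]::Unicode
$bytes = [byte[]]($enc.GetPreamble() + $enc.GetBytes($xml))
New-DlpSensitiveInformationTypeRulePackage -FileData $bytes

# Confirm the type exists and is published under our name.
Get-DlpSensitiveInformationType -Identity "Company ID" |
    Format-List Name, Publisher, RecommendedConfidence

# Dry run against a constructed sentence before wiring the type into a rule.
# The keyword "customer id" sits within proximity, so this should hit at 85.
$sample = "Please quote customer id 111-12345-12345 in any reply."
(Test-DataClassification -TextToClassify $sample -ClassificationNames "Company ID").ClassificationResults
```

Once the package is uploaded, the new type is referenced by its Name in -ContentContainsSensitiveInformation exactly like the built-in ones, and a rule can ask for a minimum confidence of 85 to require the keyword or accept 65 to match the bare number.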