Notes from the Field: Custom DLP Sensitive Types

If you read the Office 365 messages that appear in your tenant, then you will have noticed a single announcement about Sensitive Types for Data Loss Prevention. Here's what that means.

Clicking on the item displays all the details about this change.

If you read the notice then you will see that Microsoft has expanded support for custom sensitive types beyond Exchange to also include SharePoint, OneDrive, Outlook, Office Clients, and supported mobile apps. In order to make the most of this you need to understand how to create a sensitive type using the XML definition format.

To retrieve any existing XML definitions, you must first connect to Office 365 and use the Get-ClassificationRuleCollection cmdlet (more details on this command can be found here). To connect to Office 365, you can use the following PowerShell.

# Prompt for admin credentials and open a remote session to the Security & Compliance PowerShell endpoint
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
# Import the remote cmdlets into the local PowerShell session
Import-PSSession $Session

Once this has completed you will be presented with a valid session displaying the list of commands that are now available to you in your PowerShell session.

Now we can run the Get-ClassificationRuleCollection command, which will probably prompt for credentials again and load that command into the PowerShell session too. Once loaded you can, for example, access a rule collection by name using the following PowerShell command.

Get-ClassificationRuleCollection "Microsoft Rule Package" | Format-List

This returns only the basic properties of the collection; to export all of the rules, use the following PowerShell.

# Retrieve the rule collection and write its serialized XML to disk as raw bytes
$rulesCollection = Get-ClassificationRuleCollection
Set-Content -path "C:\Output\exportedRules.xml" -Encoding Byte -Value $rulesCollection.SerializedClassificationRuleCollection

Once this has completed you can open the exported file and use search/find to go down to the “” section, where all of the specific rules are stored for the package you exported.

From here you can modify or amend any of the values as needed. For this example though we will create a brand new policy and a new custom package that is unique. To do this first create a new XML file using your editor of choice and add the following:

The GUIDs can be generated by you and do not need to match the ones shown above. Once created save the XML file to the disk somewhere. Now we need to import the newly created rule by using the following PowerShell:

New-DlpSensitiveInformationTypeRulePackage -FileData (Get-Content -Path "C:\Output\CustomRule.xml" -Encoding Byte)

This will validate the XML and then import it, returning the following output.

To use the newly created type, from the Admin Center open the Security & Compliance center, choose the Classifications blade and then choose Sensitive information types.
Scrolling through the list you will see the newly created type.
To use this within a new policy, navigate to Data loss prevention and choose the Policy option. Click the Create Policy button, choose Custom and press the Next button. Give the policy a name and a description. Set the locations as needed; for me I set it to all of them. Next, choose Use simple settings and select the Edit link. Select the Sensitive Types option from the dropdown.
Next press the Add button and search for the custom type you created; for me I typed “hello” and my result was displayed.
Check the policy and press the Add button, followed by the Done button, then press Save. Press Next and then set any options as needed.

Press the Next button and then you can specify whether to test it, turn it on or keep it off as you need. Once set, press Next and then press the Create button. This will then create the new rule, based on the custom XML we uploaded into the Security & Compliance center. Further changes can be made simply by exporting the file, amending it as needed and then updating it using the PowerShell command:

Set-DlpSensitiveInformationTypeRulePackage

As an example, if we wanted to find content that matched the format “274958HELLOITSL”, then we would use a regex to find this within the content we assign it to. Within the existing file we created we can add the following two blocks of XML:

Policy, Regex and Keyword to search on

String values associated to the new Policy
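As an added example (not code from the original post), the following PowerShell script builds a complete custom rule package of the kind described above: a rule pack header, an entity whose pattern pairs a regex for the “274958HELLOITSL” format with a “hello” keyword, and the localized strings for the entity. It checks the regex locally before writing the file that New-DlpSensitiveInformationTypeRulePackage imports. The GUIDs, the publisher and entity names, the output path and the regex pattern are all assumptions.

```powershell
# Added example, not from the original post. GUIDs, names and the regex are assumptions.
$rulePackId  = [guid]::NewGuid()
$publisherId = [guid]::NewGuid()
$entityId    = [guid]::NewGuid()
$pattern = '\d{6}[A-Z]{9}'  # assumed: six digits followed by nine upper-case letters
# Entity = the sensitive type; a hit needs the IdMatch regex plus the keyword within patternsProximity characters.
$xml = @"
<?xml version="1.0" encoding="utf-8"?>
<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
  <RulePack id="$rulePackId">
    <Version major="1" minor="0" build="0" revision="0" />
    <Publisher id="$publisherId" />
    <Details defaultLangCode="en-us">
      <LocalizedDetails langcode="en-us">
        <PublisherName>Contoso</PublisherName>
        <Name>Contoso Custom Rule Package</Name>
        <Description>Custom sensitive types for Contoso</Description>
      </LocalizedDetails>
    </Details>
  </RulePack>
  <Rules>
    <Entity id="$entityId" patternsProximity="300" recommendedConfidence="85">
      <Pattern confidenceLevel="85">
        <IdMatch idRef="Regex_HelloId" />
        <Match idRef="Keyword_HelloId" />
      </Pattern>
    </Entity>
    <Regex id="Regex_HelloId">$pattern</Regex>
    <Keyword id="Keyword_HelloId">
      <Group matchStyle="word">
        <Term>hello</Term>
      </Group>
    </Keyword>
    <LocalizedStrings>
      <Resource idRef="$entityId">
        <Name default="true" langcode="en-us">Hello ID</Name>
        <Description default="true" langcode="en-us">Matches the 274958HELLOITSL identifier format</Description>
      </Resource>
    </LocalizedStrings>
  </Rules>
</RulePackage>
"@
$null = [xml]$xml  # throws if the document is not well-formed XML
if ('274958HELLOITSL' -cnotmatch $pattern) { throw 'regex missed the sample value' }
if ('27495HELLOITSL' -cmatch $pattern)     { throw 'regex matched a five-digit near-miss' }
# Write UTF-8 without BOM, then import with New-DlpSensitiveInformationTypeRulePackage -FileData (Get-Content ... -Encoding Byte)
[IO.File]::WriteAllText('C:\Output\CustomRule.xml', $xml, [Text.UTF8Encoding]::new($false))
```

The local regex checks catch a pattern that is too loose or too strict before the package reaches the tenant, where a bad definition would only show up as missed or spurious DLP matches.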

Now we can run the Set command using the following.

Set-DlpSensitiveInformationTypeRulePackage -FileData (Get-Content -Path "C:\Output\CustomRule.xml" -Encoding Byte)

This command, once it has validated the XML, will prompt you to confirm the update.

The new type should then be listed alongside the original one and be available to use in the same way as the previously created one.

All in all, this is a great feature that lets you create rules specific to the content your organization wishes to control.

More details of what you can do, along with examples of the XML structure can be found here.
