Recently found the need to filter, or at least be aware of e-mails being sent that contained specific information. An example would be legal matters, where certain information shouldn't be e-mailed outside of the company. Creating a Sensitive Information Rule and combing that with a Data Loss Prevention Policy, you can have that information blocked, or at least the appropriate person or persons notified.
Overall this scenario came about with regards to building a better internal auditing system. Creating the DLP alone isn't the only thing needed to build a more complete picture of what "users" may be doing, but only a piece of the puzzle. In most cases you need to combine it with at least File Server auditing, and local workstation auditing to build the larger picture.
Creating and importing custom Classifications
- First you need to create your custom policy XML
- Save as XML Unicode UTF-8 file with an extension of XML.
- Open the XML in internet explorer if its formatted correctly you will see the XML.
- Then import with Powershell New-ClassificationRuleCollection –FileData ([Byte]$(Get-Content -path INSERT YOUR PATH -Encoding byte -ReadCount 0))
- Once its imported you should be able to create a new DLP policy using the EAC
Creating a custom DLP Rule
- Login to EAC (i.e https://mail.domain.com/ecp)
- Click Compliance Management, data loss prevention
- Click the Plus , then New custom policy
- Name your policy and Choose your mode (I like to test with Policy tags), and click Save
- Select the policy and click the edit your new policy
- Select Rules from the left
- Click the to Create a new rule
- On the Apply this rule if field choose The message contains Sensitive information..
- Click *Select sensitive information types….. (if applicable)
- Click the to choose from the list,
- You should now see your new classification
- Regex – http://gskinner.com/RegExr/
- GUID creator – http://www.guidgenerator.com/online-guid-generator.aspx
- Technet – http://technet.microsoft.com/en-us/library/jj674704(v=exchg.150).aspx
The one thing I noticed that caused some issues from other examples such as: http://technet.microsoft.com/en-us/library/jj674703%28v=exchg.150%29.aspx and http://exchangemaster.wordpress.com/2013/05/15/creating-custom-dlp-classification-rules-and-policy/ is that they mention UTF-16 in the header, as well as TechNet uses a command block. I found that using either example caused an error upon import via powershell. Notice the difference in my example below that I had to switch it to UTF-8 to get powershell to even read the XML.
Need to make sure you replace the below GUID's with self created ones form above.
<?xml version="1.0" encoding="utf-8"?> <RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce"> <RulePack id="797f6b49-682c-42e4-8577-aac6eadd1428"> <Version major="2" minor="0" build="0" revision="0"/> <Publisher id="1a2d8dc3-075b-4ad5-8116-20e90314ade2"/> <Details defaultLangCode="en-us"> <LocalizedDetails langcode="en-us"> <PublisherName>Aaron Bianucci while at FHP</PublisherName> <Name>Test Keyword</Name> <Description>This is a test rule package</Description> </LocalizedDetails> </Details> </RulePack> <Rules> <Entity id="365fa6fb-9a59-4750-b82f-14647b382319" patternsProximity="300" recommendedConfidence="85" workload="Exchange"> <Pattern confidenceLevel="85"> <IdMatch idRef="Regex_Exchange" /> <Any minMatches="1"> <Match idRef="Regex_DLP" /> <Match idRef="Regex_2013" /> </Any> </Pattern> </Entity> <Regex id="Regex_Exchange">(?i)(\bExchange\b)</Regex> <Regex id="Regex_DLP">(?i)(\bDLP\b)</Regex> <Regex id="Regex_2013">(?i)(\b2013\b)</Regex> <LocalizedStrings> <Resource idRef="365fa6fb-9a59-4750-b82f-14647b382319"> <Name default="true" langcode="en-us"> Test Rule Pack AMB </Name> <Description default="true" langcode="en-us"> Test rule pack - Detects Aaron Drone </Description> </Resource> </LocalizedStrings> </Rules> </RulePackage>