
How to Identify Emails Detected by DLP Policies in Exchange Online

A DLP rule match on an Exchange Online email means someone tried to send content that your data loss prevention policies classify as sensitive. A single match is usually an accident; repeated matches by the same user may signal a deliberate attempt to exfiltrate data. This guide shows how to find DLP rule matches in Exchange Online emails so you can respond quickly and keep sensitive data where it belongs.

Native Solution

Microsoft 365 Permission Required: High
Least Privilege: Information Protection Investigator
Most Privilege: Global Admin

Option 1 Using Microsoft Purview Compliance Portal

  • Log in to the Microsoft Purview compliance portal.
  • Navigate to the Activity explorer under Solutions»Data loss prevention.
  • Set the Activity filter to DLPRuleMatch and the Location filter to Exchange.
  • The result is a DLP event log listing every rule match in Exchange Online for the selected period.
  • Note: By default, Activity explorer shows DLP rule detections from the last 7 days. You can widen the date filter to show up to 30 days, which is the maximum the explorer retains.

Option 2 Using Windows PowerShell Script

  • Microsoft has deprecated the 'Get-DlpIncidentDetailReport' cmdlet, which listed DLP rule detections for the past 30 days. The 'Export-ActivityExplorerData' cmdlet is the replacement.
  • Unlike the deprecated cmdlet, 'Export-ActivityExplorerData' accepts an explicit start and end time rather than being fixed to the last 30 days, but it returns raw JSON or CSV that needs additional filtering before it is readable.
  • To overcome these limitations, we've developed a PowerShell script that audits and exports a detailed report of DLP-matched events across a period longer than 30 days.
  • The script is designed to generate four different DLP rule match reports, including one for Exchange Online.
  • To get the Exchange Online DLP rule match report, run the script with the parameter WorkloadCategory set to 'Exchange', as shown below.

    ./AuditDLPRuleMatch.ps1 -WorkloadCategory Exchange
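The AuditDLPRuleMatch.ps1 script itself is not reproduced on this page. The block below is an added example, not AdminDroid's script, that shows the mechanics such a script has to get right: it splits the requested period into 7-day windows so that no single 'Export-ActivityExplorerData' call spans more than 30 days (the cause of the too_long_frame_exception listed under Common Errors below), pages through each window with the page cookie, filters to Activity = DLPRuleMatch and Workload = Exchange, and writes one CSV. It assumes the Security & Compliance PowerShell module is installed, that the cmdlet's output exposes RecordCount, LastPage, Watermark and ResultData as in Microsoft's documentation, and that the event JSON carries User, PolicyName and RuleName fields; the default window, output path and field names are assumptions to adjust for your tenant.

```powershell
# Added example (not the page's AuditDLPRuleMatch.ps1): export Exchange DLPRuleMatch
# events from Activity explorer for an arbitrary period, 7 days per request.
# Requires: Connect-IPPSSession (Exchange Online PowerShell module).
# Assumed: output properties RecordCount/LastPage/Watermark/ResultData and the
# event field names User/PolicyName/RuleName; verify against your tenant's output.
param(
    [datetime]$StartTime = (Get-Date).AddDays(-90),
    [datetime]$EndTime   = (Get-Date),
    [int]$WindowDays     = 7,
    [string]$OutputPath  = ".\ExchangeDlpRuleMatches.csv"
)

Connect-IPPSSession

$all = New-Object System.Collections.Generic.List[object]
$windowStart = $StartTime

while ($windowStart -lt $EndTime) {
    $windowEnd = $windowStart.AddDays($WindowDays)
    if ($windowEnd -gt $EndTime) { $windowEnd = $EndTime }

    $cookie = $null
    do {
        $params = @{
            StartTime    = $windowStart
            EndTime      = $windowEnd
            Filter1      = @("Activity", "DLPRuleMatch")   # only rule matches
            Filter2      = @("Workload", "Exchange")       # only Exchange Online
            OutputFormat = "Json"
            PageSize     = 5000                            # maximum page size
        }
        if ($cookie) { $params["PageCookie"] = $cookie }

        $page = Export-ActivityExplorerData @params
        if ($null -eq $page) { break }                     # avoid looping on a failed call
        if ($page.RecordCount -gt 0) {
            foreach ($e in ($page.ResultData | ConvertFrom-Json)) { $all.Add($e) }
        }
        $cookie = $page.Watermark                          # pass back to get the next page
    } while (-not $page.LastPage)

    Write-Host ("{0:u} - {1:u}: {2} events collected so far" -f $windowStart, $windowEnd, $all.Count)
    $windowStart = $windowEnd
}

# Flatten nested values to JSON strings so Export-Csv does not emit "System.Object[]"
$all | ForEach-Object {
    $row = [ordered]@{}
    foreach ($p in $_.PSObject.Properties) {
        $row[$p.Name] = if ($p.Value -is [string]) { $p.Value }
                        else { $p.Value | ConvertTo-Json -Compress -Depth 5 }
    }
    [pscustomobject]$row
} | Export-Csv -Path $OutputPath -NoTypeInformation

# Quick triage: who trips DLP most, and which policy/rule pairs fire most (field names assumed)
$all | Group-Object User | Sort-Object Count -Descending | Select-Object -First 10 Count, Name
$all | Group-Object PolicyName, RuleName | Sort-Object Count -Descending | Select-Object -First 10 Count, Name
```

Run it as `.\Export-ExchangeDlpMatches.ps1 -StartTime "01/01/2024" -EndTime "03/31/2024"`. The window size is the only knob that matters for the 30-day limit; 7 days keeps each response small enough that the page cookie loop, not the request size, does the heavy lifting.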
AdminDroid Solution

AdminDroid Permission Required: Any user with report access delegated by the Super Admin.

Steps Using AdminDroid

  • Log in to the AdminDroid Office 365 reporter.
  • Navigate to the DLP Rule Detected Mails report under Audit»Exchange»Data Loss Prevention»Rule Matches.

This report consolidates all Exchange emails detected by DLP rules, providing details such as sender address, receiver address, email subject, BCC, CC, user type, email received time, policy details, and more.

  • Use the built-in chart to visualize the daily summary of DLP-detected emails per user, highlighting those who triggered DLP rules most frequently.

Identify DLP Violations to Improve Email Protection Strategy!

Proactively detect DLP rule matches with AdminDroid to control unauthorized sharing of sensitive data and to support compliance with mandates such as GDPR, HIPAA, or SOX that cover confidential information like client records, financial data, and personally identifiable information (PII).


Important Tips

Integrate Adaptive Protection with DLP policies so that the DLP controls applied to a user are tightened or relaxed automatically according to that user's insider-risk level.

Use sensitivity labels as conditions in DLP policies to achieve more precise data protection based on the content classification.

Reduce DLP mismanagement by creating custom policies with organization-specific keywords, which helps to minimize false positives and improve accuracy.

Implement Data Loss Prevention Strategies to Safeguard Your Organization's Data in Exchange Online

How to create a DLP policy for Exchange Online in M365?

Creating a DLP policy for Exchange Online is essential to prevent the accidental or intentional sharing of sensitive information via email. Such a policy can automatically detect sensitive data, such as credit card numbers and confidential documents, and block it from being sent outside your organization.

Here are the step-by-step instructions to set up a data loss prevention policy in Microsoft 365.

Create Custom DLP Policy for Exchange Online

  • Sign in to the Microsoft Purview compliance portal and navigate to Solutions»Data loss prevention»Policies, then click Create policy.
  • Select Custom under the Categories and Custom policy from the Regulations lists. Then click Next.
  • Give your policy a name, description, and click Next.
  • To apply policy to a specific group of people, select the desired admin units using the Add or remove admin units option, or keep it as a Full directory, then click Next.
  • Choose Exchange email and other desired locations you want to apply policy. Then click Next.
  • Select the option Create or customize advanced DLP rules and click Next.
  • Click Create rule, then give a name and description to the rule.
  • Specify the desired criteria that define what kind of data should be flagged by the DLP policy in the Conditions section.
  • Add the actions that need to be taken when the rule matches the conditions defined in the Actions section.
  • Use the Incident reports section to set up the alert, severity, and threshold to notify when the rule condition is matched.
  • Click Save once you have configured required settings and then hit Next.
  • Set the policy mode to Run the policy in simulation mode and then click Next.
  • Review the policy details and settings, click Submit, and hit Done. Then, perform the events that match the created DLP policy’s conditions.
  • Select your DLP policy and click View Simulation. Evaluate the matches for accuracy and false positives, then click Turn the policy on.

Note: Microsoft provides over 40 built-in policy templates for common industry regulations and compliance, which you can use as-is or customize to meet your specific needs.
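The same policy can be created from Security & Compliance PowerShell, which is useful when you want the configuration in version control or need to repeat it across tenants. The block below is an added example, not part of the original page: it creates a custom policy scoped to Exchange, adds one rule that matches credit card numbers sent to recipients outside the organization, blocks the message with a policy tip, sends an incident report, and starts the policy in simulation mode (the PowerShell equivalent of "Run the policy in simulation mode") before enforcing it. The policy and rule names, the choice of the Credit Card Number sensitive information type, the confidence threshold, the incident report mailbox and the policy tip text are assumptions for illustration.

```powershell
# Added example (not from the original page): portal steps above as PowerShell.
# Requires: Connect-IPPSSession. Names, thresholds and addresses below are assumed.
Connect-IPPSSession

$policyName = "Block credit card numbers in external email"
$ruleName   = "CCN to external recipients - block"

# 1. Policy: Exchange Online only, created in simulation mode with no user notifications
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Detect and block payment card data leaving the tenant by email" `
    -ExchangeLocation All `
    -Mode TestWithoutNotifications

# 2. Rule: condition (>= 1 credit card number at 85% confidence, external recipients),
#    actions (block + policy tip) and incident report settings
$ccn = @{ Name = "Credit Card Number"; minCount = "1"; maxCount = "-1"; minConfidence = "85" }

New-DlpComplianceRule -Name $ruleName -Policy $policyName `
    -ContentContainsSensitiveInformation $ccn `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This message contains payment card data and cannot be sent outside the company." `
    -GenerateIncidentReport "secops@contoso.com" `
    -IncidentReportContent Detections, RulesMatched, Severity, Title `
    -ReportSeverityLevel High

# 3. Verify what was created before sending test messages
Get-DlpCompliancePolicy -Identity $policyName |
    Format-List Name, Mode, ExchangeLocation, Priority, WhenChanged
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, ContentContainsSensitiveInformation, AccessScope, BlockAccess, Disabled

# 4. After reviewing matches in simulation (Activity explorer or View Simulation), enforce:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Leave step 4 commented out until the simulation results look right; switching -Mode from TestWithoutNotifications to Enable is the only change needed to go live, and the same cmdlet with -Mode Disable backs it out.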


How to view & export DLP policies and rules in Office 365?

Reviewing and exporting DLP policies and rules in Microsoft 365 is essential for ensuring that your data protection strategies are effective. Without regular oversight, security gaps can easily emerge, leaving sensitive information vulnerable to breaches.

View and Export DLP Policies Using the Purview Portal

  • Navigate to Solutions»Data loss prevention»Policies in the Microsoft Purview portal.
  • Here, you can view all the DLP policies configured in your organization.
  • Click the Export button to download the DLP policies as a CSV file.

Note: In the Purview portal, you can view basic details such as the policy name, priority, last modified date, and status, but there is no option to view DLP rules.

View and Export DLP Policies Using PowerShell

  • To view and export DLP policies with PowerShell, use the 'Get-DlpCompliancePolicy' cmdlet from Security & Compliance PowerShell (part of the Exchange Online PowerShell module). The matching 'Get-DlpComplianceRule' cmdlet returns the rules inside each policy.
  • To export every configured DLP policy together with its rules, run the following script.
    # Connect to Security & Compliance PowerShell
    Connect-IPPSSession
    # One output row per rule, carrying its parent policy's details
    Get-DlpCompliancePolicy | ForEach-Object {
        $policy = $_
        Get-DlpComplianceRule -Policy $policy.Name | Select-Object `
            @{Name="PolicyName";Expression={$policy.Name}},
            @{Name="PolicyMode";Expression={$policy.Mode}},
            @{Name="PolicyPriority";Expression={$policy.Priority}},
            @{Name="PolicyLastModified";Expression={$policy.WhenChanged}},
            @{Name="PolicyCategory";Expression={$policy.PolicyCategory}},
            @{Name="Workload";Expression={$policy.Workload}},
            @{Name="RuleName";Expression={$_.Name}},
            @{Name="RuleMode";Expression={$_.Mode}},
            @{Name="RuleLastModified";Expression={$_.WhenChanged}},
            @{Name="RuleDisabled";Expression={$_.Disabled}}
    } | Export-Csv -Path "<FilePath>" -NoTypeInformation

Note: Replace '<FilePath>' with the path of the CSV file you want to write. A policy with no rules produces no rows; if you need those listed as well, export 'Get-DlpCompliancePolicy' on its own.


How to find out who modified DLP policies in Microsoft 365?

Untracked changes to DLP policies in Microsoft 365 can disrupt data protection and make your organization vulnerable to sensitive data leaks. Regular audits of DLP policy and rule changes help you identify who made modifications and ensure your data protection measures stay consistent and effective.

Analyze Data Loss Prevention Activity Logs Using the Purview Portal

  • Navigate to the Audit section in the M365 Purview portal and customize the date and time range as needed.
  • Select the following operations in the Activities - friendly names field and click Search.

    Created DLP rule, Updated DLP rule, Deleted DLP rule, Created DLP policy, Updated DLP policy, Deleted DLP policy


Once the search is completed, select the search name and click Export to download the DLP management activity logs.

Audit DLP Modifications Using the Exchange Online PowerShell

To view all DLP management activities in M365, connect to Exchange Online PowerShell with the 'Connect-ExchangeOnline' cmdlet. Then run the following, replacing '<MM/DD/YYYY>' with the desired start and end dates. Note that 'Search-UnifiedAuditLog' returns only 100 records by default, so set '-ResultSize' explicitly (5000 is the maximum per call).

Search-UnifiedAuditLog -StartDate <MM/DD/YYYY> -EndDate <MM/DD/YYYY> -ResultSize 5000 -Operations "New-DlpComplianceRule","Set-DlpComplianceRule","Remove-DlpComplianceRule","New-DlpCompliancePolicy","Set-DlpCompliancePolicy","Remove-DlpCompliancePolicy" | Export-Csv -Path "<FilePath>" -NoTypeInformation
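The one-liner above exports each record's AuditData as an opaque JSON string, which is where the useful detail (who changed what, and which parameters they passed) actually lives. The block below is an added example, not part of the original page: it pages through the unified audit log with '-SessionCommand ReturnLargeSet' so that more than 5000 records are collected, expands AuditData into one row per change, and then lists the changes that weaken protection (removed rules or policies, rules disabled, policies set to Disable). It assumes the Security & Compliance Center audit record fields UserId, Operation, ObjectId and Parameters (an array of Name/Value pairs); the date window, output path and the "weakening" heuristics are assumptions to adapt.

```powershell
# Added example (not from the original page): DLP policy/rule change history from the
# unified audit log, with paging and flattened AuditData.
# Requires: Connect-ExchangeOnline. Assumed: AuditData fields UserId/Operation/ObjectId/
# Parameters[].Name/Value as emitted for Security & Compliance Center cmdlets.
param(
    [datetime]$StartDate = (Get-Date).AddDays(-90),
    [datetime]$EndDate   = (Get-Date),
    [string]$OutputPath  = ".\DlpPolicyChanges.csv"
)

Connect-ExchangeOnline

$operations = @(
    "New-DlpCompliancePolicy", "Set-DlpCompliancePolicy", "Remove-DlpCompliancePolicy",
    "New-DlpComplianceRule",   "Set-DlpComplianceRule",   "Remove-DlpComplianceRule"
)

# A unique session id lets ReturnLargeSet hand back successive 5000-record pages
$sessionId = "DlpChanges-" + [guid]::NewGuid().ToString()
$records   = New-Object System.Collections.Generic.List[object]

do {
    $batch = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
        -Operations $operations -ResultSize 5000 `
        -SessionId $sessionId -SessionCommand ReturnLargeSet
    if ($batch) { foreach ($r in $batch) { $records.Add($r) } }
} while ($batch -and $batch.Count -eq 5000)   # a short page means we have everything

# Expand AuditData so the CSV shows the actual change, not a JSON blob
$rows = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    $paramText = ($d.Parameters | ForEach-Object { "{0}={1}" -f $_.Name, $_.Value }) -join "; "
    [pscustomobject]@{
        When       = $r.CreationDate
        Actor      = $d.UserId        # who ran the cmdlet (portal actions are logged the same way)
        Operation  = $d.Operation     # e.g. Set-DlpComplianceRule
        Target     = $d.ObjectId      # policy or rule that was changed
        Parameters = $paramText       # the parameters passed, e.g. Disabled=True
        RecordId   = $r.Identity
    }
}

$rows | Sort-Object When -Descending | Export-Csv -Path $OutputPath -NoTypeInformation

# Surface the changes a reviewer should look at first (heuristics are assumptions)
$rows | Where-Object {
    $_.Operation -like "Remove-*" -or
    $_.Parameters -match "Disabled=True" -or
    $_.Parameters -match "Mode=Disable"
} | Format-Table When, Actor, Operation, Target -AutoSize
```

The Parameters column is what turns "Set-DlpComplianceRule" into an answer: it tells you whether the rule's conditions were loosened, an action removed, or the rule simply disabled, and by whom.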


Simplify the process of identifying who modified the DLP policies and rules with AdminDroid!

  • With the Data Loss Prevention Policies and Rules report in AdminDroid, you can view all DLP activities in your organization effectively.
  • This report offers detailed insights into DLP policy changes performed by users, with customizable filters to focus on specific data.

What are the best practices for Exchange Online DLP?

Managing DLP policies in Exchange Online can be challenging, and poor configurations often lead to sensitive data being exposed through email communication. Mishandling sensitive data puts your organization at risk of data breaches and non-compliance.

To prevent email data leaks and keep your Exchange Online environment secure, consider the best practices for data loss prevention listed below.

  • Start with Predefined DLP Templates: Microsoft 365 provides predefined DLP templates based on industry standards (e.g., financial, medical and health, or privacy). Begin with these templates to quickly implement basic protection for common sensitive data types. After evaluating their initial effectiveness, customize the templates to suit your organization requirements.
  • Identify and Classify Sensitive Data: Thoroughly identify and classify the sensitive data in your organization before setting up DLP policies, and if the predefined sensitive information types are insufficient, create custom ones that match your own data. For example, a healthcare organization might classify patient records as PII, financial transactions as high-value data, and research findings as intellectual property.
  • Start with Simulation Mode: Initially deploy DLP policies in simulation mode to monitor their performance without enforcing them. This approach helps assess potential false positives and understand the policy’s impact on your organization’s workflows. Then, analyze the DLP incident detail report to fine-tune the policies before full enforcement.
  • Layered Protection Strategy: Combining DLP policies with sensitivity auto-labeling creates a resilient approach to data security. Labeling data as soon as it's created helps ensure users are aware of the type of data they're handling. This proactive approach prevents accidental exposure. When labels enforce encryption, data remains protected, even before DLP policies are activated during sharing.
  • Control DLP Policy Access in Microsoft 365: Ensure that only authorized users have access to configure, monitor, and manage DLP policies in Microsoft 365. Assign roles like DLP Compliance Management and View-Only DLP Compliance Management in Microsoft Purview to delegate permissions. These roles allow users to view settings and perform specific operations in DLP management.
  • Keep DLP Policy Independent: In Microsoft 365, emails are first checked by mail flow rules and then by DLP rules. To achieve an effective setup, avoid linking DLP actions with transport rule conditions, as they don’t re-evaluate each other. For example, if a DLP rule action adds recipients to the mail, the mail flow rules won’t recheck the email for those new recipients.

AdminDroid Exchange Online Auditing Tool

Empower your compliance efforts with detailed DLP incident reports in Exchange Online!

AdminDroid's Exchange Online auditing tool enables you to monitor all DLP rule matches across your organization. The following capabilities give you full control over your Exchange Online emails to facilitate secure data management.

A Quick Summary

Refine DLP Rule Match Insights with Advanced Filters

Easily customize reports with intuitive filters to quickly identify and monitor DLP rule match activities within a specified time frame.

Stay Updated on DLP Alerts for Better Email Security

Leverage AdminDroid's DLP alert template for real-time notifications on emails flagged by DLP rules, so you can review them immediately and take remedial action.

Sensitive Data Trend Analysis with Transport Rule Hits

Regularly analyze transport rule hits to uncover trends, such as common keywords and content types, helping you update and strengthen DLP policies.

Identify Actual User Behind DLP Policy Violations

Utilize the Send As activities report to identify the actual sender responsible for violating the DLP policy, ensuring accurate identification of the user behind sensitive data leaks.

Monitor External Emails to Strengthen DLP

Audit emails sent to external domains to identify unauthorized data leaks and enforce proper DLP policies to keep your organization compliant.

Automated Tracking of DLP Rule Matched Emails

Easily track daily email violations of DLP rules by scheduling the DLP detected emails report to get insights at regular intervals without missing any.

In conclusion, AdminDroid's Exchange Online management tool offers a comprehensive solution to find DLP rule matches. With detailed reports and automated monitoring, it ensures sensitive data is protected and supports compliance within your Microsoft 365 environment.


Common Errors and Resolution Steps While Managing DLP Policies and Tracking its Incidents

The following are the possible errors and troubleshooting hints while creating DLP policies and auditing emails detected by DLP policies in Exchange Online.

Error: Rule must contain at least one condition. Define the condition that must be met for this policy to be applied.

This error occurs when you try to save a DLP rule that has no condition.

Troubleshooting hint: Add at least one condition to the rule before saving it.

Error: At this time, the following location isn’t supported for enhanced DLP templates: On-premises file repositories. Exclude it or go back and choose a non-enhanced template. 

This error occurs when you include the 'On-premises repositories' location in a policy created from a default template in the Enhanced category.

Troubleshooting hint: Default policy templates in the Enhanced category currently do not support 'On-premises file repositories', so exclude that location on the Locations page when creating the policy, or go back and choose a non-enhanced template.

Error: ServerError: ServerError: 400Type: too_long_frame_exception Reason: "An HTTP line is larger than 4096 bytes."

This error can occur when a single 'Export-ActivityExplorerData' request asks for a date range that reaches back more than 30 days.

Troubleshooting hint: Instead of requesting the whole period in one call, split the date range into smaller windows (for example, weekly) and run one request per window. Each request then carries a smaller payload and stays under the limit.

Error: Error with the inputs provided. RequestId:15703aeb-a17a-4e81-8554-6f838c117f67; Search duration is too long. Please select a date range less than 6 months.

This error occurs in the audit log search of the Purview portal when the selected date and time range exceeds the 180-day limit.

Troubleshooting hint: In Microsoft Purview Audit (Standard), logs are retained for a maximum of 180 days, so keep each search within that range.