Now that we are familiar with the different settings available in Endpoint DLP, let’s use this knowledge and configure some DLP policies for endpoints. As usual, we will start by heading over to the compliance center at https://compliance.microsoft.com.
As we covered this in the previous chapter, you should now be accustomed to creating a DLP policy, but as we are looking to scope this for our endpoints, we need to add some settings to our policies.
Heading to our overview of DLP policies in the tenant, we will select the one that we are going to configure these Endpoint DLP settings for. In my example, I am using the U.K. Financial Data DLP policy as listed here:
Figure 8.9 – The table listing all of the DLP policies present in the Microsoft 365 tenant
Follow the steps shown next for configuring policies for endpoints:
1. Click on the policy you wish to alter these settings for and select Edit policy at the top of the table listing your policies:
Figure 8.10 – Selecting the policy you wish to edit and clicking the Edit policy button
2. This will take us to the editing mode of our DLP policy. Unless you wish to edit the description of the policy, click Next to select the locations to apply the policy:
Figure 8.11 – The only editable thing here is the description of the policy; the name cannot be edited
3. Here, we will toggle the Devices switch to On, meaning that this policy will from now on also cover the devices onboarded to Endpoint DLP. We are given the option to scope which devices this policy would apply to, and which ones, if any, to exclude from the policy:
Figure 8.12 – Toggling the Devices switch to On
4. On the next page, Advanced DLP rules, expand either Low volume of content detected U.K. Financial Data or High volume of content detected U.K. Financial Data and click on the Edit button, which is shown as a pen icon in the portal:
Figure 8.13 – Click on the pen to edit the rules for the DLP policy
5. Scroll down to Actions and select Audit or restrict activities on Windows devices from the Add an action drop-down list. Here, we can adjust the settings for Endpoint DLP, in audit, block, or block with override mode:
Figure 8.14 – Showing the possible enforcement for each setting for Endpoint DLP
6. Let’s change these settings as shown in Figure 8.15:
Figure 8.15 – The settings altered to meet our requirements
7. Once we have saved these settings, we can verify them by looking at the Customize advanced DLP rules page, which we are returned to after pressing Save, as the Actions portion now lists Audit or restrict activities on Windows devices:
Figure 8.16 – Showing Audit or restrict activities on Windows devices
8. We go forward through the edit guide and keep the policy in Test mode so as not to interfere with our users’ daily work. We can now try to create an item containing any of the information types the DLP policy is looking for and try to copy it to a USB device. Because the policy is in Test mode, nothing is enforced, but we should be able to see the activity in the activity explorer:
Figure 8.17 – A dummy document created with a credit card number within
9. In the activity explorer in the compliance center, we can now see that the document was created, and when we try to copy it to a USB device, this will also be audited and logged for us:
Figure 8.18 – Showing the auditing in the activity explorer for our dummy document
10. If we expand the File copied to removable media log entry, we can see the file hash and file path, along with other relevant information:
Figure 8.19 – Showing the file information on an audit log event
And with that, we have edited our DLP policy to accommodate the Endpoint DLP settings as well.
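The same change can be scripted in Security & Compliance PowerShell. The following is an added example, not part of the original walkthrough. It assumes the ExchangeOnlineManagement module is installed. Because the contents of Figure 8.15 are not given in the text, it sets only the removable-media activity that the walkthrough tests, in audit mode:

```powershell
# Added example: scripted equivalent of the portal steps above.
# Requires the ExchangeOnlineManagement module and a compliance admin role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$policyName = 'U.K. Financial Data'   # policy name used in this walkthrough

# Assumption: Figure 8.15 is not available as text, so only the activity
# tested in step 8 (copy to a USB device) is configured, as Audit.
# Block or Warn values would also require the rule's NotifyUser setting.
$restrictions = @(
    @{ Setting = 'RemovableMedia'; Value = 'Audit' }
)

# Step 8 guard: refuse to continue unless the policy is still in a test
# mode, so adding endpoint settings cannot start enforcing on users.
$policy = Get-DlpCompliancePolicy -Identity $policyName -ErrorAction Stop
if ($policy.Mode -notlike 'Test*') {
    throw "Policy '$policyName' is in mode '$($policy.Mode)', expected a test mode."
}

# Step 3: turn on the Devices location for all onboarded devices.
Set-DlpCompliancePolicy -Identity $policyName -AddEndpointDlpLocation All

# Steps 4-6: apply the endpoint restrictions to every rule in the policy
# (the low-volume and high-volume rules in this walkthrough).
$rules = Get-DlpComplianceRule -Policy $policyName
foreach ($rule in $rules) {
    # Note: this replaces any endpoint restrictions already on the rule.
    Set-DlpComplianceRule -Identity $rule.Name `
        -EndpointDlpRestrictions $restrictions
}

# Step 7: read the settings back to confirm they were saved.
Get-DlpCompliancePolicy -Identity $policyName |
    Format-List Name, Mode, EndpointDlpLocation
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, Disabled, EndpointDlpRestrictions
```

Policy changes can take time to reach onboarded devices, so the activity explorer test in steps 8 to 10 may not show events immediately.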
Up next, we will look at how to monitor endpoint activities using the compliance center.