When you are configuring data loss prevention (DLP) policies, it can be hard to predict their full effect on users. Test mode exists so that administrators can create a new DLP policy and monitor its effect and usefulness before it enforces anything. When incident reports are enabled, you receive an email each time a rule within the policy matches data in the selected locations. Reviewing these reports helps you determine whether the policy is working as intended or whether it needs amending before you turn it on.
A good example is a policy that stops UK driving license numbers from being shared: when you review the definition of the sensitive information type, you notice that the internal product numbers your organization uses are almost identical to the license number pattern. Here you want to test the impact the policy would have on users before activating it, and creating the policy in test mode accomplishes this.
To configure a policy in test mode, follow the standard procedure for creating a policy. The next decision is whether to tell users that they are about to share sensitive content. Test mode can run silently, or it can show policy tips and send email notifications to users. If you inform users, they can see which of their content was flagged and report false positives, which occur when information matches a pattern it was not meant to match. This feedback can be used to improve the accuracy, and therefore the value, of the DLP policy.
In our UK driving license example, a license number and a phone number are different patterns, but a run of characters can still match both. A DLP policy therefore does not have to rely on the pattern alone: the sensitive information type can also require supporting evidence, such as a driver's license keyword within a set proximity of the match, before it decides that a value is a driving license number rather than a telephone number. If a user sends a client their mobile number with no such keyword nearby, the rule does not match. If the same number appears close to a driver's license identifier, the rule matches and the user sees the policy tip for the driver's license policy, from which they can report a false positive.
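The proximity mechanism described above, as an added illustration that is not part of the original chapter and is not the Purview matching engine: a pattern hit only counts when a supporting keyword falls inside a character window around it. The regular expression is a deliberately loose placeholder (not Microsoft's definition of the UK driver's license sensitive information type), the keyword list and sample messages are constructed, and the 300-character window is the default Purview uses for supporting elements.

```powershell
# Added illustration of "pattern + supporting keyword within proximity".
# Not Purview's engine; the pattern is a placeholder and the inputs are constructed.
function Test-SensitiveMatch {
    param(
        [Parameter(Mandatory)][string]$Text,
        [string]$Pattern = '\b\d{11}\b',                       # placeholder, NOT the real licence format
        [string[]]$Keywords = @('driving licence', 'driver licence',
                                'driving license', 'DVLA'),     # constructed supporting evidence
        [int]$ProximityChars = 300                              # default proximity window in Purview
    )

    $hits = @()
    foreach ($m in [regex]::Matches($Text, $Pattern)) {
        # Window of text on either side of the pattern hit
        $start  = [Math]::Max(0, $m.Index - $ProximityChars)
        $end    = [Math]::Min($Text.Length, $m.Index + $m.Length + $ProximityChars)
        $window = $Text.Substring($start, $end - $start)

        # -match is case-insensitive; Escape() keeps keywords literal
        $keyword = $Keywords |
            Where-Object { $window -match [regex]::Escape($_) } |
            Select-Object -First 1

        $hits += [pscustomobject]@{
            Value   = $m.Value
            Keyword = $keyword            # $null when no supporting evidence is nearby
            Match   = [bool]$keyword      # only a keyword-backed hit counts as a match
        }
    }
    return $hits
}

# Constructed sample messages (Ofcom reserves 07700 900xxx for fictional use)
$phoneMessage   = 'Hi Sam, call me on 07700900123 when you land.'
$licenceMessage = 'Please update my DVLA record; my driving licence number is 07700900123.'

# Bare phone number: the loose pattern fires but there is no supporting keyword
Test-SensitiveMatch -Text $phoneMessage

# Same digits, but "DVLA" and "driving licence" sit inside the window
Test-SensitiveMatch -Text $licenceMessage
```

Run the two calls side by side and the Match column shows why a policy tuned with supporting evidence leaves an ordinary phone number alone while still catching the same digits when they are presented as a license number.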
Now that you understand the scenarios and real-life use cases in which you can implement a DLP policy in test mode, the following section will walk through how to enable test mode for an existing DLP policy.
Enabling test mode in an existing DLP policy
To enable test mode for an existing DLP policy, edit the policy, go to the Test or turn on the policy page, and then follow these steps:
- Click on I'd like to test it out first.
- If you want to show policy tips to users, select Show policy tips in test mode; otherwise, leave it cleared.
- Click on Next and review the policy summary.
- Click on Submit once you have reviewed the policy.
- Review what the policy matched from the Reports dashboard: in the Compliance Center, click on Reports and then on DLP policy matches.
- On the Reports page, filter on the policy you created and examine the results.
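The same switch to test mode can be made from Security & Compliance PowerShell, which is also the quickest way to confirm which mode a policy is actually in. This is an added example, not from the chapter; it assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds a compliance admin role, and that the policy name and user principal name are placeholders for your own.

```powershell
# Added example: put an existing DLP policy into test mode and verify it.
# Assumptions: ExchangeOnlineManagement module, compliance admin account,
# placeholder policy name and UPN.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com

$policyName = 'UK Driving Licence - Test'   # placeholder

# -Mode maps onto the "Test or turn on the policy" page:
#   TestWithoutNotifications -> I'd like to test it out first (no policy tips)
#   TestWithNotifications    -> I'd like to test it out first + Show policy tips in test mode
#   Enable                   -> turn the policy on
#   Disable                  -> keep the policy off
Set-DlpCompliancePolicy -Identity $policyName -Mode TestWithNotifications

# Read the policy back: Mode should now show the test mode you set, and the
# location properties show where the test-mode matches will come from.
Get-DlpCompliancePolicy -Identity $policyName |
    Select-Object Name, Mode, Workload,
                  ExchangeLocation, SharePointLocation, OneDriveLocation, TeamsLocation

# List the rules the policy contains, since incident reports are configured per rule
Get-DlpComplianceRule -Policy $policyName | Select-Object Name, Disabled

# Once the DLP policy matches report shows an acceptable false-positive rate,
# move the same policy to enforcement:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Checking the Mode property after the change is worth the extra line: a policy that was meant to be in test mode but was saved as Enable will block content immediately, and a policy saved as Disable produces no matches to review.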
At this stage, you have reviewed the effect the policy has on users from the Reports dashboard. You can amend the policy to change its sensitivity, or add exceptions for words that repeatedly trigger false positives. In the next section, we take a closer look at user notifications.
DLP rule – user notifications
You can notify users when a policy is triggered. With notifications enabled, users can report false positives, which lets you, as the admin, adjust the policy's sensitivity. The following steps enable user notifications for a DLP rule:
- Modify the DLP policy and navigate to the Customize advanced DLP rules section.
- Click Edit on the DLP rule you wish to amend.
- In the Edit rule window, navigate to the User notifications section and turn On the Use notifications to inform your users and help educate them on the proper use of sensitive info option.
You should now understand how user notifications work, where to enable them on existing policies, and the benefit they give to end users. In the final section of this chapter, we will discuss incident reports.
DLP rule – incident reports
When you enable test mode on an existing policy, you need to be told about matches so that you can adjust the sensitivity if a high proportion of them are false positives. Incident reports are configured per rule, so in this scenario each rule within the policy reports its own matches rather than there being a single report for the overall policy.
Follow these steps to configure incident reports within the DLP policy:
- In the Edit rule section of the rule, under Incident reports, choose Low, Medium, or High under Use this severity level in admin alerts and reports.
- To receive a notification email, select Send alert to admins when a rule match occurs, enter your email address, and then choose Send an alert every time an activity matches the rule.
- Review the other parameters on offer to fine-tune the incident report.
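Both of the rule-level procedures in this chapter, user notifications and incident reports, can be applied to every rule in a policy in one pass with Set-DlpComplianceRule. This is an added example and not the chapter's own steps; it assumes the ExchangeOnlineManagement module, a compliance admin account, and placeholder names for the policy, the admin mailbox and the UPN. The AlertProperties mapping is an assumption and is marked as such in the code.

```powershell
# Added example: configure user notifications and incident reports on every
# rule of an existing DLP policy. Assumptions: ExchangeOnlineManagement module,
# compliance admin account, placeholder policy name, mailbox and UPN.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com

$policyName = 'UK Driving Licence - Test'     # placeholder
$adminMailbox = 'dlp-admins@contoso.com'      # placeholder recipient for reports and alerts

# Incident reports are per rule, hence the loop over the policy's rules.
foreach ($rule in Get-DlpComplianceRule -Policy $policyName) {
    $settings = @{
        Identity = $rule.Name

        # DLP rule - user notifications: policy tip and email to the person who
        # last modified the item and to its owner, with text that invites a
        # false-positive report.
        NotifyUser                = 'LastModifier', 'Owner'
        NotifyPolicyTipCustomText = 'This item appears to contain a UK driving licence number. If this is a false positive, use Report.'

        # DLP rule - incident reports: severity used in admin alerts and reports,
        # who receives the report, and what it contains.
        ReportSeverityLevel    = 'Medium'
        GenerateIncidentReport = $adminMailbox
        IncidentReportContent  = 'Title', 'Service', 'Severity', 'RulesMatched', 'DetectionDetails'

        # "Send alert to admins when a rule match occurs"
        GenerateAlert = $adminMailbox

        # Assumption: AggregationType 'None' is the PowerShell equivalent of
        # "Send an alert every time an activity matches the rule". Confirm in
        # your tenant before relying on it.
        AlertProperties = @{ AggregationType = 'None' }
    }
    Set-DlpComplianceRule @settings
}

# Verify rather than assume: read the settings back for every rule.
Get-DlpComplianceRule -Policy $policyName |
    Select-Object Name, NotifyUser, ReportSeverityLevel, GenerateIncidentReport, GenerateAlert |
    Format-Table -AutoSize
```

Applying the settings in a loop keeps every rule in the policy reporting at the same severity and to the same mailbox, which matters in test mode: a rule that is silently left without an incident report produces matches you never see and therefore never tune.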
You should now understand how to enable incident reports for an existing DLP policy. Now, let’s look back at what we have covered and what you should know now that you’ve completed this chapter.
Summary
In this chapter, we covered several different topics, including configuring data loss prevention for policy precedence, configuring policies for Exchange Online, SharePoint Sites, OneDrive, and Microsoft Teams, integrating Microsoft Defender for Cloud Apps with Information Protection and configuring policies in Microsoft Defender for Cloud Apps, and implementing data loss prevention policies in test mode.
This chapter included multiple lab exercises; if you have not worked through them, I strongly recommend that you do so before moving on to the next chapter.
The next chapter will focus on implementing and monitoring Microsoft Endpoint data loss prevention.