Reviewing and analyzing DLP reports - Microsoft SC-400 Certification

Both the DLP Policy Matches report and the DLP Incidents report page present a chart and a table that display information about their corresponding events.

When analyzing either report, you can break down the chart by any of the following:

  • Affected service
  • Enforced action
  • Applied policy

You will need to familiarize yourself with the existing DLP report filters, which will help you fine-tune policies and limit false positives and overrides.

Reviewing DLP policy matches

When you use the DLP Policy Matches report, it is recommended to apply filters that narrow the report to particular policies. This lowers the number of matches shown and lets you concentrate on the effect of specific policies in your tenant.

Imagine a scenario in which you created a new policy to protect financial content a week ago and it is currently in test mode. In this case, set the start date in the filter close to the policy's creation date, so the report does not show an empty period from before the policy existed. The following steps outline how to accomplish this:

  1. Navigate to the DLP Policy Matches page and click on Filter (in the right corner).
  2. Choose a start date close to the date you created the policy.
  3. Underneath Services, ensure all services are chosen.
  4. Underneath Policies, choose the DLP policy you wish to review in the drop-down menu.
  5. Underneath Rules, choose all the rules, and then click on Apply.
  6. You can utilize the drop-down menu at the top of the page to amend the breakdown of the chart. This will help you get a better insight into how and where the policy is affecting users.
  7. Click on Chart breakdown by Services.
  8. From within the drop-down menu, click on Chart breakdown by Action.
  9. Choose an option from the legend to filter the results even further.
  10. Utilize the table to review which rule matched as well as the sensitive information that is responsible for the match.
  11. Alternate between the breakdown choices and amend the filters to find peaks in specific services and ties that may indicate a requirement to amend the policy.

Following on from the previous lab exercise, imagine a spike in the Exchange service for bank account number details. This may suggest a leak; however, it may also indicate a legitimate business practice that conflicts with the new policy. It is recommended to investigate the reason behind this conflict before amending the policy.

In this section, we looked at reviewing DLP policy matches. Now, we will look at reviewing DLP incidents.

Reviewing DLP incidents

You can use the DLP Incidents report to get an overview of which items generate more matches than others. When using this overview, do not constrain the report to specific policies: leaving all policies in scope lets you identify items that fall under several policies and review which action is applied in the end. When using the DLP Incidents report, keep the timeframe wide and drill down only if you find peaks at specific times.

Imagine a scenario where you have created a new set of DLP policies and put them in order according to your organization’s DLP strategy. If you wish to review whether or not the priority you chose matches the reality of sensitive data in the organization, you should open the DLP Incidents report page and follow these measures:

  1. Click on Filter in the right corner.
  2. Choose a start date and an end date.
  3. Underneath Services, ensure all services are chosen.
  4. Click on All Policies in the drop-down menu.
  5. Click on Apply.

Not only can you use DLP incident reports to see items that conflict with the policy priority, but you can also use them to find items that generate high-volume matches. This data helps you consider additional protective measures for these items beyond what the DLP policies apply.

Imagine a scenario in which you notice documents with five times as many policy matches as the next highest match count. Although the protective action stops these files from being shared, you may want to consider storing them in a more secure location.
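The analysis described in both sections above (filtering policy matches to one policy from a start date, breaking the chart down by service, action or sensitive information type, finding items in scope of several policies, and spotting an item with five times the matches of the next one), carried out in Python over a constructed set of match events. This is an added example, not code from the book or from Microsoft; the field names and sample values are assumptions, not the portal's export schema.

```python
from collections import Counter, defaultdict
from datetime import date

def ev(month, day, service, policy, action, sit, item):
    return {"date": date(2024, month, day), "service": service, "policy": policy,
            "action": action, "sit": sit, "item": item}

# Constructed sample of DLP match events, modelled on the columns the report
# table shows (service, policy, action, sensitive info type, matched item).
# Field names are assumptions, not the portal's export schema.
MATCHES = [
    ev(4, 28, "Exchange", "Financial Data", "Notify", "Bank Account Number", "mail-0"),
    ev(5, 1, "Exchange", "Financial Data", "Notify", "Bank Account Number", "mail-1"),
    ev(5, 2, "Exchange", "Financial Data", "Notify", "Bank Account Number", "mail-2"),
    ev(5, 2, "Exchange", "Financial Data", "Notify", "Bank Account Number", "mail-3"),
    ev(5, 3, "Exchange", "Financial Data", "Notify", "Bank Account Number", "mail-4"),
    ev(5, 3, "SharePoint", "Financial Data", "Block", "Credit Card Number", "doc-1"),
    ev(5, 3, "SharePoint", "PII Policy", "Block with override", "Credit Card Number", "doc-1"),
    ev(5, 4, "OneDrive", "PII Policy", "Notify", "U.S. SSN", "doc-2"),
    ev(5, 5, "SharePoint", "Financial Data", "Block", "Credit Card Number", "doc-1"),
    ev(5, 5, "SharePoint", "PII Policy", "Block with override", "U.S. SSN", "doc-1"),
    ev(5, 6, "SharePoint", "PII Policy", "Block with override", "U.S. SSN", "doc-1"),
]

def filter_matches(events, policy=None, start=None):
    """Narrow the report as the Filter pane does: one policy, from a start date."""
    return [e for e in events
            if (policy is None or e["policy"] == policy)
            and (start is None or e["date"] >= start)]

def breakdown(events, key):
    """Chart breakdown by Services / Action / Policy: match counts per value of key."""
    return dict(Counter(e[key] for e in events))

def multi_policy_items(events):
    """Items in scope of several policies, with every action that was applied."""
    policies, actions = defaultdict(set), defaultdict(set)
    for e in events:
        policies[e["item"]].add(e["policy"])
        actions[e["item"]].add(e["action"])
    return {i: (sorted(policies[i]), sorted(actions[i]))
            for i in policies if len(policies[i]) > 1}

def high_volume_item(events, factor=5):
    """Top item if it has at least `factor` times the matches of the next item, else None."""
    ranked = Counter(e["item"] for e in events).most_common(2)
    if len(ranked) == 2 and ranked[0][1] >= factor * ranked[1][1]:
        return ranked[0][0]
    return None
```

Run over a real export, the Exchange spike for bank account numbers under the Financial Data policy and the single document matched by two policies are the findings the two sections tell you to investigate before amending a policy.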

After completing this section of the chapter, you should be able to understand how to review DLP incidents. Now, we will take a closer look at reviewing DLP false positives and overrides.
