Forum Discussion
IanG562
Nov 01, 2024
Brass Contributor
Inbound Sensitive Information
Hello All,
We currently have some DLP policies to restrict Financial Data, HIPAA, and PII data from leaving our org.
However, is there a way to restrict this type of sensitive data from being sent into the org? For example, an external address sends some sensitive data to a specific mailbox. Can a DLP policy be created to block that data from reaching a specific mailbox and reply back that the email was blocked due to the content?
Thanks for any info!
- AakashMalhotra
Microsoft
DLP does scan incoming email as well. You can use the condition "Content is received from".
Note that you should not select any user or group in policy scope, as that limits to internal senders.
- IanG562
Brass Contributor
Thanks for the reply. From my testing this rule I created seems to do the trick.
New DLP Policy
Locations: set to all Exchange email.
Advanced DLP Rule:
Recipient Match
Conditions
Recipient is: <email of shared mailbox>
And
Content contains any of these sensitive info types: U.S. Social Security Number (SSN), Drug Enforcement Agency (DEA) Number, International Classification of Diseases (ICD-10-CM), International Classification of Diseases (ICD-9-CM)
And
Content contains any of these sensitive info types: Credit Card Number, U.S. Bank Account Number, ABA Routing Number
And
Content contains any of these sensitive info types: U.S. Individual Taxpayer Identification Number (ITIN), U.S. Social Security Number (SSN), U.S. / U.K. Passport Number
Evaluate predicate for: Message or attachment
Actions
Notify users with email (customize email body)
Restrict access to the content
Under the User notifications section I have a custom message stating the message was found to have sensitive information and was not delivered.
So far when sending an email containing the above sensitive info from an external account the message does appear to be getting blocked. It does take a while for the email notification to be delivered but it eventually comes through.
Do you see any issues with this rule?
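The same inbound policy and rule, expressed in Security & Compliance PowerShell, as an added example that is not the thread's own exported configuration. It assumes a `Connect-IPPSSession` session is already open, uses a placeholder shared-mailbox address, groups the thread's sensitive info types into one any-of condition, and uses `FromScope NotInOrganization` for the "received from outside the org" condition that AakashMalhotra mentions; the `NotifyUser` value and the policy/rule names are assumptions.

```powershell
# Added example, not the thread's exported rule. Assumes Connect-IPPSSession has run.
$Mailbox = 'shared-mailbox@example.com'   # placeholder: the shared mailbox to protect

# Policy scoped to every Exchange mailbox. Do not add user or group scoping here:
# as noted in the thread, that limits matching to internal senders only.
# Start in test mode so hits can be reviewed before anything is blocked.
New-DlpCompliancePolicy -Name 'Inbound Sensitive Info' `
    -ExchangeLocation All `
    -Mode TestWithNotifications `
    -Comment 'External mail carrying PII/PHI/financial data sent to a shared mailbox'

# One any-of list of sensitive information types (names as used in the thread).
# minCount 1 means a single detection of any one type satisfies the condition.
$Sits = @(
    @{ Name = 'U.S. Social Security Number (SSN)';                       minCount = '1' }
    @{ Name = 'Drug Enforcement Agency (DEA) Number';                    minCount = '1' }
    @{ Name = 'International Classification of Diseases (ICD-10-CM)';    minCount = '1' }
    @{ Name = 'International Classification of Diseases (ICD-9-CM)';     minCount = '1' }
    @{ Name = 'Credit Card Number';                                      minCount = '1' }
    @{ Name = 'U.S. Bank Account Number';                                minCount = '1' }
    @{ Name = 'ABA Routing Number';                                      minCount = '1' }
    @{ Name = 'U.S. Individual Taxpayer Identification Number (ITIN)';   minCount = '1' }
    @{ Name = 'U.S. / U.K. Passport Number';                             minCount = '1' }
)

$Rule = @{
    Name                                = 'Block external SITs to shared mailbox'
    Policy                              = 'Inbound Sensitive Info'
    FromScope                           = 'NotInOrganization'   # sender is outside the tenant
    SentTo                              = $Mailbox                # recipient is the shared mailbox
    ContentContainsSensitiveInformation = $Sits
    BlockAccess                         = $true                   # "Restrict access to the content"
    NotifyUser                          = 'LastModifier'          # assumption: maps to the email sender
    NotifyEmailCustomText               = 'Your message was not delivered because it was found to contain sensitive information.'
    GenerateIncidentReport              = 'SiteAdmin'             # keep an audit trail of every block
    ReportSeverityLevel                 = 'High'
}
New-DlpComplianceRule @Rule

# Confirm the rule was stored as intended; once test-mode results look right,
# switch the policy to -Mode Enable with Set-DlpCompliancePolicy.
Get-DlpComplianceRule -Policy 'Inbound Sensitive Info' |
    Format-List Name, FromScope, SentTo, BlockAccess, NotifyUser
```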
- Dean_Gross
Silver Contributor
I am curious, why did you include the SSN SIT multiple times?
- Fiani
Copper Contributor
I think a DLP policy is created to prevent sharing sensitive information types with unauthorized users, or from internal to external, not to block information from external, but cmiiw.