Enable DLP actions to trigger a workflow
DLP workflow - currently there is effectively no DLP workflow. You can block emails from leaving by implementing a DLP policy, but you cannot create a workflow where items violating DLP are routed to a DLP admin team who review it, and can then take further action (review, release, escalate etc). This is pretty bread and butter stuff, and we have had to abandon using 365 DLP (we are using Mailguard for this instead) because it simply can't do what we and our customers need. DLP is not a simple "yes / no" - we've received hundreds of false positives using the standard Australian PII rules in a matter of days - mainly phone numbers triggering it in signatures. It got so annoying that the only way we could handle it was to change the policy to flag it, but allow the messages to be delivered anyway. Which... kind of defeats the "Leakage Prevention" part of DLP.
It's a great idea, and one that needs to be taken more seriously by organisations across the board - but the tools provided within 365 are simply not up to scratch. You can't actually manage DLP using them.
Whether it is a workflow or not, there needs to be some type of an admin override for DLP policy false positives.
it's 2019 now and this is still an open issue.. the DLP workflow would be acceptable if you could disable policy tips completely and still generate user notifications, and then report against those user notifications.
At the very least generate a DLP audit event through the API, when a user triggers the policytip. As the original poster mentioned, by enabling policytips you lose the ability to report on DLP, unless you enable override.
JH Williams commented
It would be nice include in that workflow process a means to easily view the content without leaving the context of DLP
e.g. open up a report > click on the flagged item > review in place (see the highlighted section that matched) > assign a status (take further action) > move on the next items.
Is there a route to integration with an incident tracking tool like ServiceNow? Maybe via Azure Log Analytics?
It's worse in SharePoint Online. The only options are to either block anything which triggers the rule, including false positives, or allow anyone who receives the notification to override, which includes the user who originally put up the document. I want to be able to whitelist false positives, but I don't want the users to whitelist their own documents.
DLP policy tips are slowly in OWA and in outlook its appears immediately.
Spot on. Please built in a simple workflow to manage and track the DLP incidents.
DLP workflow - currently there is effectively no DLP workflow. You can block emails from leaving by implementing a DLP policy, but you cannot create a workflow where items violating DLP are routed to a DLP admin team who review it, and can then take further action (review, release, escalate etc).
YES!! Completely agree that workflow with release ability is BASIC functionality that should be in any DLP system.
Aline V. commented
It would be cool to have the ability to mark off false positives so that reporting is then accurate.
Aline V. commented
For reporting purposes, DLP policies should still be recognized beyond just (1) time so that you can make comparisons. Right now, once a file triggers a match, it only shows up on (1) date and beyond that, it does not show up again on the report. Only new files show up on the report.
A scan should be able to be made so that incident report emails can be sent to thoroughly analyze one drive and SharePoint dlp scenarios. Incident reports can only be triggered now for files uploaded after the DLP policy has been created.
Ben Bazian commented
The DLP policies need better tools to allow the fine tuning of the policies. We get way too many false positives for us to be able to block access. There should also be the ability to exclude certain senders from the policy that generate most of the false positives.