Data Loss Prevention

Through compliance templates and data identifiers, Data Loss Prevention policies allow companies to monitor the flow of sensitive information stored in cloud applications and services.

Define data identifiers and compliance templates for specific regulatory controls
Target specific user mailboxes, SharePoint sites, or cloud application users and groups

Configuring Data Loss Prevention

Select Data Loss Prevention.
Enable Data Loss Prevention.
Optionally select Display violating content in logs with sensitive data Masked/Unmasked.
This provides flexibility for you to determine how sensitive data of your organization will be handled in Data Loss Prevention logs on Cloud App Security for privacy concerns.
- If the check box is not selected, Cloud App Security does not record and display violating content, including the sensitive data that triggered a Data Loss Prevention violation, in the Violating Content column in Logs.
- If Display violating content in logs with sensitive data Unmasked is selected, Cloud App Security records and displays violating content in the Violating Content column in Logs. The sensitive data that triggered a Data Loss Prevention violation is displayed without being masked.
  
  Note:
  Violating content including the sensitive data to display does not exceed 300 characters.
- If Display violating content in logs with sensitive data Masked is selected, Cloud App Security records and displays violating content in the Violating Content column in Logs. The sensitive data that triggered a Data Loss Prevention violation is replaced with asterisks (*), except for the last four characters.
  
  Note:
  If the sensitive data is no longer than four characters, it is displayed without being masked.
The default value is Display violating content in logs with sensitive data Unmasked.

If this setting is changed, it applies only to subsequent violating content. The previous content is not affected.

Configure Compliance Rule(s) settings.

Add or remove compliance templates, then select the action.

Note:

For the actions applied to Salesforce, see the following table.

Pass	Cloud App Security records the detection in a log and the object record content is unchanged.
Quarantine	For text contents: Cloud App Security replaces half of the content violating the policy with asterisks (*) and moves the content to a restricted custom object. The quarantined content is not editable. For files: Cloud App Security moves the file to a restricted custom object and replaces it with a pre-configured file, informing the user that the original file violated a specific Cloud App Security policy and was replaced. Note: For files with a version history, for example, Chatter File, Cloud App Security does not remove it, but adds a feed comment to warn the user that the file violated a specific Cloud App Security policy.
Delete	For files: Cloud App Security deletes the file and adds a pre-configured replacement file, informing the user that the original file violated a specific Cloud App Security policy and was removed. Note: For files with a version history, for example, Chatter File, Cloud App Security deletes the file and adds a feed comment to warn the user that the file violated a specific Cloud App Security policy and was removed. For text contents in Chatter and Community: Cloud App Security deletes the entire content. For text contents in Note, Cloud App Security deletes the note content and adds pre-configured text, informing the user that the original content violated a specific Cloud App Security policy and was removed. For text contents in other Salesforce object records: Cloud App Security records the detection in a log and replaces the entire content violating the policy with asterisks (*).

For more information about each action applied to the other services and applications, see Chapter Advanced Threat Protection of the documentation.

Edit existing custom compliance templates.
Import new custom compliance templates.

Click Show Advanced Options.
Optionally select the Configure actions dedicated to files check box to separately configure actions for files.
If the Tag file name action is selected, specify the tag to amend to the file name.

Note:
The tag cannot exceed 20 characters or contain unsupported characters (/ \ : * ? < > " |).
Specify text to replace the original file content when a file is quarantined or deleted.
Note:
This option is not available for Exchange Online and Gmail.

Configure Notification settings.

Option	Description
Notify administrator	Specify message details to notify administrators that Cloud App Security detected a security risk and took action on an email message, attachment, or file. Notification threshold sets limits on messages to send. Threshold settings include: Send consolidated notifications periodically: Cloud App Security sends an email message that consolidates all the notifications for a period of time. Specify the period of time by typing a number in the box and selecting hour(s) or day(s). Send consolidated notifications by occurrences: Cloud App Security sends an email message that consolidates notifications for a set number of filtering actions. Specify the number of virus/malware occurrences by typing a number in the box. Send individual notifications: Cloud App Security sends an email message notification every time Cloud App Security performs a filtering action.
Notify User	Exchange Online and Gmail: Specify message details that notify recipients that Cloud App Security detected a security risk and took action on their email message or attachment. SharePoint Online, OneDrive, Microsoft Teams (Teams), Box, Dropbox, and Google Drive: Specify message details that notify the user who updated a file that Cloud App Security detected a security risk and took action on their file. Salesforce: Specify message details that notify the user who updated a Salesforce object record that Cloud App Security detected a security risk and took action on the update. Teams Chat: Cloud App Security does not provide this option. When a chat message was blocked, a notification "This message was blocked." provided by Microsoft appears in the sender's private chat window. Message senders can click What can I do? to view more information about the blocked messages. Box: Optionally select the Allow the user to restore the quarantined file check box. This allows end users to restore a quarantined file violating a Data Loss Prevention policy. The email message sent to the user will contain a link. Clicking the link opens a screen where the user can view the file information, select a reason for restoration, and submit the restoration request. The link is valid only for 24 hours. The administrator can go to the Quarantine screen to query and view data about the files restored by end users and the reason for each restoration. Optionally select the Do not notify external user check box. This allows the administrator to choose not to notify an end user of policy violation details if the user violating the policy does not belong to your organization.

Option

Description

Notify administrator

Specify message details to notify administrators that Cloud App Security detected a security risk and took action on an email message, attachment, or file.

Notification threshold sets limits on messages to send. Threshold settings include:

Send consolidated notifications periodically: Cloud App Security sends an email message that consolidates all the notifications for a period of time. Specify the period of time by typing a number in the box and selecting hour(s) or day(s).
Send consolidated notifications by occurrences: Cloud App Security sends an email message that consolidates notifications for a set number of filtering actions. Specify the number of virus/malware occurrences by typing a number in the box.
Send individual notifications: Cloud App Security sends an email message notification every time Cloud App Security performs a filtering action.

Notify User

Exchange Online and Gmail: Specify message details that notify recipients that Cloud App Security detected a security risk and took action on their email message or attachment.

SharePoint Online, OneDrive, Microsoft Teams (Teams), Box, Dropbox, and Google Drive: Specify message details that notify the user who updated a file that Cloud App Security detected a security risk and took action on their file.

Salesforce: Specify message details that notify the user who updated a Salesforce object record that Cloud App Security detected a security risk and took action on the update.

Teams Chat: Cloud App Security does not provide this option. When a chat message was blocked, a notification "This message was blocked." provided by Microsoft appears in the sender's private chat window. Message senders can click What can I do? to view more information about the blocked messages.

Box:

Optionally select the Allow the user to restore the quarantined file check box. This allows end users to restore a quarantined file violating a Data Loss Prevention policy.
- The email message sent to the user will contain a link. Clicking the link opens a screen where the user can view the file information, select a reason for restoration, and submit the restoration request. The link is valid only for 24 hours.
- The administrator can go to the Quarantine screen to query and view data about the files restored by end users and the reason for each restoration.
Optionally select the Do not notify external user check box. This allows the administrator to choose not to notify an end user of policy violation details if the user violating the policy does not belong to your organization.

Note:

When specifying a notification message, include relevant tokens and edit the message content as desired. For details about tokens, see Token List.

Click Save.