Through compliance templates and data identifiers, Data Loss Prevention policies allow companies to monitor the flow of sensitive information stored in cloud applications and services.
Define data identifiers and compliance templates for specific regulatory controls
Target specific user mailboxes, SharePoint sites, or cloud application users and groups
Data Loss Prevention is not available in the inbound protection of Exchange Online in inline mode.
This provides flexibility for you to determine how sensitive data of your organization will be handled in Data Loss Prevention logs on Cloud App Security for privacy concerns.
If the check box is not selected, Cloud App Security does not record and display violating content, including the sensitive data that triggered a Data Loss Prevention violation, in the Violating Content column in Logs.
If Display violating content in logs with sensitive data Unmasked is selected, Cloud App Security records and displays violating content in the Violating Content column in Logs. The sensitive data that triggered a Data Loss Prevention violation is displayed without being masked.
Violating content including the sensitive data to display does not exceed 300 characters.
If Display violating content in logs with sensitive data Masked is selected, Cloud App Security records and displays violating content in the Violating Content column in Logs. The sensitive data that triggered a Data Loss Prevention violation is replaced with asterisks (*), except for the last four characters.
If the sensitive data is no longer than four characters, it is displayed without being masked.
The default value is Display violating content in logs with sensitive data Unmasked.
If this setting is changed, it applies only to subsequent violating content. The previous content is not affected.
Add or remove compliance templates, then select the action.
For the actions applied to Salesforce, see the following table.
Pass |
Cloud App Security records the detection in a log and the object record content is unchanged. |
Quarantine |
|
Delete |
|
For the Microsoft Teams, SharePoint Online, and OneDrive services, the Apply sensitivity label and Remove sensitivity label actions are available in addition to Pass, Delete, and Quarantine after you provision for Microsoft Information Protection. The two new actions can be taken on files that violate the Data Loss Prevention policies during real-time and manual scanning.
For more information about each action applied to the other services and applications, see Chapter Advanced Threat Protection of the documentation.
Edit existing custom compliance templates.
Import new custom compliance templates.
When this option is selected, for a file, Cloud App Security takes the action specified here instead of the policy-level action described in step 5.
This option can be configured only when the Quarantine action is selected.
The tag cannot exceed 20 characters or contain unsupported characters (/ \ : * ? < > " |).
This option is not available for Exchange Online and Gmail.
The configuration in the Sensitivity Labeling section applies only when you specify the Apply sensitivity label action for files that violate this Data Loss Prevention policy.
The sensitivity labels are defined on the Microsoft 365 compliance center and automatically sync to Cloud App Security on a daily basis. If no sensitivity has been defined, you cannot specify the "Apply sensitivity label" action, and the policy cannot be saved.
The original sensitivity label refers to the sensitivity label that users have applied when uploading, creating, synchronizing, or modifying files in Microsoft Teams, SharePoint Online, or OneDrive.
This backup action is taken on files that violate the Data Loss Prevention policy if Cloud App Security fails to apply the specified sensitivity label to the files for reasons such as that the specified sensitivity label has been deleted on the Microsoft 365 compliance center, or that the file type is not supported.
This option is available only after you have enabled outbound protection for the current organization.
If you enable outbound protection but do not select this option, Cloud App Security checks outbound emails based on the configured Data Loss Prevention policy, but does not take any action on the emails, even when anomalies are detected.
Option | Description |
---|---|
Pass |
Cloud App Security sends back the email to Exchange Online through the TMCAS Inbound Connector without storing the email. Exchange Online then sends the email to the recipient. |
Block |
Cloud App Security discards the email immediately. |
Quarantine |
Cloud App Security quarantines the email for 30 days before discarding it. |
Option | Description |
---|---|
Notify administrator |
Specify message details to notify administrators that Cloud App Security detected a security risk and took action on an email message, attachment, or file. Notification threshold sets limits on messages to send. Threshold settings include:
|
Notify User |
Exchange Online and Gmail: Specify message details that notify recipients that Cloud App Security detected a security risk and took action on their email message or attachment. SharePoint Online, OneDrive, Microsoft Teams (Teams), Box, Dropbox, and Google Drive: Specify message details that notify the user who updated a file that Cloud App Security detected a security risk and took action on their file. Salesforce: Specify message details that notify the user who updated a Salesforce object record that Cloud App Security detected a security risk and took action on the update. Teams Chat: Cloud App Security does not provide this option. When a chat message was blocked, a notification "This message was blocked." provided by Microsoft appears in the sender's private chat window. Message senders can click What can I do? to view more information about the blocked messages. Box:
|
When specifying a notification message, include relevant tokens and edit the message content as desired. For details about tokens, see Token List.