Configuring DLP policy to look for Azure Information Protection classification label



Article ID: 184645


Products

Data Loss Prevention Endpoint Prevent
Data Loss Prevention Network Prevent for Email
Data Loss Prevention Network Discover
Data Loss Prevention Endpoint Discover

Issue/Introduction

Best practice for configuring DLP to trigger incidents on documents that have Azure Information Protection (AIP) classification label(s) applied.

Resolution

AIP classification labels have IDs and names.

For example, the label

MSIP_Label_XXXXXXXX-YYYY-ZZZZ-KKKK-UUUUUUUUUUUU_Name=Business Critical;

consists of the label ID XXXXXXXX-YYYY-ZZZZ-KKKK-UUUUUUUUUUUU (where X, Y, Z, K and U are digits or Latin letters) and the classification name, Business Critical.


A keyword policy that searches only for the classification name Business Critical may cause many false positives, because those words can be detected outside the metadata (for example in the document body), which is not the goal when looking for files with AIP labels applied.

If you define a keyword rule using Name=Business Critical, it may not be detected in Word/Excel files, because labels in MS Office files' metadata are written using a different template:

Name : Business Critical

The best option is a keyword rule with a proximity match, but it needs a review of a few test incidents to determine the proper maximum word distance (smaller is better).

Another solution (which may have more false positives than the first one) to cover this type of data is to use the label ID (XXXXXXXX-YYYY-ZZZZ-KKKK-UUUUUUUUUUUU) as one keyword rule, combined via an "and" condition with Business Critical as another keyword rule:
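To see why the three rule styles behave differently, the following added Python model (not the DLP product's matching engine and not code from this article) applies a plain keyword rule, a proximity rule and an AND of two keyword rules to constructed samples of both label templates. It assumes the proximity rule pairs the label ID with the classification name; the GUID is a placeholder, not a real label ID.

```python
import re

# Constructed samples modelled on the two label templates the article describes.
# LABEL_ID is a placeholder GUID, not a real AIP label ID.
LABEL_ID = "12345678-abcd-ef01-2345-6789abcdef01"
NAME = "Business Critical"
EMAIL_STYLE = f"MSIP_Label_{LABEL_ID}_Name={NAME}; MSIP_Label_{LABEL_ID}_Enabled=True;"
OFFICE_STYLE = f"MSIP_Label_{LABEL_ID}_Name : {NAME}\nMSIP_Label_{LABEL_ID}_Enabled : True"
BODY_ONLY = "This quarter's figures are business critical, see the attached deck."
FAR_APART = (f"Label catalogue entry {LABEL_ID} is retired. "
             "Please treat this contract as business critical.")

TOKEN_RE = re.compile(r"[A-Za-z0-9-]+")  # '_', '=', ':' and ';' split tokens


def tokens(text):
    """Lower-cased word tokens; the GUID survives as a single token."""
    return [t.lower() for t in TOKEN_RE.findall(text)]


def keyword_rule(text, keyword):
    """Plain keyword rule: case-insensitive substring match anywhere in the content."""
    return keyword.lower() in text.lower()


def find_phrase(toks, phrase):
    """Start indices at which the token sequence of `phrase` occurs in `toks`."""
    p = tokens(phrase)
    return [i for i in range(len(toks) - len(p) + 1) if toks[i:i + len(p)] == p]


def proximity_rule(text, phrase_a, phrase_b, max_words):
    """Both phrases present with at most `max_words` tokens between them."""
    toks = tokens(text)
    len_a, len_b = len(tokens(phrase_a)), len(tokens(phrase_b))
    for a in find_phrase(toks, phrase_a):
        for b in find_phrase(toks, phrase_b):
            gap = b - (a + len_a) if b >= a else a - (b + len_b)
            if 0 <= gap <= max_words:
                return True
    return False


def and_rule(text, label_id, name):
    """Two keyword rules joined with an AND condition (the article's second option)."""
    return keyword_rule(text, label_id) and keyword_rule(text, name)
```

With a distance of 1 the proximity rule fires on both metadata templates and stays quiet on the body-only and far-apart samples, while the AND rule also fires on the far-apart sample, which is the extra false-positive case the article warns about.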