Configuring policy to look for Azure Information Protection classification label


Article ID: 184645

Products

Data Loss Prevention Endpoint Prevent
Data Loss Prevention Network Prevent for Email
Data Loss Prevention Network Discover
Data Loss Prevention Network Prevent for Web
Data Loss Prevention Endpoint Discover

Issue/Introduction

Best practice for configuring DLP to trigger incidents on documents that have Azure Information Protection (AIP) classification label(s) applied.

Resolution

AIP classification labels have an ID and a name.

For example, the label MSIP_Label_XXXXXXXX-YYYY-ZZZZ-KKKK-UUUUUUUUUUUU_Name=Business Critical; consists of two parts:
XXXXXXXX-YYYY-ZZZZ-KKKK-UUUUUUUUUUUU (where X, Y, Z, K and U are digits or Latin letters) is the label ID, and Business Critical is the displayed classification name.


A keyword policy that searches only for the classification name Business Critical may cause many false positives, because these words can be detected in document content as well as in metadata, which is not the goal when looking for files with AIP labels applied.

If you define a keyword rule using Name=Business Critical, it may not be detected for Word/Excel files, because labels in MS Office file metadata use a different template:

Name : Business Critical


The best option is a keyword rule with a proximity match, but it needs a review of a few test incidents to define the proper maximum word distance (less is better).

Another solution to cover this type of data, which may produce more false positives than the first one, is to use the label ID (XXXXXXXX-YYYY-ZZZZ-KKKK-UUUUUUUUUUUU) as one keyword rule combined (via an "and" condition) with Business Critical as another keyword rule.
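The rule variants discussed in this article, as an added Python example that is not part of the article and not code from the DLP product: it parses both label layouts shown above (the plain "_Name=<name>;" form and the Office "_Name : <name>" form) and evaluates each keyword strategy over constructed sample text, so the miss of the Name= rule on Office metadata and the false positive of the name-only rule on body text can be seen side by side. The GUID, the sample strings, the choice of "MSIP_Label" plus the classification name as the proximity keyword pair, and the word-distance counting are all assumptions made for the example, not values or behaviour taken from the product.

```python
import re

# All sample values below are constructed for this example; the GUID is a
# placeholder of the right shape (8-4-4-4-12), not a real tenant's label ID.
LABEL_GUID = "01234567-89ab-cdef-0123-456789abcdef"
LABEL_NAME = "Business Critical"

# Layout described in the article for a plain AIP label string.
SAMPLE_PLAIN = f"MSIP_Label_{LABEL_GUID}_Name={LABEL_NAME};"
# Layout described in the article for Word/Excel metadata (name after " : ").
SAMPLE_OFFICE = f"MSIP_Label_{LABEL_GUID}_Name : {LABEL_NAME}"
# Constructed body text that uses the words without any label present.
SAMPLE_BODY = "Please treat the billing servers as business critical infrastructure."

# Label ID: groups of digits or Latin letters, as described in the article.
GUID_PATTERN = (r"[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-"
                r"[0-9A-Za-z]{4}-[0-9A-Za-z]{12}")
# Accepts both the "_Name=<name>;" and the "_Name : <name>" layouts.
LABEL_RE = re.compile(r"MSIP_Label_(" + GUID_PATTERN + r")_Name\s*[=:]\s*([^;\r\n]+)")


def find_aip_labels(text):
    """Return (label_id, label_name) pairs found in either metadata layout."""
    return [(m.group(1), m.group(2).strip()) for m in LABEL_RE.finditer(text)]


def name_equals_rule(text, name):
    """Keyword 'Name=<name>': misses Office files, which use 'Name : <name>'."""
    return f"Name={name}" in text


def name_only_rule(text, name):
    """Keyword '<name>' anywhere: also fires on ordinary body text (false positives)."""
    return name.lower() in text.lower()


def proximity_rule(text, first, second, max_distance):
    """True if some occurrence of `first` and some occurrence of `second` have at
    most `max_distance` whitespace-separated tokens between them (case-insensitive).
    This token counting is a simplification of how a DLP product counts words."""
    low = text.lower()
    hits_a = list(re.finditer(re.escape(first.lower()), low))
    hits_b = list(re.finditer(re.escape(second.lower()), low))
    for a in hits_a:
        for b in hits_b:
            left, right = (a, b) if a.start() <= b.start() else (b, a)
            if right.start() < left.end():
                continue  # overlapping matches are not two separate keywords
            between = len(text[left.end():right.start()].split())
            if between <= max_distance:
                return True
    return False


def label_id_and_name_rule(text, label_id, name):
    """Two keyword rules joined with AND: the label ID and the classification name."""
    low = text.lower()
    return label_id.lower() in low and name.lower() in low


def evaluate(text, label_id=LABEL_GUID, name=LABEL_NAME, max_distance=3):
    """Run every rule variant over one piece of extracted text."""
    return {
        "labels_parsed": find_aip_labels(text),
        "name_equals": name_equals_rule(text, name),
        "name_only": name_only_rule(text, name),
        "proximity": proximity_rule(text, "MSIP_Label", name, max_distance),
        "id_and_name": label_id_and_name_rule(text, label_id, name),
    }


if __name__ == "__main__":
    for title, sample in (("plain", SAMPLE_PLAIN), ("office", SAMPLE_OFFICE),
                          ("body", SAMPLE_BODY)):
        print(title, evaluate(sample))
```

Running it shows the pattern the article describes: the Name= rule matches the plain string but not the Office layout, the name-only rule matches all three samples including the unlabelled body text, and both the proximity rule and the ID-and-name rule match only the two labelled samples. The max_distance value is the parameter that needs tuning against real test incidents.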
