DLP DIM policy block upload to external O365

Article ID: 280073

Products

CASB Gateway, CASB Gateway Advanced, CASB Security Advanced, CASB Security Premium, CASB Security Standard

Issue/Introduction

A CloudSOC administrator can use Tenant Restrictions, applied through the header insertion policy in CloudSOC, to block users from accessing external Office 365 accounts. In some cases, the company still wants users to access external accounts but also wants to control what information they can upload. In that case the administrator can use a DLP DIM policy to trigger content inspection and block the upload if the content matches the policy rules.

Environment

Customers need a CloudSOC tenant with Enforce-managed Data Loss Prevention configured.

Resolution

  1. Create a new policy in Enforce.
  2. Click Add Exception and choose the Contextual Attribute rule type.
  3. In the condition, choose Client Tenant Domain. In the Match field, enter the company-owned domain value (you can capture this value from existing DLP incidents).
  4. Then add a Rule that scans for sensitive information, and select the Policy Group. In the article's example, a simple keyword rule is selected.
  5. If you do not already have one, create a new Office 365 Gatelet application detection under Manage > Application Detection > Configuration. You can use Selective for Applications, then manually pick the full or custom Gatelets you have created for Office 365 domains. Note that you can also use "Any" for the applications, but some Gatelets do not support the client domain contextual attribute, so the policy may not work for all Gatelets.
  6. Make sure that you have selected the policy group that contains the Client Domain Exception policy and selected the Rest Detector.
  7. When the user tries to upload a file to an external Office 365 account, they get a pop-up message and the upload is blocked.
  8. Under Incidents > Applications > Data-in-motion, it is possible that you see multiple policies triggered for the same policy.
  9. In the incident details, you can see that the Client Tenant User ID and the Client Tenant Domain do not match the domain from the User Name/User ID field.
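
An added example, not part of the original article or of any Broadcom tooling: a small triage script for the incident review described in the last two steps. It groups incidents raised for the same upload and compares the Client Tenant Domain with the domain in the user ID; the record layout, field names and sample values are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample incidents; the field names are assumptions, not a CloudSOC export schema.
SAMPLE_INCIDENTS = [
    {"user_id": "alice@example.com", "client_tenant_domain": "partner.example.net",
     "file": "plan.docx", "policy": "Block external O365 upload"},
    {"user_id": "alice@example.com", "client_tenant_domain": "partner.example.net",
     "file": "plan.docx", "policy": "Keyword policy"},
    {"user_id": "bob@example.com", "client_tenant_domain": "Example.com",
     "file": "notes.txt", "policy": "Keyword policy"},
    {"user_id": "carol@example.com", "client_tenant_domain": "",
     "file": "q3.xlsx", "policy": "Keyword policy"},
]


def domain_of(user_id):
    """Lower-cased domain part of a user@domain identifier."""
    return user_id.rsplit("@", 1)[-1].strip().lower()


def classify(incident):
    """Compare the Client Tenant Domain with the domain in the user ID."""
    tenant = (incident.get("client_tenant_domain") or "").strip().lower()
    if not tenant:
        # The attribute can be absent, e.g. from a Gatelet that does not supply it.
        return "no_tenant_attribute"
    if tenant == domain_of(incident["user_id"]):
        return "company_tenant"
    return "external_tenant"


def triage(incidents):
    """Collapse incidents for the same user and file, keeping every policy name that fired."""
    grouped = defaultdict(lambda: {"policies": [], "verdict": None})
    for inc in incidents:
        entry = grouped[(inc["user_id"].lower(), inc["file"])]
        entry["policies"].append(inc["policy"])
        entry["verdict"] = classify(inc)
    return dict(grouped)


if __name__ == "__main__":
    for (user, name), entry in triage(SAMPLE_INCIDENTS).items():
        print(user, name, entry["verdict"], entry["policies"])
```

Records classified as `no_tenant_attribute` are worth checking against the Gatelet selection in the application detection, since not every Gatelet supports the client domain contextual attribute.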