[SOLUTION] How to detect MIP labels with real-time SMTP outbound app policies

oscar
Partner

Hello everyone, thanks for reading this.

 

I'm trying to detect MIP labels with real-time SMTP outbound app policies, but I cannot make it work.

 

I found this video (Microsoft and Netskope Email MIP), which briefly shows how the MIP label ID has been set as a regex and the scan type is Metadata&Content.

Unfortunately, it does not show the rest of the DLP Rule configuration.

 

I tried the same config as the video, also tried the same but adding "^.+" and ".+$" before and after the regex respectively as well.

I also tried putting the whole "MSIP_Label_{LABEL-ID}_Name" string, which can be seen by opening the MIP-labeled MS Office document and going to "File > Information > Properties > Advanced Properties > Custom Tab".

I set scan type as Metadata&Content, set the threshold to 1 and set apply action to severity low.

None of this worked for me.

 

I hope someone has faced this situation and found a solution.

Thanks in advance,

Òscar

1 ACCEPTED SOLUTION
oscar
Partner

Hi all, thanks for reading.

 

I just want to share how I made MIP label detection work for real-time policies.

 

The DLP Rule looks as follows:

  • Custom identifiers: MSIP_Label_{MIP label ID}_Name  ---> e.g. MSIP_Label_a1s2d3f4-a1s2-g5h6-n6n6n6n6n6n6_Name
  • Expression: C0
  • Scan Section:
    • Metadata
    • Record scanning Off
  • Severity Threshold:
    • Record
    • Unique count On
    • Trigger at Low
    • Low: 1
    • Medium: 1 ---> (I wanted this detection to be Medium)
    • High: 100
    • Critical: 1000

IMPORTANT: Add the DLP Rule to a DLP Profile with NO File Properties constraints.

 

Create a Real-time email outbound policy and use the DLP Profile there.

 

Hope this helps!!

Kind regards,

Òscar


5 REPLIES
kh_jenn
Community Manager

Thank you for reaching out, @oscar! Our community team is looking into this for you and will get back to you shortly! If any community members know a solution, please feel free to respond here.

rmanley
Netskope

@oscar - you can just see the configuration of the DLP rule in the video linked, so you'll need to configure like so:

 

  1. Create an entity with your Confidential GUID (https://docs.netskope.com/en/dlp-entity.html)
  2. Create an entity for the word Confidential
  3. Create a Rule that combines the two with an AND operator:

rmanley_0-1655901857805.png

 

4. Choose 'Metadata' for the content and leave 'Record Based Scan' unticked.

5. Set the Severity to 1 for Low (or Medium or High) based on how critical this is

6. The configuration will then look like this:

rmanley_1-1655901971915.png

 

7. Add this rule to a DLP Profile and then add that Profile into your Email DLP policy 

 

Hope that helps!

 

RossM

Hello @rmanley, thanks for responding.

 

I saw your response after I posted my solution.

Nonetheless, I found the solution a few days ago; I wanted to share it with the community and close this thread.

 

Regarding your suggestions, just to let you know, I cannot find a "Confidential" word in the MIP-labeled docs' metadata. It doesn't matter what MIP label I use. The keyword I always see there for the key "MSIP_Label_{MIP label ID}_Method" value is "Privileged". I have confirmed this in two different O365 MIP tenants.

 

Maybe Microsoft updated this value from Confidential to Privileged in some update since that tutorial was created.

 

I'm sure your solution works as well if you replace Confidential with Privileged.

 

Thanks for your support!

Kind regards,

Òscar

Looks good, glad you got it sorted!
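
Added example, not part of the thread and not Netskope's code: a Python script that reads the `MSIP_Label_{MIP label ID}_*` custom properties out of an Office file, so the exact `_Name` identifier and the `_Method` value discussed above can be confirmed before building the DLP rule. The function names, the label GUID and the label name "Internal" are constructed; it assumes the file is an OOXML package (docx/xlsx/pptx), where custom properties are stored in `docProps/custom.xml`.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces for docProps/custom.xml and its typed values.
CP = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
VT = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
# Property names look like MSIP_Label_<label GUID>_<field>.
MSIP_RE = re.compile(r"^MSIP_Label_([0-9a-fA-F-]{36})_(\w+)$")

def msip_labels(package_bytes):
    """Return {label_id: {field: value}} from an Office file's custom properties."""
    labels = {}
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as pkg:
        if "docProps/custom.xml" not in pkg.namelist():
            return labels  # no custom properties part, so no label metadata
        root = ET.fromstring(pkg.read("docProps/custom.xml"))
    for prop in root.iter(f"{{{CP}}}property"):
        m = MSIP_RE.match(prop.get("name", ""))
        if m:
            value = "".join(prop.itertext()).strip()  # text of the vt:* child
            labels.setdefault(m.group(1), {})[m.group(2)] = value
    return labels

def dlp_identifiers(labels):
    """Literal strings for the DLP rule's custom identifier, one per label."""
    return [f"MSIP_Label_{label_id}_Name" for label_id in sorted(labels)]

def build_sample():
    """Constructed sample: a minimal package holding only docProps/custom.xml."""
    label_id = "00000000-1111-2222-3333-444444444444"  # constructed GUID
    fields = {"Enabled": "true", "Name": "Internal", "Method": "Privileged"}
    props = "".join(
        f'<property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="{i}" '
        f'name="MSIP_Label_{label_id}_{k}"><vt:lpwstr>{v}</vt:lpwstr></property>'
        for i, (k, v) in enumerate(fields.items(), start=2)
    )
    xml = f'<Properties xmlns="{CP}" xmlns:vt="{VT}">{props}</Properties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("docProps/custom.xml", xml)
    return buf.getvalue()

if __name__ == "__main__":
    found = msip_labels(build_sample())
    print(found)
    print(dlp_identifiers(found))
```

To check a real file, pass its bytes to `msip_labels`; for files from untrusted senders, parse with `defusedxml` rather than the standard-library XML parser.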