Netskope Community
10-18-2022 06:41 PM
I was looking through the DLP profiles and did not find any support for triggering on Microsoft Purview Information Protection (formerly Azure Information Protection / MIP / AIP) sensitivity labels for real-time protection policies. My goal is to coach/block users from uploading documents with certain labels to unapproved cloud storage.
I can extract the labels from the office documents metadata, but there doesn't seem to be a way for Netskope to detect the labels even with custom dictionaries or EDM. Has anyone gotten sensitivity label detection working in real-time protection DLP policies?
10-20-2022 11:25 AM
In previous versions of "Compliance Center" you could simply put the friendly name of the label in your DLP entity. I'm not sure when this changed -- likely with the rebrand to Purview -- MS no longer writes the friendly name to the metadata. Instead, they write the GUID. Take this GUID and create a case insensitive entity as follows:
MSIP_Label_GUID_Enabled
Use this entity in your Rule, assign the Rule to a custom Profile, and use the Profile in your Policy.
10-27-2022 12:23 PM
To add on to this, the DLP engine should be looking for the data in the headers, not the body of the file.
Further info for others on this path. In your Purview tenant ( https://compliance.microsoft.com ) you MAY be able to see the GUID for each Purview label, but it's not a given. If you can't see the data in the GUI, you can extract the GUID via PowerShell but you will need to install the PowerShell commandlets for the compliance dashboard. Here are the docs on how to connect: Connect to Security & Compliance PowerShell | Microsoft Learn
Alternatively you can set a label on a file (Word, Excel, PowerPoint, etc.), change the extension to .zip and then search for the text "MSIP_Label_" in the folder. You will then have the GUID. Set the label on the file to the other label types you want to target and perform the same zip -> search action to find the other GUIDs. It's tedious but maybe less so than PowerShell online which can be very fiddly.
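The rename-to-.zip search described above can be scripted. The following is an added example, not part of the original posts or of Netskope's or Microsoft's tooling; the function names are hypothetical, and the sample document and its GUID are constructed for illustration.

```python
import io
import re
import zipfile

# Property name format given in the thread: MSIP_Label_<GUID>_Enabled
LABEL_RE = re.compile(
    rb"MSIP_Label_([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})_Enabled"
)
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # do not inflate oversized archive members


def find_label_guids(document):
    """Return {guid: [archive members]} for each label GUID in an Office file.

    `document` is a path or binary file object for a .docx/.xlsx/.pptx,
    which is a ZIP archive, so no renaming is needed.
    """
    found = {}
    with zipfile.ZipFile(document) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue
            for match in LABEL_RE.finditer(zf.read(info)):
                guid = match.group(1).decode("ascii").lower()
                members = found.setdefault(guid, [])
                if info.filename not in members:
                    members.append(info.filename)
    return found


def entity_pattern(guid):
    """String to enter as the case-insensitive DLP entity."""
    return f"MSIP_Label_{guid}_Enabled"


def build_sample():
    """Constructed stand-in for a labelled document (GUID is made up)."""
    xml = ('<Properties><property pid="2" '
           'name="MSIP_Label_1A2B3C4D-0000-4000-8000-ABCDEF012345_Enabled">'
           '<lpwstr>true</lpwstr></property></Properties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/custom.xml", xml)
        zf.writestr("word/document.xml", "<document>body text</document>")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for guid, members in find_label_guids(build_sample()).items():
        print(entity_pattern(guid), "found in", ", ".join(members))
```

Run it against one saved file per label you want to target and collect the printed entity strings.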
10-27-2022 11:19 AM
Hi @BrianThomas, hope you're doing well. If @ryans' answer helps you with what you're looking for, please feel free to click "Accept as Solution" on the comment. 🙂
10-27-2022 12:23 PM
@Rohit_Bhaskar, I've flagged it as accepted. Thanks to @ryans for being the good citizen and following up with the details.
10-27-2022 11:23 AM
@Rohit_Bhaskar - I've been working with Brian and in all fairness, he did most of the work here, I just validated it a few more times 🙂