Share via

Theory questions on DLP rules

Mikhail Firsov 1,876 Reputation points
2022-04-18T14:44:54.36+00:00

Hello!

The DLP policy created based on some built-in template contains the following (among others) rules:
193951-00.png

These two rules are exactly the same and differs only in policy tips and audit mode:
193952-01.png

Q1: What parameter will define which rule to be fired - "low" or "high"?

Q2: What log will contain the auditing information ("Audit this rule with severity level:")

Thank you in advance,
Michael

Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
7,503 questions
0 comments
Accepted answer
  1. Andy David - MVP 145.6K Reputation points MVP
    2022-04-18T15:07:26.887+00:00

    Q1. Click on the Type in the rule to view: or change the count ( The low or high volume)

    ![![193916-image.png]1]1

    Q2: That actually refers to message tracking, High auditing means the transport rules fired will show up in message tracking.

    https://learn.microsoft.com/en-us/archive/blogs/eopfieldnotes/auditing-transport-rules

    I recall this only works in Exchange Online.

    0 comments

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Mikhail Firsov 1,876 Reputation points
    2022-04-19T06:36:03.427+00:00

    AndyDavid, thank you!

    Q2: It's looks weird to me that this feature is not working as expected - it sometimes does log the corresponding information and sometimes does not (on premises) :(

    Regards,
    Michael

    0 comments