Learn about the Microsoft Purview Data Loss Prevention migration assistant for Symantec

This article helps you to learn about the Microsoft Purview Data Loss Prevention migration assistant for Symantec.

The migration assistant is a Windows-based desktop application that will migrate your Symantec data loss prevention (DLP) policies to Microsoft Purview Data Loss Prevention. This takes you through the five-step migration process. It accepts Symantec DLP policy XML exports, performs mapping, and creates equivalent DLP policies through PowerShell scripts. You can use the migration assistant to create DLP policies in test mode. Policies in test mode won't impact your live data or impact your existing business processes.

What can the migration assistant help with?

The migration assistant helps with some of the tasks involved in a Data Loss Prevention (DLP) migration project:

• In a manual migration scenario, you need to perform a feasibility analysis between the source and target DLP platforms, map the features, migrate policies manually, and test and tweak DLP policies. With the migration assistant, your migrated DLP policies can be up and running within minutes of starting the migration assistant process.
• With migration assistant, you can quickly scale up your migration project. You can start by moving a single policy manually to multiple policies at the same time.
• The migration assistant automatically identifies sensitive information types (SITs) or Data Identifiers in source policies and creates custom SITs in your Microsoft tenant. It also moves all of your custom regular expressions and keywords in a few clicks.
• The migration assistant detects which conditions, exclusions and actions are currently being used in source policies and automatically creates new rules with the same conditions, and actions.
• The migration assistant provides you with a detailed migration report that includes the migration status and recommendations at the policy level.
• The migration assistant ensures that your DLP policy migration project is private and takes place within the boundaries of your organization.

How does the migration assistant for Symantec work?

Here's how the migration process works:

Each time the migration assistant runs, it runs the following steps:

• Input: The migration assistant ingests one or more Symantec DLP policy XML files.
• Analyze: The migration assistant interprets the files and identifies Symantec DLP policy constructs.
• Rationalize: The migration assistant maps the identified Symantec DLP policy constructs to Microsoft DLP capabilities. It performs validations for Microsoft DLP platform limitations.
• Migrate: The migration assistant runs PowerShell scripts for the DLP scenarios identified and supported by the UDLP platform.
• Report: The migration assistant reports which policies were migrated successfully, which were partially migration, and which ones couldn't be migrated. It also provides recommendations to improve future migrations.

Understand mapping of Symantec DLP elements to Microsoft Purview DLP elements

Here's how the migration assistant translates different policy elements from Symantec DLP to Microsoft Purview DLP:

Symantec DLP supported versions

The migration assistant supports migrating DLP policies from Symantec versions 15.0 through 15.8 maintenance packs included.

Supported Workloads

The migration assistant migrates policies into these workloads.

Workload	Migration assistant support
Exchange Online (EXO)	Yes
SharePoint Online (SPO)	Yes
OneDrive for Business (ODB)	Yes
Teams chat and channel messages	Yes
Endpoint devices	Yes

Tip

You can use the migration assistant to extended to more workloads than the ones detected in the input Symantec DLP policy.

Classification Elements

Here's how the migration assistant maps Symantec elements to Purview DLP elements.

Symantec Classification Element	Microsoft Purview DLP Classification Element
Regular Expression	Create new custom sensitive information type (SIT) with the regular expression.
Keyword	Create new custom SIT with a keyword list or keyword dictionary.
Keyword Pair	Create new custom SIT with first keyword list as primary element & second keyword list as a supporting element with 300 char proximity.
Data Identifier	Map to pre-configured SIT if an equivalent is available, else create a new custom SIT.

Here are the mapping details of optional validators for sensitive information types (also known as Data Identifiers in Symantec DLP) that the migration assistant uses while translating Symantec DLP policies:

Symantec Optional Validators	Microsoft Purview DLP Optional Validators
Exclude exact match	Exclude specific matches
Exact Match Data Identifier Check	NA
Exclude beginning characters	Starts or doesn't start with characters
Exclude ending characters	Ends or doesn't end with characters
Exclude prefix	Include or Exclude prefixes
Exclude suffix	Include or Exclude prefixes
Number Delimiter	NA
Require beginning characters	Starts or doesn't start with characters
Exact Match	NA
Duplicate digits	Exclude duplicate characters
Require ending characters	Ends or doesn't end with characters
Find keywords	Available as both primary & supporting elements

Regular Expressions – Potential validation issues to be aware of

When you upload your rule package XML file, the system validates the XML and checks for known bad patterns and obvious performance issues. Here are known issues that the validation process checks a regular expression for.

• Can't begin or end with alternator "|", which matches everything because it's considered an empty match.
  • For example, "|a" or "b|" won't pass validation.
• Can't begin or end with a ".{0,m}" pattern, which has no functional purpose and only impairs performance.
  • For example, ".{0,50}ASDF" or "ASDF.{0,50}" won't pass validation.
• Can't have ".{0,m}" or ".{1,m}" in groups, and can't have ".*" or ".+" in groups.
  • For example, "(.{0,50000})" won't pass validation.
• Can't have any character with "{0,m}" or "{1,m}" repeaters in groups.
  • For example, "(a*)" won't pass validation.
• Can't begin or end with ".{1,m}"; instead, use just "."
  • For example, ".{1,m}asdf" won't pass validation; instead, use just ".asdf".
• Can't have an unbounded repeater (such as "*" or "+") on a group.
  • For example, "(xx)*" and "(xx)+" won't pass validation.

Condition and Exception Mapping

Here's how the migration assistant maps Symantec condition and exception elements for various workloads to Purview DLP conditions.

Exchange Workload

Condition/Exception in Symantec	Condition in Microsoft Purview DLP
Content Matches Regular Expression	Content contains SIT
Content Matches Keyword	Content contains SIT
Content Matches Data Identifier	Content contains SIT
Content Matches Classification	Not supported
File Properties File name File type	One or more of the following: Document name is File extension is
Message Attachment or File Type Match	One or more of the following: Attachment is password protected Attachment's file extension is
Message Attachment or File Size Match	Document size equals or is greater than
Message Attachment or File Name Match	One or more of the following: Document name contains words or phrases Document name matches patterns
Message/Email Properties and Attributes	One or more of the following: Email subject contains
Sender/User Matches Pattern	One or more of the following: Sender is Sender is a member of Sender domain is Sender address contains words Sender address matches patterns Sender IP address is
Recipient Matches Pattern	One or more of the following: Recipient is a member of Recipient domain is Recipient is Recipient address contains words Recipient address matches patterns
Sender/User based on a Directory Server Group	Not supported
Recipient based on a Directory Server Group	Not supported
Content Matches Exact Data from an Exact Data Profile (EDM)	Not supported
Content Matches Document Signature from an Indexed Document Profile (IDM)	Not supported
Detect using Vector Machine Learning profile (VML)	Not supported
Protocol Monitoring SMTP protocol	Exchange (EXO) DLP policy

Endpoint Devices, SharePoint Online, OneDrive and other workloads

Condition/Exception in Symantec	Condition in Microsoft Purview DLP
Content Matches Regular Expression	Content contains SIT
Content Matches Keyword	Content contains SIT
Content Matches Data Identifier	Content contains SIT
Message Attachment or File Type Match	Document’s file extension is
Protocol Monitoring HTTP HTTPS FTP	Cross-workload DLP policy(s)
Protocol Monitoring: Endpoint Device Type CD/DVD Removable storage Copy to network share Printer/Fax Clipboard Cloud storage Application File Access SEP Intensive Protection	One or more of the following (Devices): Copy to USB removable media Copy to network share Copy to clipboard Print Upload to cloud service domains or access by browsers that aren't allowed

Response Rules

Here's how the migration assistant maps Symantec response rules to Microsoft Purview DLP actions.

Symantec Response Rule	Microsoft Purview DLP Action
Generate DLP Incident	Generate Alert
Logging (Syslog)	Audit logs
Network Prevent: Modify SMTP Message Modify email subject Modify header	One or more of the following: Prepend subject Set headers
Network Prevent: Block SMTP Message Bounce message to sender Redirect message to this address	One or more of the following: Block / Restrict access Send user notification Redirect message to
Send Email Notification	Send User Notification
Endpoint Prevent Notify Notify with Cancel Block	One or more of the following (Endpoint Devices) Notify Block Audit
User Cancel	One or more of the following: Block / Restrict access User Overrides

Next steps

Now that you've learned about the Microsoft Purview Data Loss Prevention migration assistant for Symantec, your next steps are:

1. Get started with the Microsoft Purview Data Loss Prevention migration assistant for Symantec
2. Use the Microsoft Purview Data Loss Prevention migration assistant for Symantec