Edit

Learn about the Microsoft Purview Data Loss Prevention migration assistant for Symantec

  • Article
  • 7 minutes to read

This article helps you to learn about the Microsoft Purview Data Loss Prevention migration assistant for Symantec.

The migration assistant is a Windows-based desktop application that will migrate your Symantec data loss prevention (DLP) policies to Microsoft Purview Data Loss Prevention. This takes you through the five-step migration process. It accepts Symantec DLP policy XML exports, performs mapping, and creates equivalent DLP policies through PowerShell scripts. You can use the migration assistant to create DLP policies in test mode. Policies in test mode won't impact your live data or impact your existing business processes.

What can the migration assistant help with?

The migration assistant helps with some of the tasks involved in a Data Loss Prevention (DLP) migration project:

  • In a manual migration scenario, you need to perform a feasibility analysis between the source and target DLP platforms, map the features, migrate policies manually, and test and tweak DLP policies. With the migration assistant, your migrated DLP policies can be up and running within minutes of starting the migration assistant process.
  • With migration assistant, you can quickly scale up your migration project. You can start by moving a single policy manually to multiple policies at the same time.
  • The migration assistant automatically identifies sensitive information types (SITs) or Data Identifiers in source policies and creates custom SITs in your Microsoft tenant. It also moves all of your custom regular expressions and keywords in a few clicks.
  • The migration assistant detects which conditions, exclusions and actions are currently being used in source policies and automatically creates new rules with the same conditions, and actions.
  • The migration assistant provides you with a detailed migration report that includes the migration status and recommendations at the policy level.
  • The migration assistant ensures that your DLP policy migration project is private and takes place within the boundaries of your organization.

How does the migration assistant for Symantec work?

Here's how the migration process works:

Process diagram of Microsoft Purview Data Loss Prevention migration assistant for Symantec.

Each time the migration assistant runs, it runs the following steps:

  • Input: The migration assistant ingests one or more Symantec DLP policy XML files.
  • Analyze: The migration assistant interprets the files and identifies Symantec DLP policy constructs.
  • Rationalize: The migration assistant maps the identified Symantec DLP policy constructs to Microsoft DLP capabilities. It performs validations for Microsoft DLP platform limitations.
  • Migrate: The migration assistant runs PowerShell scripts for the DLP scenarios identified and supported by the UDLP platform.
  • Report: The migration assistant reports which policies were migrated successfully, which were partially migration, and which ones couldn't be migrated. It also provides recommendations to improve future migrations.

Understand mapping of Symantec DLP elements to Microsoft Purview DLP elements

Here's how the migration assistant translates different policy elements from Symantec DLP to Microsoft Purview DLP:

Symantec DLP supported versions

The migration assistant supports migrating DLP policies from Symantec versions 15.0 through 15.8 maintenance packs included.

Supported Workloads

The migration assistant migrates policies into these workloads.

Workload Migration assistant support
Exchange Online (EXO) Yes
SharePoint Online (SPO) Yes
OneDrive for Business (ODB) Yes
Teams chat and channel messages Yes
Endpoint devices Yes

Tip

You can use the migration assistant to extended to more workloads than the ones detected in the input Symantec DLP policy.

Classification Elements

Here's how the migration assistant maps Symantec elements to Purview DLP elements.

Symantec Classification Element Microsoft Purview DLP Classification Element
Regular Expression Create new custom sensitive information type (SIT) with the regular expression.
Keyword Create new custom SIT with a keyword list or keyword dictionary.
Keyword Pair Create new custom SIT with first keyword list as primary element & second keyword list as a supporting element with 300 char proximity.
Data Identifier Map to pre-configured SIT if an equivalent is available, else create a new custom SIT.

Here are the mapping details of optional validators for sensitive information types (also known as Data Identifiers in Symantec DLP) that the migration assistant uses while translating Symantec DLP policies:

Symantec Optional Validators Microsoft Purview DLP Optional Validators
Exclude exact match Exclude specific matches
Exact Match Data Identifier Check NA
Exclude beginning characters Starts or doesn't start with characters
Exclude ending characters Ends or doesn't end with characters
Exclude prefix Include or Exclude prefixes
Exclude suffix Include or Exclude prefixes
Number Delimiter NA
Require beginning characters Starts or doesn't start with characters
Exact Match NA
Duplicate digits Exclude duplicate characters
Require ending characters Ends or doesn't end with characters
Find keywords Available as both primary & supporting elements

Regular Expressions – Potential validation issues to be aware of

When you upload your rule package XML file, the system validates the XML and checks for known bad patterns and obvious performance issues. Here are known issues that the validation process checks a regular expression for.

  • Can't begin or end with alternator "|", which matches everything because it's considered an empty match.
    • For example, "|a" or "b|" won't pass validation.
  • Can't begin or end with a ".{0,m}" pattern, which has no functional purpose and only impairs performance.
    • For example, ".{0,50}ASDF" or "ASDF.{0,50}" won't pass validation.
  • Can't have ".{0,m}" or ".{1,m}" in groups, and can't have ".*" or ".+" in groups.
    • For example, "(.{0,50000})" won't pass validation.
  • Can't have any character with "{0,m}" or "{1,m}" repeaters in groups.
    • For example, "(a*)" won't pass validation.
  • Can't begin or end with ".{1,m}"; instead, use just "."
    • For example, ".{1,m}asdf" won't pass validation; instead, use just ".asdf".
  • Can't have an unbounded repeater (such as "*" or "+") on a group.
    • For example, "(xx)*" and "(xx)+" won't pass validation.

Condition and Exception Mapping

Here's how the migration assistant maps Symantec condition and exception elements for various workloads to Purview DLP conditions.

Exchange Workload

Condition/Exception in Symantec Condition in Microsoft Purview DLP
Content Matches Regular Expression Content contains SIT
Content Matches Keyword Content contains SIT
Content Matches Data Identifier Content contains SIT
Content Matches Classification Not supported
File Properties
  • File name
  • File type
    		•  One or more of the following:
  • Document name is
  • File extension is
    		•
    Message Attachment or File Type Match One or more of the following:
  • Attachment is password protected
  • Attachment's file extension is
    		•
    Message Attachment or File Size Match Document size equals or is greater than
    Message Attachment or File Name Match One or more of the following:
  • Document name contains words or phrases
  • Document name matches patterns
    		•
    Message/Email Properties and Attributes One or more of the following:
  • Email subject contains
    		•
    Sender/User Matches Pattern One or more of the following:
  • Sender is
  • Sender is a member of
  • Sender domain is
  • Sender address contains words
  • Sender address matches patterns
  • Sender IP address is
    		•
    Recipient Matches Pattern One or more of the following:
  • Recipient is a member of
  • Recipient domain is
  • Recipient is
  • Recipient address contains words
  • Recipient address matches patterns
    		•
    Sender/User based on a Directory Server Group Not supported
    Recipient based on a Directory Server Group Not supported
    Content Matches Exact Data from an Exact Data Profile (EDM) Not supported
    Content Matches Document Signature from an Indexed Document Profile (IDM) Not supported
    Detect using Vector Machine Learning profile (VML) Not supported
    Protocol Monitoring
  • SMTP protocol
    		•  Exchange (EXO) DLP policy

    Endpoint Devices, SharePoint Online, OneDrive and other workloads

    Condition/Exception in Symantec Condition in Microsoft Purview DLP
    Content Matches Regular Expression Content contains SIT
    Content Matches Keyword Content contains SIT
    Content Matches Data Identifier Content contains SIT
    Message Attachment or File Type Match Document’s file extension is
    Protocol Monitoring
  • HTTP
  • HTTPS
  • FTP
    		•  Cross-workload DLP policy(s)
    Protocol Monitoring: Endpoint Device Type
  • CD/DVD
  • Removable storage
  • Copy to network share
  • Printer/Fax
  • Clipboard
  • Cloud storage
  • Application File Access
  • SEP Intensive Protection
    		•  One or more of the following (Devices):
  • Copy to USB removable media
  • Copy to network share
  • Copy to clipboard
  • Print
  • Upload to cloud service domains or access by browsers that aren't allowed
    		•

    Response Rules

    Here's how the migration assistant maps Symantec response rules to Microsoft Purview DLP actions.

    Symantec Response Rule Microsoft Purview DLP Action
    Generate DLP Incident Generate Alert
    Logging (Syslog) Audit logs
    Network Prevent: Modify SMTP Message
  • Modify email subject
  • Modify header
    		•  One or more of the following:
  • Prepend subject
  • Set headers
    		•
    Network Prevent: Block SMTP Message
  • Bounce message to sender
  • Redirect message to this address
    		•  One or more of the following:
  • Block / Restrict access
  • Send user notification
  • Redirect message to
    		•
    Send Email Notification Send User Notification
    Endpoint Prevent
  • Notify
  • Notify with Cancel
  • Block
    		•  One or more of the following (Endpoint Devices)
  • Notify
  • Block
  • Audit
    		•
    User Cancel One or more of the following:
  • Block / Restrict access
  • User Overrides
    		•

    Next steps

    Now that you've learned about the Microsoft Purview Data Loss Prevention migration assistant for Symantec, your next steps are:

    1. Get started with the Microsoft Purview Data Loss Prevention migration assistant for Symantec
    2. Use the Microsoft Purview Data Loss Prevention migration assistant for Symantec