Configure policies in Microsoft Defender for Cloud Apps

  • 7 minutes

Microsoft Defender for Cloud Apps built-in DLP engine performs content inspection by extracting text from all common file types (100+) including Office, Open Office, compressed files, various rich text formats, XML, HTML, and more.

The engine combines three aspects under each policy:

  • Content scan based on preset templates or custom expressions.

  • Context filters including user roles, file metadata, sharing level, organizational group integration, collaboration context, and additional customizable attributes.

  • Automated actions for governance and remediation.

Once enabled, the policy continuously scans your cloud environment and identifies files that match the content and context filters and applies the requested automated actions. These policies detect and remediate any violations for at-rest information or when new content is created. Policies can be monitored using real-time alerts or using console-generated reports.

The other option is to use the Data Classification Service that is also employed by the DLP policies configured in the Microsoft Purview compliance portal. You can use this option to have a uniform experience across all your configured DLP policies.

Creating a new file policy

To create a file policy, follow this procedure:

  1. In the Microsoft Defender for Cloud Apps portal at https://portal.cloudappsecurity.com, select Control followed by Policies.
  2. Select + Create policy and select File policy.
  3. Give your policy a name and description, if you want you can base it on a template.
  4. Give your policy a Policy severity. If you have set Defender for Cloud Apps to send you notifications on policy matches for a specific policy severity level, this level is used to determine whether the policy's matches trigger a notification.
  5. Within Category, link the policy to the most appropriate risk type. This field is informative only and helps you search for specific policies and alerts later, based on risk type. The risk may already be preselected according to the category for which you chose to create the policy. By default, File policies are set to DLP.
  6. Create a filter for the files this policy will act on to set which discovered apps trigger this policy. Narrow down the policy filters until you reach an accurate set of files you wish to act upon. Be as restrictive as possible to avoid false positives. For example, if you wish to remove public permissions, remember to add the Public filter, if you wish to remove an external user, use the External filter etc.
  7. Under the Apply to filter, select all files excluding selected folders or selected folders for Box, SharePoint, Dropbox, OneDrive, where you can enforce your file policy over all files on the app or on specific folders. You're redirected to sign-in to the cloud app, and then add the relevant folders.
  8. Under the Select user groups filter, select either all file owners, file owners from selected user groups or all file owners excluding selected groups. Then select the relevant user groups to determine which users and groups should be included in the policy.
  9. Select the content Inspection method. You can select either Built-in DLP or Data Classification Services.
  10. Choose the Governance actions you want Defender for Cloud Apps to take when a match is detected and select Create.

Once you've created your policy, you can view it in the Information protection tab. You can edit a policy, calibrate its filters, or change the automated actions.

The policy is automatically enabled upon creation and starts scanning your cloud files immediately. Take extra care when you set governance actions, they could lead to irreversible loss of access permissions to your files.

It's recommended to narrow down the filters to exactly represent the files that you wish to act upon, using multiple search fields. The narrower the filters, the better. For guidance, you can use the Edit and preview results button in the Filters section.

Note

The Inspection method supports several built-in sensitive information types and custom expressions that can be substrings, exact string matches, and regular expressions, which are the most powerful method to find the targeted information. Creating and maintaining the correct regular expressions is a recurring task and more information can be found in the resource section of this module.

File policy matches

If you want to view all files suspected to violate a policy, follow these steps:

  1. Select Control and then Policies.
  2. Search the respective File Policy you want to view.
  3. Select the three vertical dots () on the right-side of the policy and select View all matches.
  4. You'll see a list of files currently recognized by the file policy to match the selected filters. You can use this view to see the impact your policy has before you change it to apply any Governance actions.