Introduction
Welcome back to my series on Exact Data Match (EDM) classifiers in Microsoft Purview! If you’ve made it to Part 3, congratulations - you’re officially an EDM enthusiast, and possibly a glutton for technical punishment. In Part 1, we dove into the basics of EDM classifiers, and why they’re such a game-changer compared to traditional sensitive information types (SITs). In Part 2, I took you step-by-step through setting up an EDM classifier. Now, in this final part, we’re going to test those classifiers, explore how to use EDM in Data Loss Prevention (DLP) and Insider Risk Management (IRM) policies, and hopefully, save you from a data breach or two.
Grab your coffee. Let’s get into it!
Table of contents
1.Key Advantages of Using EDM Classifiers
Before we dive into the policies, let’s give EDM classifiers one more round of applause for their greatness. Here’s why they’re the unsung heroes of sensitive data management:
Reduced False Positive Rate: If you’ve ever spent hours combing through alerts for data that wasn’t actually sensitive (I see you, every IT admin ever), you’ll appreciate this one. EDM classifiers only flag exact matches, so you can finally kiss those false positives goodbye.
Enhanced Security and Privacy: EDM classifiers use hashed datasets, which is tech-speak for “no one gets to see your actual sensitive data during classification.” Basically, it’s like wearing a suit of armour while protecting a treasure chest full of confidential records. Safe and stylish.
Simplified Compliance: Meeting regulatory requirements isn’t optional (unless you enjoy paying hefty fines, in which case, you do you). EDM classifiers ensure you meet data protection standards without sweating over misclassification mistakes.
2.Scenario Example: Protecting Employee, Client, and Patient Records
Let’s take a moment to visualise this: Imagine your company is a big-time law firm, healthcare provider, or corporate juggernaut that stores tons of sensitive data - everything from employee records to patient health info to client contact details. EDM classifiers swoop in like a digital superhero, detecting only the exact sensitive information types you specify (e.g., employee IDs or patient records).
With DLP policies in Microsoft 365 and Microsoft Purview, you can block unauthorised access to this data faster than your colleague can click “Reply All” on a confidential email thread (a truly terrifying scenario). Now, let’s get into how to test and deploy these policies.
3.Testing an ExactMatch SIT
Testing an Exact Data Match (EDM) before using it in a Data Loss Prevention (DLP) or Insider Risk Management (IRM) policy is crucial for several reasons:
Ensure accuracy of the matching process
- avoid false positives/negatives
- data formatting validation
Custom tuning
- tuning thresholds/ confidence levels/ adding supporting elements
- identify edge cases.
In order to test your SIT, navigate over to the Purview portal: purview.microsoft.com >Solutions> Information Protection> Classifiers > Sensitive info types> Look for your ExactMatch SIT and click into its name.
↓
Select test and upload a single test file.
↓
↓
↓ As you can see my EDM SIT got a match but also my custom SIT got a match, as I intended.
Note: It is important that you test it with multiple different files to ensure you are getting accurate matches before you utilise your EDM classifiers within any Purview solution.
4.Using EDM in Data Loss Prevention (DLP)
First off, what exactly is Data Loss Prevention? Think of it as the friendly neighbourhood bouncer for your sensitive information - it prevents unauthorised sharing of sensitive data, like client or employee records, with the wrong people or platforms.
In today’s example, I’ll show you how to stop your users from uploading client data to cloud services like it's the Wild West. We’re going to scope this policy to endpoints, because that’s where the magic (or data leaks) usually happens.
Things you’ll need before creating your DLP policy:
Licensing: The fun part - make sure you’ve got the right level of Microsoft licensing. Sorry, no loopholes here.
Permissions: You’ll need the right permissions assigned. If you’re not sure, ask your friendly neighbourhood admin.
Endpoint Onboarding: Make sure your users’ devices are onboarded to Microsoft Purview. If not, well, that’s a different rabbit hole for another day.
Note: Endpoint DLP uses the same agent as Microsoft Defender for Endpoint (MDE), but recently, it started utilising a separate service - so while it’s the same agent, it’s now a distinct service. If you’re using Microsoft Defender for Endpoint as your anti-malware solution, whether in active or passive mode, as long as your devices are onboarded to MDE, you just need to verify that device onboarding is enabled in the settings without needing any additional actions. However, if you use a third-party antivirus solution, you’ll need to onboard your devices to MDE in passive mode.
Browser Extensions: If your company’s using any other browser than Edge, like Chrome or Firefox, deploy the Microsoft Purview web extensions via Intune or your central management tool of choice.
Service Domain Block List: Add the services you want to block within the Endpoint DLP settings - because no one’s sharing confidential data with their personal Dropbox on your watch.
Once you’re ready to roll, here’s the quick-and-dirty of setting up your DLP policy:
Head over to purview.microsoft.com > Solutions > Data Loss Prevention > Policies > Create a Policy
Create a custom policy from scratch (because we like to live dangerously) and move through the setup screens like a pro.
Name your policy (creativity optional), and keep your naming conventions clear - no duplicates allowed!
Note: When deploying DLP policies, ensure your naming conventions are well-organised and planned out, as the Purview portal doesn’t allow duplicate policy or rule names within DLP policies.
Now, click "Next" to proceed.
I don't want to scope it to any specific admin units so I'm going to ignore this step and click next.
Select Devices for the location scope, and target all users (because everyone’s a suspect).
We need to create or customise advanced DLP rules ourselves because during step 1, we chose to create a custom policy that was not based on any templates.
↓
Name your rule and set up your conditions to detect sensitive information types, specifically the exact match SIT you configured in Part 2.
Under conditions, select 'Add condition' > Content contains > Sensitive info types & look for your EDM based SIT. I'm also adding my custom SIT that I'd created before my EDM classifer, as I really want to narrow down the amount of data that this policy will be matching.
↓
↓
I am changing the group operation from 'any of these' to 'All of these' as all of my client documents contain Client IDs which are based on a pattern represented by a regular expression within my "Demo-ClientIDs" SIT and I want to minimise the amount of DLP matches and avoid any false positives.
↓
Next, we need to add our actions. In other words, what is supposed to happen once DLP finds a match. Options are: 1- audit, 2- block with override, 3-block.
I'm going to configure the block option for uploading data to blocked service domains that I've configured within endpoint DLP settings and audit the rest of activities on devices.
↓
↓
I'm also going to configure and customise my policy tips.
Next I want to make sure I've got some notifications and reports in place so my admins can do investigations once alerts are being generated. Once all that is good to go, I click Save and Next.
I'm going to go into a full enforcement mode to lock it all down by selecting "Turn the policy on immediately".
↓
This is it. Our DLP policy is now created.
Note: When configuring DLP policies or any other Purview solution in a production environment, I highly recommend following the "crawl-walk-run" approach. Start with an audit-only mode, gradually transition to "block with override," and eventually move to full enforcement. This phased approach allows you to fine-tune your policies based on logs or user feedback. Baby steps, folks.
5.Using EDM in Insider Risk Management (IRM)
So, what is Insider Risk Management? It’s like having a private detective who’s keeping tabs on your employees (in the least creepy way possible). IRM policies monitor risky behaviour - like employees trying to sneak off with sensitive data on their way out the door.
Today, we’re going to set up a policy to catch users who download client files from SharePoint or, even sneakier, downgrade a label on a sensitive document before trying to exfiltrate it. Trust no one, not even Susan from Accounting.
Things you’ll need before creating your DLP policy
Similar to the requirements for DLP and also depending on which policy template you are going to use in IRM, make sure you've got these prerequisites covered:
Licensing
Permissions
Devices onboarded to Microsoft Purview (optional)
Purview browser extension deployed to users using Google Chrome, Firefox, etc.
Here’s how to create your IRM policy:
Go to purview.microsoft.com > Solutions > Insider Risk Management > Policies > Create a Policy.
I'm going to set up a policy based on the data leaks template.
Name your policy something like “Stop Data Thieves” (or, you know, something more official).
I want to target all of my users, groups and adaptive scopes and have no exclusions.
↓
Prioritise your content by selecting Sensitive Information Types (exact match SITs, naturally).
↓
↓
↓
I only want my policy to focus on the data I need to prioritise (my EDM SIT), thefore I am going to select the "Get alerts only for activity that includes priority content".
Choose the "User performs an exfiltration activity" as your triggering event and configure exfiltration activities (i.e., downloading files or trying to sneak them past security). I am only selecting the ones I want to be flagged.
↓
Set thresholds, sequence detection, and tweak the alerts settings to keep tabs on these risky actions.
The amount of indicators that you can see on this page depends on the indicators that you enable within the Insider Risk settings (purview.microsoft.com > Settings > Insider Risk Management > Policy indicators)
↓
↓
↓
Once I review everything on this page and confirm all looks okay, I can click Submit.
On the final page of the IRM wizard, I get to decide what types of emails I want to receive: - when a new policy generates its first alert - when new high sensitivity alerts are generated - weekly email summarising policies that have unresolved warnings
Select the options that suit and click 'Done'.
Well done, you've now successfully created an Insider Risk Management policy.
6.Conclusion
And there you have it! In this 3-part series, we’ve journeyed through the world of EDM classifiers - understanding their benefits, setting them up, and now, testing them out in DLP and Insider Risk Management policies. Not only do EDM classifiers help you identify exact matches for sensitive data, but they also reduce false positives and make your life a whole lot easier when it comes to compliance.
Thanks for following along, and may your sensitive data always be safe and sound - protected from insiders, outsiders, and everything in between.
You are reading "Understanding Exact Data Match (EDM) Classifier in Microsoft Purview - part 3"
Comments