Secure AIP Labeled Files with Enterprise DLP

Leverage Enterprise data loss prevention (DLP) to inspect and take action on assets protected with Microsoft Azure Information Protection (AIP).
Where Can I Use This?
  • Prisma Access (Cloud Management)
What Do I Need?
Leverage Enterprise data loss prevention (DLP) from the cloud management console to inspect for and take action on assets protected with Microsoft Azure Information Protection (AIP).
  1. Create a document protected with a Microsoft AIP label.
    Refer to the Microsoft Azure Information Protection documentation for detailed information.
  2. In the cloud management console, select Manage > Configuration > Security Services > Data Loss Prevention.
  3. Configure a file property data pattern.
    1. Select Detection Methods > Data Patterns > Add Data Patterns > File Property.
    2. Enter a Name for the file property data pattern.
    3. For the File Property Type, select Custom.
    4. For the custom file property Name, enter the full AIP label name that you want to take action on. This can be either the MSIP_Label_<GUID>_Enabled label name or the Sensitivity label name.
    5. For the custom file property Value, enter the Microsoft AIP label you want to scan for and take action on. For example, if you want to take action on assets protected with the Confidential AIP label, enter Confidential.
    6. (Optional) Add File Property and repeat the steps above to take the same action on multiple AIP labels using a single data pattern.
    7. Save.
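Before typing a custom property Name and Value into the data pattern, it helps to see exactly which MSIP properties a labeled document carries. The following added example (not part of the Palo Alto Networks documentation or product) reads docProps/custom.xml from an OOXML file and groups the MSIP_Label_<GUID>_* properties by label GUID; the sample file and its GUID are constructed placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces of docProps/custom.xml, the OOXML part that stores user-defined properties
CUSTOM_NS = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
VT_NS = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
PREFIX = "MSIP_Label_"

def read_custom_properties(data: bytes) -> dict:
    """{name: value} for every custom property; files without any lack custom.xml."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "docProps/custom.xml" not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read("docProps/custom.xml"))
    props = {}
    for prop in root.findall(f"{{{CUSTOM_NS}}}property"):
        value_el = next(iter(prop), None)  # the single vt:* child carries the value
        props[prop.get("name")] = (value_el.text or "") if value_el is not None else ""
    return props

def aip_labels(props: dict) -> dict:
    """Group MSIP_Label_<GUID>_* properties by GUID: the _Enabled flag and the _Name."""
    labels = {}
    for name, value in props.items():
        if not name.startswith(PREFIX):
            continue
        guid, _, field = name[len(PREFIX):].rpartition("_")  # GUIDs use '-', never '_'
        entry = labels.setdefault(guid, {"enabled": False, "name": None})
        if field == "Enabled":
            entry["enabled"] = value.strip().lower() == "true"
        elif field == "Name":
            entry["name"] = value
    return labels

def build_sample_file() -> bytes:
    """Constructed sample: a minimal OOXML zip whose custom.xml carries a label.
    The GUID is a placeholder, not a real tenant's label id."""
    guid = "11111111-2222-3333-4444-555555555555"
    props = [(f"{PREFIX}{guid}_Enabled", "true"), (f"{PREFIX}{guid}_Name", "Confidential"),
             ("Sensitivity", "Confidential")]
    body = "".join(
        f'<property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="{i + 2}" name="{n}">'
        f"<vt:lpwstr>{v}</vt:lpwstr></property>" for i, (n, v) in enumerate(props))
    xml = f'<Properties xmlns="{CUSTOM_NS}" xmlns:vt="{VT_NS}">{body}</Properties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/custom.xml", xml)
    return buf.getvalue()
```

Run read_custom_properties on a real labeled .docx/.xlsx/.pptx to list the property names and values that the file property data pattern has to match.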
  4. Configure a data profile.
    Before you create the data profile, consider which AIP labels you want to allow and which you want to block. If you add match criteria only to the Primary rule, you can select whether to allow or block matched traffic. If you add match criteria to both the Primary and Secondary rules, traffic that matches the Primary rule is always allowed and traffic that matches criteria in the Secondary rule is always blocked.
    When a data profile contains match criteria that you want to both allow and block, be aware that the session in which the matched traffic is inspected matters. For example, suppose File1 matches criteria in the Primary rule that you want to allow, File2 matches criteria in the Secondary rule that you want to block, and both files are attached to a single email. In this scenario, the DLP cloud service blocks the email that both files are attached to, because File2 matches criteria that are blocked. However, if each file is attached to a separate email, or if the files are attached to the same email one at a time, the appropriate action is taken for each file.
    1. Select Data Profiles and Add Data Profile > With Data Patterns only.
    2. Enter a Data Profile Name.
    3. For the Primary Rule, Add Data Pattern Group and set the confidence level as Low.
      Search for and select the file property data pattern you created in the previous step. Repeat this step to add multiple data patterns if needed.
    4. (Optional) For the Secondary rule, Add Data Pattern Group and set the confidence level as Low.
      Search for and select the file property data pattern you want to block. Repeat this step to add multiple data patterns if needed.
      You can add data patterns to the Primary rule and skip this step if you plan to only block matched traffic.
    5. Save.
  5. Modify the DLP rule.
    1. Select DLP rules and locate the data profile you created in the previous step.
      The data profile and corresponding DLP rule have identical names.
    2. Expand the Action column and Edit.
    3. Select the Action you want to take.
      If you added data patterns to both the Primary and Secondary rules, the Action is Alert and Block by default and cannot be modified. Alert applies to the Primary rule and Block applies to the Secondary rule.
      • Alert generates a DLP incident and allows matched traffic.
      • Block generates a DLP incident and blocks matched traffic.
    4. Specify the Log Severity when a DLP log is generated for matched traffic.
      Informational generates an informational DLP log and does not generate a DLP incident. All other log severity types generate a DLP log of the corresponding severity and generate a DLP incident.
    5. Save.
  6. Add the Enterprise DLP data profile to a profile group.
    1. Select Manage > Configuration > Security Services > Profile Groups.
    2. Add Profile Group or select an existing profile group.
    3. For the Data Loss Prevention Profile, select the DLP rule you modified in the previous step.
    4. Save.
  7. Add the profile group to a Security policy rule.
    1. Select Manage > Configuration > Security Services > Security Policy and Add Rule.
    2. Configure the Security policy rule as needed.
    3. For the Action and Advanced Inspection:
      • Verify that the Action is Allow (default).
      • For the Profile Group, select the profile group you added the DLP rule to in the previous step.
    4. Save.
    5. In the Prisma Access - Pre Rules, verify that the Security policy rule is at the top of the policy rulebase to ensure traffic is not allowed or blocked before it can be inspected.
  8. Push Config.
  9. Verify that Enterprise DLP successfully detects and takes action on the assets protected by the AIP labels you specified in your Enterprise DLP configuration.
    You can use sites such as DLP ToolBox and DLP Test to verify.
    Refer to the Enterprise DLP Administrator's Guide for more information on supported applications.
