Custom sensitive information types


Adding custom sensitive information types just got a whole lot easier. Just use the Security & Compliance center.
Some time ago I did a short presentation on advanced data governance. Part of the presentation was about adding new sensitive information types. As you might know, you are not restricted to the information types provided by Microsoft. But adding your own types involved a lot of work.

First of all, you needed to understand the workings of a sensitive information type. Well, this hasn’t changed. You need to know stuff like regular expressions, proximity, confidence levels and the like.

XML file

Then you can create a specific XML file, which contains specifics of the information type. The XML would contain a rule package, entity, patterns, regular expressions and much more. In the end – this would become a very complex file.


When the XML file was completed and correct, you needed PowerShell to import it into the Office 365 environment. PowerShell was also used to update the information type.

Security and compliance center

I was delighted to see that Microsoft has now added a GUI for adding these sensitive information types. Like I mentioned before, you still need to understand the basics of these information types, but creating one is much simpler.

You can add an information type from the Classifications section. Go to New sensitive information type. Choose a name and description.


In the next screen you’ll add the specifics. Let’s say we need to find content which contains information on the badge or employee number of the organisation. This employee number has a specific layout. For example: 425 555-0100 (yep, just like US phone numbers).

In this example I’m adding three keywords to the information type. But I also want to filter on the employee number as well, so I add a regular expression for this.


By the way, the regular expression works like this.

425(\s|\.)\d\d\d(-|\.)\d\d\d\d

\s = white space
| = OR
\d = a digit
\. = a literal dot (an unescaped . would match any character)

This matches 425 555-0100 or 425.555.0100 (for example).
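The sketch below is an added example, not part of the original post and not Microsoft's engine: it models a pattern in which the regular expression is the match and a keyword inside a character window is the required supporting evidence, and it compares escaped dots with bare dots. The keyword list, the 300-character window and the sample texts are assumptions constructed here, and Python's re module stands in for the service's regex engine.

```python
import re

# Employee-number pattern with escaped dots, and the same pattern with bare
# dots for comparison (a bare "." matches any character).
ESCAPED = re.compile(r"425(\s|\.)\d\d\d(-|\.)\d\d\d\d")
BARE_DOT = re.compile(r"425(\s|.)\d\d\d(-|.)\d\d\d\d")

# Assumptions, not values from the post: keyword list and proximity window.
KEYWORDS = ("employee", "badge", "personnel")
PROXIMITY = 300  # characters on either side of the regex match


def detect(text, pattern, keywords=KEYWORDS, proximity=PROXIMITY):
    """Return [(matched_text, supporting_keywords)] for every regex hit that
    has at least one keyword inside the proximity window."""
    hits = []
    lowered = text.lower()
    for m in pattern.finditer(text):
        window = lowered[max(0, m.start() - proximity): m.end() + proximity]
        found = sorted(k for k in keywords
                       if re.search(rf"\b{re.escape(k)}\b", window))
        if found:
            hits.append((m.group(0), found))
    return hits


# Constructed sample documents.
SAMPLES = {
    "hr_note": "Badge issued to new employee, number 425 555-0100.",
    "dotted": "Personnel file: 425.555.0100",
    "invoice": "Order 4251555x0100 shipped to the employee entrance.",
    "no_context": "Call 425 555-0100 about the delivery.",
}


def report(pattern):
    """Matched strings per sample document for the given pattern."""
    return {name: [hit[0] for hit in detect(doc, pattern)]
            for name, doc in SAMPLES.items()}


if __name__ == "__main__":
    print("escaped :", report(ESCAPED))
    print("bare dot:", report(BARE_DOT))
```

The same constructed lines can be saved as the txt-file for the portal test described in the next section, to confirm that the service agrees with the local result.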

 

Testing

You might want to know if your information type works. And this is possible. After creating the information type, Office 365 asks you to test it out. You can do this by creating a txt-file and uploading it to the portal. I’ve tested mine, of course.


Txt-file created here.


Just upload it. Easy….


And…. results! The information type detects my content.


So now I can use this information type to automatically detect sensitive information.

Just to check, I opened the list of all information types.


Nice!

In the end

Sensitive information types and the automatic detection and labeling of content are very powerful. With this addition, the creation of custom sensitive information types has become much, much easier. If you want more information on these types, then this can be found here: https://go.microsoft.com/fwlink/?linkid=2006348

4 comments

  1. Hey Albert,

    thanks for your great tutorial. I had success copying it to my environment, but at the following point I’m struggling at the moment.

    I would like to use my custom sensitive info type in an “auto-labeling policy” in the compliance center / Information Protection / Auto-labeling. I’m getting through the steps (Info of label, Name, Locations) but at the step “Policy Rules” I’m stuck. Here I’m supposed to see my “custom sensitive info type”, but I only see the “built-in” sensitive info types. I already checked that I tested my custom sensitive info type and hit the button “finish” after successful testing.

    Am I missing something? Is there a “release button” or something like that?

    Greetings from Germany,
    Florian

    1. Hi there Florian,

      This is weird. I’ve tested it myself just now. Created a new sensitive information type and used this in the auto-labeling and auto-classification for Office apps functions. It appeared directly. Perhaps you can check if the information type is correctly added by using PowerShell?

      Get-DlpSensitiveInformationType -Identity "<name of the sensitive information type>"

      If this doesn’t display the type, then you need to add it again.
      But, it should work directly.

  2. Hi,

    Great article. I’m trying to set up a custom sensitive info type where the regex should catch emails, like match if there are abc@microsoft.com etc. The problem is that it gives me a processor error when I’m trying to put this regex in the pattern ^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$

    As per regex101.com it works fine.
    Should it be formatted differently?

    Thanks

    1. Hi John,

      Sorry about the late reaction. And perhaps you’ve already found the answer.
      You are right, this Regex does work at regex101.com. But I get the same errors when testing this out.
      This RegEx does work however and it detects email addresses:

      [A-z,0-9]{1,}\@[A-z,0-9,\.]{1,}

      Hope this helps.

      Al
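An added example (not from the thread) that checks locally what the e-mail pattern in the reply above accepts, next to a narrower pattern. NARROW and the sample strings are constructed here, and whether the compliance portal accepts NARROW is not verified.

```python
import re
import string

# Pattern quoted in the reply above.
REPLY = re.compile(r"[A-z,0-9]{1,}\@[A-z,0-9,\.]{1,}")
# Narrower pattern: an assumption added for comparison, not from the thread.
NARROW = re.compile(r"[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def extra_chars(char_class):
    """Printable ASCII characters a class accepts besides letters and digits."""
    one = re.compile(char_class)
    return "".join(c for c in string.printable
                   if one.fullmatch(c) and not c.isalnum())


def find(pattern, text):
    """All substrings of text that the pattern reports as a match."""
    return [m.group(0) for m in pattern.finditer(text)]


# Constructed sample lines.
SAMPLES = [
    "Contact abc@microsoft.com for access",
    "recipients: a@b.com,c@d.com",
    "copy array[0]@offset into the buffer",
]


def compare():
    """Per sample line: (matches of REPLY, matches of NARROW)."""
    return [(find(REPLY, s), find(NARROW, s)) for s in SAMPLES]


if __name__ == "__main__":
    print("local-part class also accepts:", extra_chars(r"[A-z,0-9]"))
    for sample, (reply, narrow) in zip(SAMPLES, compare()):
        print(f"{sample!r}\n  reply : {reply}\n  narrow: {narrow}")
```

The range A-z spans the ASCII characters between Z and a, and the commas inside the brackets are literal members of the class, which is why the reply's pattern merges a comma-separated address list into one match and accepts a string without a dotted domain.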
