Data Loss Prevention

 View Only
Back to discussions
Expand all | Collapse all

DLP Exchange Scan issue with the URL showed on the Incident Details page.

  • 1.  DLP Exchange Scan issue with the URL showed on the Incident Details page.

    Posted Jun 15, 2017 05:39 PM

    Hi Team

    This is our situation:

    DLP version 14.5 MP1 and  is scanning and finding incident on an Exchange 2010.

    It's necessary for a second level responder to locate the Exchange item that triggered the policy for further actions ( provide feedback to the user, move the email to a another mailbox, etc), this was requested by a specific Audit.

    Once the incident is logged and the Responder is able to run the report for the Network Discover events it's possible to verify the Exchange incident but there's a problem,  based on the DLP 14.5 Administration Guide, page 1208, on the Incident Details section there's a feature called [URL(open in browswer)] but the documentation only states the following "For SharePoint, this URL is the item on the SharePoint server. Click this URL to go to the item on the SharePoint server"

    Problem Number 1:  It´s not clear if this applies also for MS Exchange.

    I assumed that the URL contains the OWA to the email that triggered the incident but it seems to require the credentials from the original owner in order to allow access to the document.
    Questions:

    1.Is this the only way to see it? for example why do an Exchange user with reviewing rights cannot have access? In the case of Sharepoint is not necessary to be the owner.

    2. Is there a way to show the message ID on the Incident details?

     

    Best Regards,

     

     

     

     

     

     

     



  • 2.  RE: DLP Exchange Scan issue with the URL showed on the Incident Details page.

    Trusted Advisor
    Posted Jun 15, 2017 06:54 PM

    Orionx,

    With Exchange, I do not think it will show you a URL.

    It will ONLY show you that a message has a specific violation and the users mailbox. 

    Best bet is to try it on your own mailbox and see!

    In order to even see the messsage you will need to be a FULL admin to the persons mailbox to scan it (impersonate accounts).

    http://msdn.microsoft.com/en-us/library/bb204095%28v=exchg.80%29.aspx

    This is a very gray area on how to use scanning of Exchange. If you notice in most cases you will need to speificy the persons mailbox name to really be able to manage the targets easily.

    If you scan the whole exchange site, you will see that the location has the persons name (folder) in the location. I do not think it will show you  the full Message ID, but I may be wrong.

    Good luck