Data Loss Prevention

  • 1.  DLP and Teams

    Posted Mar 24, 2020 12:26 PM
    Scenario:
    A user is in Microsoft Teams and is sending a message to another employee via the chat that contains sensitive information like an SSN or a CC#. What I want to happen is that when the user hits send, the upload starts, or at some point a message pops up warning the user that the message they are about to send contains xyz personal information and will be sent to a cloud location.
    I was trying to get an Endpoint Notify Response Rule to accomplish this... will this work, or is it even possible? If not, does anyone have a suggestion to accomplish this?

    If someone has a procedure or example, I'd appreciate your help.


    ------------------------------
    Randolph Brooks Federal Credit Union
    ------------------------------


  • 2.  RE: DLP and Teams

    Posted Mar 25, 2020 03:51 AM
    Hi 

    Yes, this can be achieved.

    You first have to add Microsoft Teams to the application monitoring inside the DLP as follows:

    Please go to System > Agent > Application monitoring > Add new application

    Enter the name of the application, enter Teams\.exe in all the other fields, and tick the check box for whichever protocol you want to monitor. The most important thing is Application File Access, and don't forget to enable Application File Access monitoring in the agent configuration.

    These should be the steps to achieve your request.

    Let me know if you have any other questions.

    Thanks 



    ------------------------------
    Fady Azab
    Senior Consultant
    CCIT GMBH
    ------------------------------



  • 3.  RE: DLP and Teams

    Posted Mar 25, 2020 10:42 AM
    Thank you for the response. I tried what you said and I am now getting an error when I use a Contextual Attribute in the Rule (it will not fire on the rule and/or the Response rule). Any suggestions there? I get the yellow triangle next to the response rule and the rule in the policy. Thanks again.

    ------------------------------
    Randolph Brooks Federal Credit Union
    ------------------------------



  • 4.  RE: DLP and Teams

    Posted Mar 25, 2020 10:59 AM
    Do you have multiple responses in the rule? And what is it?

    ------------------------------
    Fady Azab
    Senior Consultant
    CCIT GMBH
    ------------------------------



  • 5.  RE: DLP and Teams

    Posted Mar 25, 2020 11:23 AM



    Respectfully,

     

    Darren Dozier

    Information Security Analyst II

    desk: 210-6374583

    cell: 210-394-2748

    ddozier@rbfcu.org

    Randolph Brooks Federal Credit Union (ASC 1)

     

     






  • 6.  RE: DLP and Teams

    Posted Mar 26, 2020 04:01 AM
    Hi 

    You are using the Microsoft Teams Securlets, and the Securlets can scan the Teams repository with an on-demand scan; they will not work in real time.

    If you want to achieve that at the endpoint level, you should use the DLP agent installed on the desktops and laptops.

    You are receiving this error because you are using some rules in the Group tab which require two-tier detection.

    Thanks

    ------------------------------
    Fady Azab
    Senior Consultant
    CCIT GMBH
    ------------------------------



  • 7.  RE: DLP and Teams

    Posted Mar 26, 2020 04:18 AM
    Hi 

    Below are the steps to achieve what you are looking for:

    1. System > Agents > Application Monitoring > Add Application, teams\.exe in all the fields.
    2. Select Application File Access Read.
    3. Save.
    4. Navigate to System > Agent > Agent Configuration > check Application File Access in the Channels tab.

    By default, Application File Access monitors the corresponding file types (.doc, .docx, .jar, .mpp, .pdf, .ppt, .pptx, .rar, .rtf, .txt, .wcm, .xls, .xlsx, .zip).
    You can add more file extensions by going to Agent Configuration > Channel Filters, number 3.

    Note this will work if you have a DLP Endpoint server and endpoint agents.
    Thanks

    ------------------------------
    Fady Azab
    Senior Consultant
    CCIT GMBH
    ------------------------------



  • 8.  RE: DLP and Teams

    Posted Apr 21, 2020 11:47 AM
    Hi, 

    I came across this post and it was very helpful! After implementing it, though, I am getting random pop-ups for *.Db files in the c:\Users\name\AppData\Local\Microsoft\Windows\Caches\ folder
    and a *.automaticDestinations-ms file in the c:\users\name\Appdata\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\ folder.

    I have done the following in my agent config but I cannot seem to have them ignored. Would you have any advice if you have seen this?

    Thank you, 

    Tom
    Ignore filter



  • 9.  RE: DLP and Teams

    Posted May 05, 2020 01:56 PM
    Thomas, your filter looks correct.  Are you saying you are able to detect text typed into a Teams chat session?


  • 10.  RE: DLP and Teams

    Posted May 16, 2024 11:25 AM

    Hi,

    This thread is really useful as I'm implementing Teams for DLP.

    But now a new behavior has appeared, where a DLP incident is generated whenever I try to Download/Click on the files that I've uploaded inside the Teams chat.

    However, the DLP incident doesn't detect the original files; it displays them as <random characters>.tmp files with a logo of the original file.

    For example: I've uploaded a **** docs inside the Teams chat, and whenever I try to Download/Click on the file, a DLP incident is triggered and the file inside the incident is a 557y-287381-372837.tmp file with the logo of a Docs file.

    Is this normal behavior for Application File Access?

    How is downloading a file considered an External action and detected by DLP?