Enterprise DLP
Why Are Emails Not Being Blocked?
Table of Contents
Why Are Emails Not Being Blocked?
Review your Email DLP and Enterprise Data Loss Prevention (E-DLP) configurations to understand why
an email containing sensitive data wasn't blocked.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
|
Review your Email DLP and Enterprise Data Loss Prevention (E-DLP) configurations to help you
investigate why an email containing sensitive data wasn't blocked by Enterprise DLP. To investigate, you will need to review the DLP logs, the
connectors and transport rules, as well as your data patterns, profiles, and
Security policy rules to understand why one or more emails containing sensitive data
are not being blocked.
- Review your Email DLP logs to confirm that the email you believe contains sensitive data really contained sensitive data.If the email you want to investigate is listed here, it means that Email DLP configuration for Microsoft Exchange or Gmail are configured correctly. An Email DLP incident and log indicate that the email was forwarded to Enterprise DLP.If you can't find the email you want to investigate, it might mean that something is wrong with the Email DLP configurations for Microsoft Exchange or Gmail.
- Review your Email DLP incidents to confirm the email was allowed to leave your network.Select and for the Action filter, select Monitored to quickly filter for emails that were allowed to leave your network. If the email you are interested in is listed, view the Incident Details to gather the email Created On date, Sender, and Subject for the email. You can also download the email for your review.Additionally, make note of the Policy the email matched against. As part of the investigation, you need to review your Email DLP policy to ensure it is configured correctly.Select .In the Email DLP Logs, click View Logs.Locate the email you want to investigate using the Time Captures and Sender User columns.Review the Subject column for the email to understand whether sensitive data was detected in the email.Review the Status Note to gather additional information about the email.
- If the Email did not match with an Email DLP Policy or Email matched with a DLP Profile in a policy and evaluation was completed are displayed, it might mean you need to review and modify your data profile match criteria or Email DLP policy.
- If the Email DLP policy evaluation timed out is displayed, you might need to modify the Max Latency and Action on Max Latency settings.For example, if the Action on Max Latency is set to Allow, it means that Enterprise DLP allowed the outbound email to leave your network even though the forwarded email evaluation timed out.
Review the Email DLP policy the email matched against to ensure it is configured correctly.Important Email DLP configurations to verify are the email sender conditions, the sender email domain, email recipient conditions, and recipient email domains to confirm that they are defined correctly. If these are not configured correctly, Email DLP is unable to inspect for and prevent exfiltration of outbound emails containing sensitive data.Additionally, you can review the Recommendations for Security Policy Rules for more information on recommendations and best practices for writing Security policy rules and managing your policy rulebase.Review the data patterns and data profiles associated with your Email DLP policy.For example, review your custom and file property data patterns to ensure the match criteria defined in them are configured correctly to inspect for and block the correct sensitive data. Incorrectly defined match criteria results in Enterprise DLP being unable to inspect for and prevent exfiltration of outbound emails containing sensitive data.If you are using predefined data patterns in your data profiles, you can add custom match criteria like proximity keywords to increase detection accuracy.Review the Email DLP configuration for your email provider.Microsoft Exchange Online or Gmail are unable to forward emails to Enterprise DLP if they are incorrectly configured and are unable forward outbound emails for inspection. Additionally, Email DLP is designed to inspect outbound emails only. Inspection of emails from within your network is not supported.When reviewing your Email DLP configurations, consider the following:- Have you updated your SFP record to add the required Enterprise DLP service IP addresses for Microsoft Exchange Online or Gmail?This is required to successfully forward outbound emails to Enterprise DLP.
- (Microsoft Exchange Online only) Are your transport rules enabled?In some cases, a newly created Microsoft Exchange transport rule might be disabled and require you to manually enable it. All transport rules, especially the transport and block rules, must be enabled to successfully forward outbound emails to Enterprise DLP and for Microsoft Exchange to take action based on the verdict rendered.
- Is the transport rule for Microsoft Exchange Online or Gmail configured correctly?If your email provider is unable to forward outbound emails to Enterprise DLP, then the email continues to its intended recipient.
- Is the block transport rule for Microsoft Exchange Online or Gmail configured correctly?For example, if there is a typo when you define the x-panw-action: block header that your email provider should take a block action on then the email continues to its intended recipient.
- (Microsoft Exchange Online only) Are managers assigned correctly in Active Directory configured?By default, Microsoft Exchange sends the outbound email to the target recipient if a manager isn't correctly assigned for the sender when you create a transport rule for manager approval.
