Create an Email DLP Sender Alert Policy
Enterprise DLP


Create a DLP policy on Microsoft Exchange to alert senders when an email is sent to hosted quarantine for review.
Where Can I Use This?
  • Data Security
What Do I Need?
  • One of the following licenses that include the Enterprise DLP license
    Review the Supported Platforms for details on the required license for each enforcement point.
    • Prisma Access CASB license
    • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
    • Data Security license
  • Email DLP license
Create an Email DLP sender alert policy on Microsoft Exchange Online to send an email alert when a sender's email is sent to hosted quarantine for review.
  1. Select Policies > Data loss prevention > Policies and Create policy.
  2. Create a custom DLP policy.
    1. For Categories, select Custom.
    2. For Templates, select Custom policy.
    3. Click Next.
  3. Enter a Name and Description, and click Next.
  4. For Assign admin units, leave the default Full directory and click Next.
  5. When you Choose location to apply the policy, verify that the Exchange email Status is On.
    Set the Status to Off for all other locations and click Next.
  6. To Define policy settings, select Create or customize advanced DLP rules and click Next.
    You are redirected to the Customize advanced DLP rules page to create the sender alert policy rule for the hosted quarantine transport rule.
  7. Create the Email DLP sender alert policy rule when an email is sent to hosted quarantine.
    1. Create rule.
    2. Enter a Name and Description.
    3. In Conditions, select Add condition > Header contains words or phrases.
    4. In the Enter header name field, enter x-panw-action.
    5. In the Enter words and then click 'Add' field, enter quarantine.
    6. Add.
    7. Turn On (enable) User notifications.
    8. Verify Notify the user who sent, shared, or last modified the content is enabled.
    9. (Optional) Check (enable) Customize the email text to provide a custom response to the sender when an email is sent to hosted quarantine for review.
    10. (Optional) Check (enable) Policy Types to provide customized data compliance tips.
    11. Turn Off (disable) Incident reports.
    12. Save.
    13. Verify the policy rule Status is On.
    14. Click Next.
  8. For the Policy mode, select Turn it on right away and click Next.
  9. Review the Email DLP sender alert policy and Submit.
    Click Done when prompted that the new policy was successfully created.
  10. Back in Policies, verify that the Email DLP sender alert policy is displayed and that the Status is On.
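
The rule created in step 7 only fires when a message actually carries the x-panw-action header with the word quarantine, so it is worth checking a saved test message before relying on the notification. The following is an added example, not part of the original procedure or of any Palo Alto Networks or Microsoft tooling: it parses raw messages and evaluates the same condition. The sample messages are constructed, and the case-insensitive whole-word matching is an assumption about how the condition is evaluated.

```python
import re
from email import message_from_string
from email.policy import default

HEADER_NAME = "x-panw-action"  # header name entered in step 7, substep 4
RULE_WORD = "quarantine"       # word entered in step 7, substep 5

# Constructed sample messages (not captured traffic).
QUARANTINED = (
    "From: alice@example.com\nTo: bob@example.net\n"
    "Subject: Q3 forecast\nX-PANW-Action: Quarantine\n\nSee attachment.\n"
)
OTHER_ACTION = (  # placeholder value, only to show a non-matching header
    "From: alice@example.com\nTo: bob@example.net\n"
    "Subject: Lunch\nx-panw-action: example-other-action\n\nNoon?\n"
)
BODY_ONLY = (  # the header text appears in the body, not in the headers
    "From: alice@example.com\nTo: bob@example.net\n"
    "Subject: Question\n\nx-panw-action: quarantine\n"
)


def header_values(raw_message, name=HEADER_NAME):
    """Return every value of the named header, unfolded, in message order."""
    msg = message_from_string(raw_message, policy=default)
    # Header name lookup in the email package is case-insensitive.
    return [str(value).strip() for value in (msg.get_all(name) or [])]


def rule_would_match(raw_message, name=HEADER_NAME, word=RULE_WORD):
    """Assumed semantics: case-insensitive whole-word match in any value."""
    pattern = re.compile(
        r"(?<![\w-])" + re.escape(word) + r"(?![\w-])", re.IGNORECASE
    )
    return any(pattern.search(value) for value in header_values(raw_message, name))


if __name__ == "__main__":
    samples = {
        "quarantined": QUARANTINED,
        "other action": OTHER_ACTION,
        "body only": BODY_ONLY,
    }
    for label, raw in samples.items():
        verdict = "sender alert expected" if rule_would_match(raw) else "no alert"
        print(f"{label:13} headers={header_values(raw)!r} -> {verdict}")
```

A message that was quarantined but reports no alert here points at the transport rule that stamps the header, not at the DLP policy.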