Issues Checking Multiple Defender DLP Policies about scubagear HOT 5 CLOSED

Thanks for reporting this. We will look into it how to fix.

from scubagear.

Need to verify if the assumption that all policies are active and the result is the aggregated logical AND of all those policies or not.

from scubagear.

from scubagear.

Reviewed 12/14

@schrolla @buidav Please review and close if this is OBE. If it is still valid, please check to ensure the size and priority labels are accurate.

from scubagear.

While the DLP capability allows for processing and evaluating multiple policies in the specified order, the baseline states that "a custom policy" shall be configured. So the requirement being assessed is that a single custom policy contains one or more rules with ALL sensitive info types present. The bug stated above, as I understand it, and please correct me if I'm wrong, is that the test scenario splits the sensitive info types across two different policies. In the case above, I'd evaluate the assessment result as a fail on MS.DEFENDER.4.1v1 as neither has a set of rules that contain the 3 minimum info types (SSN, PII, TIN).
The Defender code was updated for the upcoming release which improved the evaluation logic. I ran a test by creating two custom policies as described above: 1 targeting Teams with SSN, CC, and Passport and a second targeting Devices with only CC. Neither policy included ITIN and these were the only two policies set to On. I ran the test in a G5 tenant. The result was a fail, as expected since no policy contains the required ITIN (which is identified as the missing type in the fail report details for MS.DEFENDER.4.1v1). Also note, that since no single custom policy meets 4.1 the ancillary baselines for MS.DEFENDER.4.2-4.4 also fail since they check additional settings associated with the required info type rules.

As such, I believe the upcoming release addresses this issue by resolving the false positive and that this item can be closed.

from scubagear.