Setting up a DLP inspection mailbox

This guide will take you through the process of setting up a mailbox in your Office365 or G-Suite mail system that will enable scanning incoming and outgoing mail for sensitive information.

IMPORTANT - If you disable the DLP inspection rule or disconnect the service, make sure to undo the settings below (delete the rule in Office 365 or the routing settings in G-Suite) and empty or delete the BCC mailbox to prevent the mailbox from overflowing.

Office365

  1. Create a new mailbox account to be used for DLP inspection (e.g. dlp@foo.com)
  2. Log in to Office365 as an admin, and go to the Exchange Admin center: https://outlook.office365.com/ecp
  3. Select "mail flow" from the menu

  4. Click the Plus icon and select "Create a new rule"

  5. Click the "More options..." link

  6. Fill the dialog box:
    • Provide a name for the rule (e.g. DLP)
    • Select “Apply this rule if...” / "[Apply to all messages]"
    • Select “*Do the following...” / "Add recipients..." / "to the Bcc box"


    • In the dialog box that opens, search for the DLP mailbox you have created and add it, then click "OK"



    • Click the "add action" button and select "Generate incident report and send it to..."

    • Select "Send incident report to: *Select one..." and select the DLP mailbox you have created.

    • Select "with content: *Include message properties" and check "recipients" and "original mail" then click "OK"



    • Click the "add action" button again and select "Modify the message properties..." and then "remove a message header". In the "message header" textbox that appears type Disposition-Notification-To and click "OK"

    • Save the new rule

  7. If you connected your Office365 service to Coronet before the Sprint 3.0 version, which introduced the DLP by Email feature, was released (Feb. 2019), please reconnect your Office365 service in the CONFIGURE/Services menu in the Coronet console.
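
The rule from step 6 can also be created from Exchange Online PowerShell, which keeps the configuration reviewable and gives a one-line rollback for the IMPORTANT note at the top. This is an added example, not part of the original guide or Coronet's tooling; it assumes the ExchangeOnlineManagement module is installed, and the admin account, the mailbox address, the rule name and the two helper function names are placeholders.

```powershell
# Added example: PowerShell equivalent of the Exchange admin center steps above.
# Assumptions: ExchangeOnlineManagement module installed; values are placeholders.
$RuleName   = 'DLP'
$DlpMailbox = 'dlp@foo.com'

Connect-ExchangeOnline -UserPrincipalName 'admin@foo.com'

# Hypothetical helper: creates the inspection rule described in step 6.
function Add-DlpInspectionRule {
    # Fail early if the inspection mailbox from step 1 does not exist yet.
    $null = Get-Mailbox -Identity $DlpMailbox -ErrorAction Stop

    # Leave an existing rule of the same name untouched.
    if (Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue) {
        Write-Warning "Rule '$RuleName' already exists; nothing created."
        return
    }

    # No conditions are given, so the rule applies to all messages.
    # Actions: Bcc the DLP mailbox, send an incident report with the
    # recipients and the original mail, and strip the read-receipt header.
    New-TransportRule -Name $RuleName `
        -BlindCopyTo $DlpMailbox `
        -GenerateIncidentReport $DlpMailbox `
        -IncidentReportContent Recipients, AttachOriginalMail `
        -RemoveHeader 'Disposition-Notification-To'
}

# Hypothetical helper: rollback when DLP inspection is switched off.
# The DLP mailbox itself still has to be emptied or deleted separately.
function Remove-DlpInspectionRule {
    Remove-TransportRule -Identity $RuleName -Confirm:$false
}

Add-DlpInspectionRule

# Review what was actually stored before relying on the rule.
Get-TransportRule -Identity $RuleName |
    Format-List Name, State, BlindCopyTo, GenerateIncidentReport,
                IncidentReportContent, RemoveHeader
```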

 

G-Suite

  1. Create a new mailbox account to be used for DLP inspection (e.g. dlp@foo.com)
  2. Log in to G-Suite as an admin, and go to your Google Admin Console: https://admin.google.com
  3. In the Admin console, go to "Apps" / "G-Suite" / "Gmail" / "Advanced settings" (scroll down to see it)





  4. Scroll to the Routing setting in the Routing section, hover over the setting, and click Configure (or "Edit or Add another" if the setting is already configured)

  5. Fill the dialog box:
    • Enter a unique name for the setting (e.g. "DLP")
    • In "Messages to affect" check all boxes

    • Optional - use the "Envelope filter" to limit the scan to specific user accounts or groups.
    • Select "For the above types of messages, do the following" / "Modify message" and check the first two items ("Add X-Gm-Original-To header" and "Add X-Gm-Spam and X-Gm-Phishy headers")

    • Scroll down to “Also deliver to” and select "Add more recipients", click "Add" and select "Basic" and add the DLP mailbox you have configured in step 1, then "Save"



    • Click "Add settings" and "save" the configuration



  6. If you connected your G-Suite service to Coronet before the Sprint 3.0 version, which introduced the DLP by Email feature, was released (Feb. 2019), you will need to add mail access authorization to the Coronet app API scopes:
    • In the Coronet console, go to CONFIGURE/Services/G-Suite
    • Follow steps 1 to 4
    • In step 5, just make sure to add the mail URL "https://mail.google.com/" to the list of URLs at the API scope, and click Authorize.

 

 
