Exchange Server – Creating a Custom Data Loss Prevention (DLP) Rule

I was onsite at a customer trying to figure out why the Microsoft Exchange Server 2016 DLP policy (for US Social Security Numbers) was not catching email with a Social Security Number (SSN) in it. I even sent a list of 10 SSNs and it was not blocked either. Upon further research I found that the rule needs to include more than just a 9 digit number (with or without dashes) for it to take action on the message. This was done to prevent false positives.

Reading the fine print for Data Loss Prevention (DLP)

Sensitive information types in Exchange Server

For my customer, I need it to find any 9 digit number (with or without dashes) and trigger just on that – not look for any other conditions before taking action.

Step 1 – Create a custom DLP Rule for SSN

I saved this file as: CustomSSN-DLPrule.xml

<?xml version="1.0" encoding='UTF-8'?>
<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
    <RulePack id="b4b4c60e-2ff7-47b2-a672-86e36cf608be">
        <Version major="1" minor="0" build="0" revision="0"/>
        <Publisher id="7ea13c35-0e58-472a-b864-5f2e717edec6"/>
        <Details defaultLangCode="en-us">
            <LocalizedDetails langcode="en-us">
                <PublisherName>Craig Wentz</PublisherName>
                <Name>Custom SSN Classification</Name>
                <Description>Custom SSN Classification</Description>
            </LocalizedDetails>
        </Details>
    </RulePack>
    <Rules>
        <!-- SSN: each Pattern holds only an IdMatch and no corroborating Match
             elements, so the 9-digit number alone is enough to trigger the entity -->
        <Entity id="0ba2cb9d-4ef1-4fdd-bd16-c3f431363d4b" patternsProximity="300" recommendedConfidence="75">
            <Pattern confidenceLevel="85">
                <IdMatch idRef="FormattedSSN" />
            </Pattern>
            <Pattern confidenceLevel="85">
                <IdMatch idRef="UnformattedSSN" />
            </Pattern>
        </Entity>
        <!-- 3-2-4 digits with dashes; the lookaheads reject repeated digits, the listed
             sample numbers, area 000/666/9xx, group 00 and serial 0000 -->
        <Regex id="FormattedSSN">
        (?!\b(\d)\1+-(\d)\1+-(\d)\1+\b)(?!123-45-6789|219-09-9999|078-05-1120)(?!666|000|9\d{2})\d{3}-(?!00)\d{2}-(?!0{4})\d{4}
        </Regex>
        <!-- same rules for 9 digits with no dashes -->
        <Regex id="UnformattedSSN">
        (?!\b(\d)\1+\b)(?!123456789|219099999|078051120)(?!666|000|9\d{2})\d{3}(?!00)\d{2}(?!0{4})\d{4}
        </Regex>
        <LocalizedStrings>
            <Resource idRef="0ba2cb9d-4ef1-4fdd-bd16-c3f431363d4b">
                <Name default="true" langcode="en-us">
                    Social Security Number
                </Name>
                <Description default="true" langcode="en-us">
                    A custom classification for detecting Social Security numbers
                </Description>
            </Resource>
        </LocalizedStrings>
    </Rules>
</RulePackage>

The file, above, was slightly modified from this website:

ADVENTURES IN CUSTOM DLP RULES – PART ONE
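Before importing the package it is worth seeing what the two patterns actually accept and reject. The following is an added Python check, not part of the original post or of Microsoft's tooling: it runs the same two regexes with Python's re module over constructed sample strings (none is a real SSN). Python's engine is not Exchange's .NET engine, so it illustrates the patterns' logic; confirm the final behaviour with the DLP policy in test mode.

```python
import re

# The two Regex elements from CustomSSN-DLPrule.xml, copied verbatim.
FORMATTED_SSN = re.compile(
    r"(?!\b(\d)\1+-(\d)\1+-(\d)\1+\b)"
    r"(?!123-45-6789|219-09-9999|078-05-1120)"
    r"(?!666|000|9\d{2})\d{3}-(?!00)\d{2}-(?!0{4})\d{4}"
)
UNFORMATTED_SSN = re.compile(
    r"(?!\b(\d)\1+\b)"
    r"(?!123456789|219099999|078051120)"
    r"(?!666|000|9\d{2})\d{3}(?!00)\d{2}(?!0{4})\d{4}"
)


def find_ssn_matches(text):
    """Return every substring either IdMatch pattern would flag, formatted hits first."""
    hits = []
    for pattern in (FORMATTED_SSN, UNFORMATTED_SSN):
        hits.extend(m.group(0) for m in pattern.finditer(text))
    return hits


# Constructed test strings (none is a real SSN) with the verdict we expect.
SAMPLES = {
    "123-45-6780": True,    # ordinary formatted number: flagged
    "123456780": True,      # same digits without dashes: flagged
    "123-45-6789": False,   # listed in the exclusion lookahead
    "078-05-1120": False,   # listed in the exclusion lookahead
    "111-11-1111": False,   # repeated digits rejected by the backreference lookahead
    "900-12-3456": False,   # area 9xx rejected
    "666-12-3456": False,   # area 666 rejected
    "123-00-4567": False,   # group 00 rejected
    "123-45-0000": False,   # serial 0000 rejected
    # The unformatted pattern has no boundary check, so the first nine digits of a
    # 10-digit phone number are flagged: the false-positive class that the built-in
    # rule's corroborating evidence exists to avoid.
    "call 2125551234": True,
}


def mismatches():
    """Return samples whose actual verdict differs from the expected one (empty if all agree)."""
    return {s: bool(find_ssn_matches(s)) for s, expected in SAMPLES.items()
            if bool(find_ssn_matches(s)) != expected}


if __name__ == "__main__":
    for sample, expected in SAMPLES.items():
        print(f"{sample!r:20} expected={expected!s:5} hits={find_ssn_matches(sample)}")
    print("mismatches:", mismatches())
```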

Step 2 – Import the Custom DLP Rule into Exchange Server

New-ClassificationRuleCollection -FileData (Get-Content -Path "\\E2016Svr1\c$\temp\CustomSSN-DLPrule.xml" -Encoding Byte)

Step 3 – Create a New DLP Policy and include the Custom DLP Rule

Your new, custom DLP rule will now be listed with the other sensitive information types.


Links for Additional Information

Data Loss Prevention in Exchange 2016

Customize a built-in sensitive information type

Customize DLP – Built-In, Export, Import and create a new rule

Random SSN generator to use for testing

How to write Regular Expressions?

Online Regex Tester