Summary data reports for DLP policies


Applies to: Exchange Online

Topic Last Modified: 2013-02-13

After you create data loss prevention (DLP) policies, you can find out how those policies are affecting email in your company by reviewing summary DLP data reports. You need this data to determine whether your DLP policies are effective as part of your overall strategy for managing compliance issues. The reports, charts, and tables provide a quick view into how many messages your DLP policies are detecting over time. The reports provide a variety of data points about your rules and policies in an easy-to-read format. You can also use the built-in filtering available with the reports to create different views and learn even more about your compliance efforts.

You can find summary reports about DLP policies in a few different parts of the Exchange admin center or the Office 365 admin center. To learn more about navigating to the reports, see View reports about DLP policy detections.

For a quick view of the DLP policy detections during only the past 24 hours, go to Exchange admin center > Compliance Management > Data Loss Prevention. Here you’ll see all of your saved DLP policies along with a table of the following data:

ON - A check in the box indicates the policy is enabled.

MATCHES - Shows the number of detected items that matched this policy.

OVERRIDES - Shows the number of times a sender chose to override this policy by clicking a link in a Policy Tip. If the policy does not include using Policy Tips, there will be no data to collect and this value will always show a long dash. Learn more about Policy Tip options at Policy Tips.

FALSE POSITIVES - Shows the number of times a sender indicated that this policy detected something that they felt was not a legitimate reason for warning them. If the policy does not include using Policy Tips, there will be no data to collect and this value will always show a long dash. Learn more about Policy Tip options at Policy Tips.

MODE - Indicates the status of the policy and whether it is being tested or enforced. You can change the mode quickly by clicking once to highlight the policy and then choosing another mode in the description column, which contains more information about the highlighted policy.
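
The following is an added example, not part of the original topic or of Microsoft's tooling. It reads a hand-copied version of the policy table above and keeps the long dash as "no data" rather than zero, so policies without Policy Tips are not mistaken for policies with no false positives. The tab-separated layout, the sample rows, the MODE labels, and the 10% threshold are all assumptions made for illustration.

```python
# Added example. SAMPLE_TABLE is constructed data in a hypothetical tab-separated
# layout that mirrors the columns described above; it is not a product export.
NO_DATA = {"\u2014", "\u2013", "-", ""}  # long dash variants shown when Policy Tips are not used

SAMPLE_TABLE = (
    "NAME\tON\tMATCHES\tOVERRIDES\tFALSE POSITIVES\tMODE\n"
    "PCI card data\tyes\t120\t30\t18\tenforced\n"
    "Internal project names\tyes\t40\t\u2014\t\u2014\ttesting\n"
    "National ID numbers\tno\t0\t0\t0\ttesting\n"
)

def parse_count(cell):
    """Return an int, or None when the cell holds the long dash (nothing collected)."""
    cell = cell.strip()
    return None if cell in NO_DATA else int(cell)

def parse_table(text):
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split("\t")
    rows = []
    for line in lines[1:]:
        row = dict(zip(header, line.split("\t")))
        for col in ("MATCHES", "OVERRIDES", "FALSE POSITIVES"):
            row[col] = parse_count(row[col])
        rows.append(row)
    return rows

def ratio(part, matches):
    # None means "not measurable": no Policy Tip feedback, or no matches yet.
    if part is None or not matches:
        return None
    return part / matches

def tuning_candidates(rows, max_false_positive_ratio=0.10):
    """Policies whose sender-reported false positives exceed the (assumed) threshold."""
    flagged = []
    for row in rows:
        fp = ratio(row["FALSE POSITIVES"], row["MATCHES"])
        if fp is not None and fp > max_false_positive_ratio:
            flagged.append((row["NAME"], round(fp, 2)))
    return flagged

def unmeasured(rows):
    """Policies with no sender feedback at all, which need review by other means."""
    return [row["NAME"] for row in rows if row["FALSE POSITIVES"] is None]

if __name__ == "__main__":
    table = parse_table(SAMPLE_TABLE)
    print("tune:", tuning_candidates(table))
    print("no Policy Tip feedback:", unmeasured(table))
```
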

You can find a lot of detailed information about DLP policy detections on individual messages by using the Microsoft Office 365 Excel Plugin for Exchange Online Reporting. This reporting workbook is a tool that you can download and use along with Excel for more detailed analysis. In order to make use of the workbook, your system has to meet the software requirements listed on the tool’s download site, and you’ll need to download and run an installer program. The data for the charts in the workbook is obtained by a web service call from within Excel. After loading the summary data into the workbook, you can use Excel data slicers to perform analysis by changing the views, or use the other features of Excel to manage the data and identify trends or unusual activity. When such a condition is found, you can click through from the summary to the detail data. Learn more at Mail Protection Reports for Office 365.

As you apply DLP policies, you’ll expect them to help you detect sensitive information or compliance-related conditions in your email. However, they may not detect exactly what you expect. You can learn the trends and effects of your policies by reviewing the data in DLP reports. If you need to provide information to someone else about how many messages are detected, when, and by which rules, you can find out by reviewing the reports in the Office 365 admin center. If you have compliance goals that include decreasing your detection incidents over time, then you can find out whether your company is moving toward or away from such goals by reviewing the report data.

The charts and tables show information such as the number of transport rule matches for outbound mail or inbound mail within your DLP policies. The reports provide the name of the policy, the name of the rule associated with a policy, and the severity level of the matched item. You can sort the data to focus on different time periods or on specific DLP policies.

You can use a DLP policy with rules that do not specify any audit severity level. The severity level setting is a property of a single rule that you can change. When you don’t specify a severity level, the detections that are made for that rule show up in the DLP reports as Low data points. You can change the severity level that is associated with detected messages for a specific rule by using the DLP rules editor. Learn more about editing rules at Manage DLP policies.

There are additional reporting features available from the Exchange admin center:

  • Learn more about auditing reports - Use the Auditing page in the Exchange admin center to troubleshoot configuration issues by tracking specific changes made by administrators and to help you meet regulatory, compliance, and litigation requirements.

  • Track messages with delivery reports - Delivery Reports is a message tracking tool in the Exchange admin center that you can use to search for delivery status on email messages sent to or from users in your organization's address book, with a certain subject.

  • Run reports for voice mail calls - Unified Messaging (UM) call reports provide information about the calls forwarded to or placed by UM. Use these reports to monitor, troubleshoot, and report on UM for your organization.

  • Trace an Email Message - The message trace feature enables administrators to determine whether an email message was received, rejected, deferred, or delivered within the past 7 days. It also shows what actions have occurred to the message before reaching its final status.