Use Case 4: DLP error

This use case helps troubleshoot emails whose DLP X-Header response indicates a DLP error. It is optional, but recommended for troubleshooting DLP errors.

Steps

  1. In the Microsoft Exchange admin center, navigate to Mail flow > Rules. The Rules screen appears.
  2. Click Add a rule + > Create a new rule. The New transport rule screen appears.
  3. On the Set rule conditions page:
    1. Enter a unique name (e.g., DLP Error) for the rule in the Name field.
    2. In the Apply this rule if* field:
      1. Select The message headers… from the first drop-down list.
      2. Then select matches any of these text patterns from the second drop-down list.
      3. Click Enter text. The specify header name window appears.
      4. Enter message header X-Forcepoint-DLP-Email and then click Save.
      5. Click Enter words. The specify words or phrases window appears.
      6. Enter the header texts DLP-Authentication-Failed, DLP-Scan-Failed, DLP-Timed-Out, DLP-Unexpected-Error, and DLP-Failed-Policy, clicking Add after each one.
      7. Then click Save.
    3. In the Do the following* field:
      1. Select Block the message from the first drop-down list.
      2. Then select reject the message and include an explanation from the second drop-down list.
      3. In the specify rejection reason prompt, enter the alert message (e.g., DLP Processing Error).
      4. Click Save.
      5. Then click the + symbol twice in the Do the following* field. Two new And fields are added.
    4. In the first And field:
      1. Select Block the message from the first drop-down list.
      2. Then select reject the message with the enhanced status code of from the second drop-down list.
      3. In the enter enhanced status code prompt, enter the status code (e.g., 5.7.1).
      4. Click Save.
    5. In the second And field:
      1. Select Generate incident report and send it to from the first drop-down list.
      2. Then select specify the recipients and the content from the second drop-down list.
      3. Click the first Select one and add the email address to which the report needs to be sent.
      4. Click the second Select one and select the message properties that need to be included in the report.
    6. When you have finished configuring the Set rule conditions page, click Next.
  4. On the Set rule settings page, configure the following settings:
    1. Select Enforced as Rule mode.
    2. Select High in Severity.
    3. Tick Stop processing more rules.
    4. When you have finished configuring the Set rule settings page, click Next.
  5. On the Review and finish page, verify the settings and click Finish.
  6. The Transport rule created successfully message appears. Then, click Done.

    The inbound mail flow rule for the DLP Error is created.

    Note: After creation of the mail flow rule (DLP Error), it might take 30 minutes or more for the new rule to be applied to emails.
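
    The same rule can be created from Exchange Online PowerShell. The script below is an added example, not part of the original procedure: it assumes the ExchangeOnlineManagement module and an administrator session, and the report recipient address and the selection of incident report properties are placeholders to replace with your own.

```powershell
# Added example (not from the original page): scripted equivalent of the steps above.
# Assumes the ExchangeOnlineManagement module is installed and you can sign in as an admin.
Connect-ExchangeOnline

# Header values the page lists as DLP error responses.
# "matches any of these text patterns" in the UI maps to -HeaderMatchesPatterns (regex patterns).
$dlpErrorValues = @(
    'DLP-Authentication-Failed',
    'DLP-Scan-Failed',
    'DLP-Timed-Out',
    'DLP-Unexpected-Error',
    'DLP-Failed-Policy'
)

$ruleParams = @{
    Name                            = 'DLP Error'               # example name from the page
    HeaderMatchesMessageHeader      = 'X-Forcepoint-DLP-Email'
    HeaderMatchesPatterns           = $dlpErrorValues
    RejectMessageReasonText         = 'DLP Processing Error'    # example text from the page
    RejectMessageEnhancedStatusCode = '5.7.1'                   # example code from the page
    GenerateIncidentReport          = 'dlp-reports@example.com' # placeholder recipient (assumption)
    # Assumed selection of message properties; choose the ones your team needs.
    IncidentReportContent           = 'Sender', 'Recipients', 'Subject', 'Severity', 'RuleDetections'
    Mode                            = 'Enforce'                 # Rule mode: Enforced
    SetAuditSeverity                = 'High'                    # Severity: High
    StopRuleProcessing              = $true                     # Stop processing more rules
}

# Avoid creating a duplicate if a rule with this name already exists.
$existing = Get-TransportRule | Where-Object { $_.Name -eq $ruleParams.Name }
if ($existing) {
    Write-Warning "Transport rule '$($ruleParams.Name)' already exists; review it instead of recreating it."
} else {
    New-TransportRule @ruleParams
}

# Confirm the settings that decide whether DLP-error mail is actually rejected.
Get-TransportRule | Where-Object { $_.Name -eq $ruleParams.Name } |
    Format-List Name, State, Mode, Priority, HeaderMatchesMessageHeader,
                HeaderMatchesPatterns, RejectMessageEnhancedStatusCode, StopRuleProcessing
```

    In the output, check that State is Enabled and Mode is Enforce; a rule left in an audit mode logs the match but does not reject the message.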