Use Case 4: DLP error
This use case is designed to troubleshoot emails whose DLP X-Header response is linked to DLP errors. It is optional but recommended for troubleshooting DLP errors.
Steps
- In the Microsoft Exchange admin center, navigate to Mail flow > Rules. The Rules screen appears.
- Click Add a rule + > Create a new rule. The New transport rule screen appears.
- On the Set rule conditions page:
  - Enter a unique name (ex. DLP Error) for the rule in the Name field.
  - In the Apply this rule if* field:
    - Select The message headers… from the first drop-down list.
    - Then select matches any of these text patterns from the second drop-down list.
    - Click Enter text. The specify header name window appears.
    - Enter the message header X-Forcepoint-DLP-Email and then click Save.
    - Click Enter words. The specify words or phrases window appears.
    - Enter the header texts DLP-Authentication-Failed, DLP-Scan-Failed, DLP-Timed-Out, DLP-Unexpected-Error, and DLP-Failed-Policy, clicking Add after each one.
    - Then click Save.
  - In the Do the following* field:
    - Select Block the message from the first drop-down list.
    - Then select reject the message and include an explanation from the second drop-down list.
    - In the specify rejection reason prompt, enter the alert message (ex. DLP Processing Error).
    - Click Save.
    - Then click the + symbol twice in the Do the following* field. Two new And fields are added.
  - In the first And field:
    - Select Block the message from the first drop-down list.
    - Then select reject the message with the enhanced status code of from the second drop-down list.
    - In the enter enhanced status code prompt, enter the status code (ex. 5.7.1).
    - Click Save.
  - In the second And field:
    - Select Generate incident report and send it to from the first drop-down list.
    - Then select specify the recipients and the content from the second drop-down list.
    - Click the first Select one and add the email address to which the report needs to be sent.
    - Click the second Select one and select the message properties that need to be included in the report.
  - When you have finished configuring the Set rule conditions page, click Next.
- On the Set rule settings page, configure the following settings:
  - Select Enforced as Rule mode.
  - Select High in Severity.
  - Tick Stop processing more rules.
  - When you have finished configuring the Set rule settings page, click Next.
- On the Review and finish page, verify the settings and click Finish.
- The Transport rule created successfully message appears. Then, click Done.
The inbound mail flow rule for the DLP Error is created.
Note: After creation of the mail flow rule (DLP Error), it might take 30 minutes or more for the new rule to be applied to emails.
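The same rule can also be created from Exchange Online PowerShell, which makes it repeatable and easy to review. This is an added example, not part of the original procedure: it assumes an Exchange Online PowerShell session is already connected, and the report recipient address and the selected report properties are placeholders to replace with your own.

```powershell
# Added example: scripted equivalent of the "DLP Error" rule from the steps above.
# Assumes Connect-ExchangeOnline has already been run with a role that can manage transport rules.

$ruleName = 'DLP Error'
$reportTo = 'dlp-reports@example.com'   # placeholder: mailbox that receives the incident report

$ruleParams = @{
    Name                            = $ruleName
    # Condition: the X-Forcepoint-DLP-Email header matches any of the DLP error values
    HeaderMatchesMessageHeader      = 'X-Forcepoint-DLP-Email'
    HeaderMatchesPatterns           = @(
        'DLP-Authentication-Failed',
        'DLP-Scan-Failed',
        'DLP-Timed-Out',
        'DLP-Unexpected-Error',
        'DLP-Failed-Policy'
    )
    # Action: reject with an explanation and an enhanced status code
    RejectMessageReasonText         = 'DLP Processing Error'
    RejectMessageEnhancedStatusCode = '5.7.1'
    # Action: send an incident report (properties below are an example selection)
    GenerateIncidentReport          = $reportTo
    IncidentReportContent           = @('Sender', 'Recipients', 'Subject')
    # Rule settings: Enforced, High severity, stop processing more rules
    Mode                            = 'Enforce'
    SetAuditSeverity                = 'High'
    StopRuleProcessing              = $true
}

# Update the rule if it already exists so the script can be re-run safely; otherwise create it.
$existing = Get-TransportRule | Where-Object { $_.Name -eq $ruleName }
if ($existing) {
    $setParams = $ruleParams.Clone()
    $setParams.Remove('Name')
    Set-TransportRule -Identity $ruleName @setParams
} else {
    New-TransportRule @ruleParams
}

# Read the rule back and confirm every setting matches the intended configuration.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, Priority, SetAuditSeverity, StopRuleProcessing,
                HeaderMatchesMessageHeader, HeaderMatchesPatterns,
                RejectMessageReasonText, RejectMessageEnhancedStatusCode,
                GenerateIncidentReport, IncidentReportContent
```

Check the Priority value in the output against your other mail flow rules: because this rule stops further rule processing, its position determines which other rules still run on messages carrying a DLP error header.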