Applies to: Exchange Server 2013, Exchange Online

Topic Last Modified: 2013-01-25

In Microsoft Exchange, you can add an action to a DLP policy rule set that creates an incident report. You can also specify to whom the report is sent and what to do with the original message. The incident report can contain any of the following information.

Content of an incident management report

The Generate Incident Report action sends incident reports to an incident management mailbox. A single incident report is generated per message, and only when the Generate Incident Report action is applied within a policy.

The following is a complete list of the line names in the incident report template. The Format column describes how to recognize each field in the report. The Optional field column specifies which fields might be absent from the report for a given rule match. The DLP specific column shows which fields exist only as a result of the DLP feature.

| Line name | Description | Format | Optional field | DLP specific |
|---|---|---|---|---|
| Message-Id | ID of the original sent message | Message-Id: ID of message | Mandatory | No |
| Sender | True sender of the original message | Sender: Email address of sender | Mandatory | No |
| Subject | Subject of the original message | Subject: end-user input subject string | Mandatory | No |
| To | Recipient or recipients of the original message. Each To line contains a single recipient, and up to 10 recipients are displayed in the incident report. If there are additional recipients, the next To line displays the remaining number of recipients. | To: Email address of recipient | Mandatory | No |
| CC | CC email address of the original message; the line is optional. Each CC line contains a single CC email address, and up to 10 CC email addresses are displayed in the incident report. If there are additional CC addresses, the next CC line displays the remaining number of CC email addresses. | CC: Email address of CC recipient | Optional | No |
| BCC | BCC email address of the original message; the line is optional. Each BCC line contains a single BCC email address, and up to 10 BCC addresses are displayed in the incident report. If there are additional BCC email addresses, the next BCC line displays the remaining number of BCC email addresses. | BCC: Email address of BCC recipient | Optional | No |
| Severity | Audit severity of the rule hit; displays the highest severity if multiple rules were hit. | Severity: Low, Medium, or High | Optional | No |
| Override | Displays whether an override was reported for the message, and the justification of the override if provided. | Override: Yes, Justification: IW input justification string | Optional | Yes |
| False Positive | Displays whether a false positive was reported for the message. | False Positive: Yes | Optional | Yes |
| Data Classification | Detected data classifications found in the original message; the line is optional. Each Data Classification line contains a single detected classification along with its count, confidence, and recommended minimum confidence level. Up to 5 detected classifications are displayed in the incident report. If the detected classification was an affinity, the count value does not apply and is not shown. | Data Classification: sensitive information type, Count: instances of the sensitive information found in the message, Confidence: percent value, Recommended Minimum Confidence: percent value | Optional | Yes |
| Rule Hit | Displays all the rules that hit the original message. Includes the name of the rule that was hit, the DLP policy (optional) that the rule resides in, the action(s) taken on the message because of the rule, the data classification(s) in the rule that caused it to hit, and the definition of the rule. | Rule Hit: rule name, DLP Policy: DLP Policy name if applicable, Action: single action, Data Classification: sensitive information type, Definition: rule definition if applicable | Mandatory | No |
| ID Match | Displays the matched data classification, the exact matched content from the message, and the primary evidence of the data classification match; the line is optional. | ID Match: sensitive information type, Value: actual value of the sensitive data, Context: text around the sensitive data in the message | Optional | Yes |
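The template above is a line-oriented "Line name: value" format, with several lines carrying further "Key: value" pairs separated by commas, and with the To, CC, BCC and Data Classification lines repeating. The following parser turns a report body into a structured record and derives the facts a reviewer in the incident management mailbox wants first (classifications that fired below their recommended minimum confidence, whether an override or false-positive report is present, how many recipients were involved). This is an added example, not code from the page or from Microsoft; the sample report is constructed, the "N more recipients" wording of the overflow To line is an assumption (the page only says the line shows the remaining count), and the rule and classification names are made up.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample incident report body. The line names and the
# "Name: value, Name: value" layout follow the template described above;
# every concrete value (addresses, rule names, percentages) is made up, and the
# "3 more recipients" overflow wording is an assumption, not Exchange's own text.
SAMPLE_REPORT = """\
Message-Id: <constructed-0001@example.com>
Sender: alice@example.com
Subject: Q3 payroll export
To: bob@example.com
To: carol@example.com
To: 3 more recipients
CC: dave@example.com
Severity: High
Override: Yes, Justification: Approved by finance lead, ticket 42
Data Classification: Credit Card Number, Count: 3, Confidence: 85%, Recommended Minimum Confidence: 75%
Data Classification: U.S. Social Security Number (SSN), Count: 1, Confidence: 65%, Recommended Minimum Confidence: 75%
Data Classification: Sample Affinity, Confidence: 90%, Recommended Minimum Confidence: 80%
Rule Hit: Block card data, DLP Policy: PCI DSS, Action: GenerateIncidentReport, Data Classification: Credit Card Number, Definition: If the message contains sensitive information
ID Match: Credit Card Number, Value: 4111-1111-1111-1111, Context: card number 4111-1111-1111-1111 for vendor
"""

# Sub-keys that can follow the first value on a line, taken from the Format column.
SUBKEYS = ("Count", "Confidence", "Recommended Minimum Confidence", "Justification",
           "DLP Policy", "Action", "Data Classification", "Definition", "Value", "Context")
# Split only at a ", " that is followed by a known sub-key, so commas inside
# free-text values (justifications, context snippets) survive.
_SUBKEY_SPLIT = re.compile(r", (?=(?:%s): )" % "|".join(re.escape(k) for k in SUBKEYS))
# Assumed shape of the overflow recipient line ("3 more recipients").
_OVERFLOW = re.compile(r"(\d+) more\b")


def parse_fields(rest: str, first_key: str) -> Dict[str, str]:
    """Turn 'v0, Key1: v1, Key2: v2' into {first_key: v0, Key1: v1, Key2: v2}."""
    parts = _SUBKEY_SPLIT.split(rest)
    fields = {first_key: parts[0]}
    for part in parts[1:]:
        key, _, value = part.partition(": ")
        fields[key] = value
    return fields


@dataclass
class IncidentReport:
    message_id: str = ""
    sender: str = ""
    subject: str = ""
    to: List[str] = field(default_factory=list)
    cc: List[str] = field(default_factory=list)
    bcc: List[str] = field(default_factory=list)
    hidden_recipients: int = 0          # recipients beyond the 10-per-header display limit
    severity: str = ""
    override: Optional[Dict[str, str]] = None
    false_positive: bool = False
    classifications: List[Dict[str, str]] = field(default_factory=list)
    rule_hits: List[Dict[str, str]] = field(default_factory=list)
    id_matches: List[Dict[str, str]] = field(default_factory=list)


def parse_report(text: str) -> IncidentReport:
    """Parse one incident report body line by line; unknown lines are ignored."""
    rpt = IncidentReport()
    for raw in text.splitlines():
        name, sep, rest = raw.partition(": ")
        if not sep:
            continue
        if name == "Message-Id":
            rpt.message_id = rest
        elif name == "Sender":
            rpt.sender = rest
        elif name == "Subject":
            rpt.subject = rest
        elif name in ("To", "CC", "BCC"):
            m = _OVERFLOW.match(rest)
            if m and "@" not in rest:          # overflow line carries a count, not an address
                rpt.hidden_recipients += int(m.group(1))
            else:
                getattr(rpt, name.lower()).append(rest)
        elif name == "Severity":
            rpt.severity = rest
        elif name == "Override":
            rpt.override = parse_fields(rest, "Override")
        elif name == "False Positive":
            rpt.false_positive = rest.strip().lower() == "yes"
        elif name == "Data Classification":
            rpt.classifications.append(parse_fields(rest, "Data Classification"))
        elif name == "Rule Hit":
            rpt.rule_hits.append(parse_fields(rest, "Rule Hit"))
        elif name == "ID Match":
            rpt.id_matches.append(parse_fields(rest, "ID Match"))
    return rpt


def triage(rpt: IncidentReport) -> dict:
    """Summarise what a reviewer checks first. Affinity classifications carry no
    Count, and a classification whose Confidence is below the Recommended Minimum
    Confidence is flagged as a weak match worth a second look."""
    below_min = []
    for c in rpt.classifications:
        try:
            conf = int(c["Confidence"].rstrip("%"))
            rec = int(c["Recommended Minimum Confidence"].rstrip("%"))
        except (KeyError, ValueError):
            continue
        if conf < rec:
            below_min.append(c["Data Classification"])
    return {
        "severity": rpt.severity,
        "recipients": len(rpt.to) + len(rpt.cc) + len(rpt.bcc) + rpt.hidden_recipients,
        "below_min_confidence": below_min,
        "overridden": rpt.override is not None,
        "false_positive": rpt.false_positive,
        "exposes_matched_values": bool(rpt.id_matches),  # ID Match lines hold the raw sensitive value
    }


if __name__ == "__main__":
    print(triage(parse_report(SAMPLE_REPORT)))
```

Because the ID Match line carries the matched value verbatim, a parsed report contains the same sensitive data as the original message; anything that stores or forwards the parsed record (a SIEM, a ticketing system) needs the same access controls as the incident management mailbox itself.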

For more information