CloudAppSecurityDocs/data-protection-policies.md: 12 additions & 8 deletions
@@ -7,8 +7,6 @@ ms.topic: how-to
7
7
8
8
# File policies in Microsoft Defender for Cloud Apps
9
9
10
-
11
-
12
10
File Policies allow you to enforce a wide range of automated processes using the cloud provider's APIs. Policies can be set to provide continuous compliance scans, legal eDiscovery tasks, DLP for sensitive content shared publicly, and many more use cases. Defender for Cloud Apps can monitor any file type based on more than 20 metadata filters (for example, access level, file type).
13
11
14
12
## Supported file types
@@ -24,8 +22,9 @@ The engine combines three aspects under each policy:
24
22
* Context filters including user roles, file metadata, sharing level, organizational group integration, collaboration context, and additional customizable attributes.
25
23
26
24
* Automated actions for governance and remediation.
27
-
> [!NOTE]
28
-
> Only the governance action of the first triggered policy is guaranteed to be applied. For example, if a file policy has already applied a sensitivity label to a file, a second file policy cannot apply another sensitivity label to it.
25
+
26
+
> [!NOTE]
27
+
> Only the governance action of the first triggered policy is guaranteed to be applied. For example, if a file policy has already applied a sensitivity label to a file, a second file policy cannot apply another sensitivity label to it.
29
28
30
29
Once enabled, the policy continuously scans your cloud environment and identifies files that match the content and context filters, and apply the requested automated actions. These policies detect and remediate any violations for at-rest information or when new content is created. Policies can be monitored using real-time alerts or using console-generated reports.
31
30
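Review bot: The note re-added at new lines 26-27 states that only the governance action of the first triggered policy is guaranteed to be applied, but nothing visible in this section tells the reader how to determine which policy triggers first. Since the note is being touched, consider adding a sentence advising against overlapping file policies with conflicting governance actions (the note's own example is two policies that each apply a sensitivity label), or a link to the evaluation order if it is documented elsewhere. In the context line at new line 29, "and apply the requested automated actions" should read "and applies the requested automated actions" to agree with "the policy continuously scans".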
@@ -55,7 +54,7 @@ To create a new file policy, follow this procedure:
55
54
56
55
1. Select **Create policy** and select **File policy**.
57
56
58
-

57
+

59
58
60
59
1. Give your policy a name and description, if you want you can base it on a template, for more information on policy templates, see [Control cloud apps with policies](control-cloud-apps-with-policies.md).
61
60
@@ -64,10 +63,12 @@ To create a new file policy, follow this procedure:
64
63
1. Within **Category**, link the policy to the most appropriate risk type. This field is informative only and helps you search for specific policies and alerts later, based on risk type. The risk may already be preselected according to the category for which you chose to create the policy. By default, File policies are set to DLP.
65
64
66
65
1.**Create a filter for the files this policy will act on** to set which discovered apps trigger this policy. Narrow down the policy filters until you reach an accurate set of files you wish to act upon. Be as restrictive as possible to avoid false positives. For example, if you wish to remove public permissions, remember to add the **Public** filter, if you wish to remove an external user, use the "External" filter and so on.
66
+
67
67
> [!NOTE]
68
68
> When using the policy filters, **Contains** searches only for full words – separated by commas, dots, spaces, or underscores. For example if you search for **malware** or **virus**, it finds virus_malware_file.exe but it does not find malwarevirusfile.exe. If you search for **malware.exe**, then you find ALL files with either malware or exe in their filename, whereas if you search for **"malware.exe"** (with the quotation marks) you find only files that contain exactly "malware.exe". **Equals** searches only for the complete string, for example if you search for **malware.exe** it finds malware.exe but not malware.exe.txt.
69
69
>
70
70
> For more information about File Policy Filters, see [File filters in Microsoft Defender for Cloud Apps](file-filters.md#file-filters).
71
+
71
72
1. Under the first **Apply to** filter, select **all files excluding selected folders** or **selected folders** for Box, SharePoint, Dropbox, or OneDrive, where you can enforce your file policy over all files on the app or on specific folders. You're redirected to sign in the cloud app, and then add the relevant folders.
72
73
73
74
1. Under the second **Apply to** filter, select either **all file owners**, **file owners from selected user groups** or **all file owners excluding selected groups**. Then select the relevant user groups to determine which users and groups should be included in the policy.
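Review bot: The blank lines added at new lines 66 and 71 around the `> [!NOTE]` block can end the ordered list if the note is not indented under the filter step. Every step here is written as `1.`, so a broken list would restart numbering at 1 for the two **Apply to** steps that follow; please confirm in the rendered preview that numbering continues. In the same step at new line 65, `1.**Create a filter` appears to lack a space after the list marker, and "External" is in quotation marks while **Public** is bold; use bold for both filter names.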
@@ -125,15 +126,18 @@ Each policy is composed of the following parts:
125
126
You can go to the Policy center to review file policy violations.
126
127
127
128
1. In the Microsoft Defender Portal, under **Cloud Apps**, go to **Policies** -> **Policy management**, and then select the **Information protection** tab.
129
+
128
130
1. For each file policy, you can see the file policy violations by selecting the **matches**.
129
131
130
-

132
+
:::image type="content" alt-text="Screenshot of sample PCI matches." source="media/pci-matches.png" lightbox="media/pci-matches.png":::
131
133
132
134
1. You can select the file itself to get information about the files.
133
135
134
-

136
+
:::image type="content" alt-text="Screenshot of sample PCI content matches." source="media/pci-content-matches.png" lightbox="media/pci-content-matches.png":::
137
+
138
+
1. For example, you can select **Collaborators** to see who has access to this file, and you can select **Matches** to see the Social Security numbers.
135
139
136
-
1. For example, you can select **Collaborators** to see who has access to this file, and you can select **Matches** to see the Social Security numbers.
140
+
:::image type="content" alt-text="Content matches Social Security numbers." source="media/content-matches-ccn.png" lightbox="media/content-matches-ccn.png":::
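Review bot: The image added at new line 140 points at media/content-matches-ccn.png while its alt text and the step at new line 138 describe Social Security numbers, and the two screenshots before it are labelled as PCI matches; check that the file name, alt text and step text all refer to the same content type. Its alt text also drops the "Screenshot of" prefix that the other two `:::image:::` lines use; something like alt-text="Screenshot of content matches for Social Security numbers." would be consistent. The step at new line 138 opens with "For example," yet is numbered as a procedure step; consider folding it into the preceding step about selecting the file.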