Using Cloud App Security to detect Social Security Numbers in Office365

After reading a blog post by fellow Norwegian MVP Jan Vidar about using Azure IP and RMS to automatically classify content that contains a Norwegian national ID number, I decided to build upon that post and show how we can use Microsoft Cloud App Security to do content inspection on files in Office365 to detect the presence of these types of numbers.

Jan Vidar does a good job explaining how the Norwegian national ID number is built up: https://gotoguy.blog/2016/11/25/protecting-norwegian-national-id-number-with-azure-information-protection-and-rms/. For RMS he also uses RegEx to detect these kinds of numbers, since they follow a specific sequence.

Cloud App Security, which I have blogged about earlier, has an option to connect to Office365 to do content inspection: http://msandbu.org/microsoft-cloud-app-security-integrating-with-office365/

To make sure this was going to work, I typed a bogus national ID number into a work document stored in a specific user's OneDrive for Business.

Then I needed to create a content inspection policy.

So first we need to create a new file policy.

So I give it a name and specify where the policy is going to be applied, which is OneDrive for Business, and that it applies to all files.

Then I enabled content inspection and specified that I needed to use a regular expression. For some reason I couldn’t use the same regex that Jan Vidar had, so I needed to create a new one.

\b(?:0[1-9]|[12]\d|3[01])(?:[04][1-9]|[15][0-2])\d{7}\b

(This site http://regexr.com/ is a life saver!)

Then I just specify that it should create an alert for each matching file detected. Depending on the number of files in the OneDrive structure or the number of users, it might take some time, but you can go into Investigate -> Files to check.

Eventually you can see the file appear in the list. If you open the file, you can see that it matched the policy “Social Security number”, and the status “scan complete” indicates that the policy has finished inspecting the content.

It now appears in the Alerting pane based upon the policy.

So from within the alerting pane I can, for instance, put the user in quarantine or open up the document to double check whether the content is actually valid.
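
To see what the regular expression above matches, and to double check hits before acting on an alert, here is an added example (not from the original post or from Cloud App Security). It goes one step beyond the post by applying the number's publicly documented mod-11 check digits, which the post does not cover; the sample text and function names are constructed for illustration.

```python
import re

# Regex from the post: DDMM (first month digit 0/1, or 4/5) followed by 7 digits.
CANDIDATE = re.compile(r"\b(?:0[1-9]|[12]\d|3[01])(?:[04][1-9]|[15][0-2])\d{7}\b")

# Check-digit weights from the public definition of the number (not from the post).
W1 = (3, 7, 6, 1, 8, 9, 4, 5, 2)
W2 = (5, 4, 3, 2, 7, 6, 5, 4, 3, 2)


def check_digit(digits, weights):
    """Return the mod-11 check digit, or None when no valid digit exists."""
    rest = 11 - sum(d * w for d, w in zip(digits, weights)) % 11
    if rest == 11:
        return 0
    return None if rest == 10 else rest


def checksum_ok(number):
    """True when both trailing digits of an 11-digit string are valid check digits."""
    d = [int(c) for c in number]
    k1 = check_digit(d[:9], W1)
    if k1 is None or k1 != d[9]:
        return False
    k2 = check_digit(d[:10], W2)
    return k2 is not None and k2 == d[10]


def triage(text):
    """Return (candidate, checksum_ok) for every regex hit in text."""
    return [(m.group(), checksum_ok(m.group())) for m in CANDIDATE.finditer(text)]


# Constructed sample content; none of these values come from the post.
SAMPLE = (
    "Employee ID number: 01017012343\n"      # regex hit, check digits valid
    "Order reference 31129912345 shipped\n"  # regex hit, check digits invalid
    "Invoice 99999999999 is overdue\n"       # no hit: 99 is not a day
    "Call 22334455 for support\n"            # no hit: only 8 digits
)

if __name__ == "__main__":
    for number, valid in triage(SAMPLE):
        print(number, "likely ID number" if valid else "probable false positive")
```

The regex alone flags any 11-digit value that starts with a plausible day and month, so the checksum step is a quick way to rank which alerts deserve a manual look first.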
