Searching for Sensitive Information Types


Over the course of your Office 365 administration duties, you may be called to locate data matching particular data patterns (such as matching a particular regular expression or a Sensitive Information Type), either for eDiscovery or data classification purposes.  The good news is you can actually do that.  In this post, we’re going to walk through a couple of ways of identifying sensitive data using the custom DLP rule package entities in my previous post.  The sensitive information types we’re going to look for are U.S. Social Security Numbers (but these steps will work for any of the sensitive information types).

Content Search and eDiscovery

In this set of steps, we’re going to choose a sensitive information type to search for using either PowerShell or the portal, and then use either Content Search or an eDiscovery case to look for matching content.

  1. Connect to the Office 365 PowerShell for the Compliance Center or navigate to the Security & Compliance Center | Classifications | Sensitive Information Types page and look for the name of the sensitive information type you wish to identify in Office 365.
  2. If doing it through PowerShell:
    1. Connect to Office 365 PowerShell:
      $Credential = Get-Credential
      $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $Credential -Authentication Basic -AllowRedirection
      Import-PSSession $Session
      Connect-MsolService -Credential $Credential
      $ComplianceSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid -Credential $Credential -Authentication Basic -AllowRedirection
      Import-PSSession $ComplianceSession -AllowClobber
    2. Since the sensitive information types we’re looking for have “Undocumented Features” as the publisher and Social Security as part of the name, we can run this cmdlet to get the names we want to use in the search filter:
      (Get-DlpSensitiveInformationType | ? { $_.Publisher -eq "Undocumented Features" -and $_.Name -like "*social security*" }).Name

    3. Keep this value handy.  You’ll need to copy and paste these names into a search box later on.
  3. If doing it through the Security & Compliance Center user interface, open a separate browser window or tab to the Sensitive Information Types page and keep the page handy.  You’ll need to copy and paste these names into a search box later on.
  4. Open the Security & Compliance Center | Search & Investigation and either create an eDiscovery case with a search or do a Content Search.  In this example, I’m just going to do a Content Search (since the search interface and process is nearly identical for an eDiscovery case).
  5. Create a search.  You can select + Guided Search and follow the bouncing ball, or select + New Search and enter data directly in the keywords box.  I did the wizard (Guided search) just because I like steps.
  6. Name the search.
  7. Select locations and click Next.
  8. On the Condition Card, enter a search for a Sensitive Information Type using the names of the Sensitive Type rules you identified under Classifications | Sensitive Information Types or from the PowerShell cmdlet earlier, and then click Finish. The format is SensitiveType:"<name>" .  For each additional search term, make sure you use a capital OR.  You’ll need the names of the sensitive information templates from earlier.  In my case, I’m going to use:
    SensitiveType:"Social Security Number Only (Function)" OR SensitiveType:"Social Security Number Only (Regular Expression)"
    
  9. Click Finish.
  10. Review the results.
  11. Export the results as necessary.
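
The portal steps above can also be scripted from the same compliance session. The following is an added example, not code from the original post: it builds the SensitiveType query from step 8 out of the names returned in step 2.2 and runs it as a Content Search. The search name, the choice of SharePoint locations, and the polling limit are assumptions.

```powershell
# Added example. Assumes the compliance session from step 2.1 is already imported.
# Hypothetical search name; pick one that does not already exist in the tenant.
$SearchName = 'SSN-SensitiveType-Search'

# Same filter as step 2.2: the publisher and name pattern come from the post.
$Names = @(Get-DlpSensitiveInformationType |
    Where-Object { $_.Publisher -eq 'Undocumented Features' -and $_.Name -like '*social security*' } |
    Select-Object -ExpandProperty Name)

if ($Names.Count -eq 0) {
    throw 'No matching sensitive information types found; check the publisher and name filter.'
}

# A double quote inside a name would break the quoted KQL value, so stop early.
$Bad = @($Names | Where-Object { $_ -match '"' })
if ($Bad.Count -gt 0) {
    throw "Sensitive type name contains a double quote: $($Bad -join ', ')"
}

# Build SensitiveType:"<name>" terms joined with a capital OR (step 8).
$Query = ($Names | ForEach-Object { 'SensitiveType:"{0}"' -f $_ }) -join ' OR '
Write-Host "Query: $Query"

# Create and start the search. Location scope is an assumption; adjust as in step 7.
New-ComplianceSearch -Name $SearchName -SharePointLocation All -ContentMatchQuery $Query | Out-Null
Start-ComplianceSearch -Identity $SearchName

# Poll for completion, giving up after roughly 10 minutes (assumed limit).
$Attempts = 0
do {
    Start-Sleep -Seconds 15
    $Search = Get-ComplianceSearch -Identity $SearchName
    $Attempts++
} while ($Search.Status -ne 'Completed' -and $Attempts -lt 40)

if ($Search.Status -ne 'Completed') {
    Write-Warning "Search '$SearchName' is still in status '$($Search.Status)'; check it again later."
}

# Summary of what matched; review and export from the portal as in steps 10 and 11.
$Search | Select-Object Name, Status, Items, Size
```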

Applying labels for classification and search

You can create a label/classification for content and search for that in your tenant as well.  When using a label, you can either publish it (so that users can choose to apply it to relevant content) or you can publish and automatically apply it, meaning that if the content matches the rules of the sensitive information type, the label will be applied to the content automatically.  Note: if you are applying labels automatically, it will take some time for them to show up (from a few hours, up to a week or so, depending on the amount of content in Office 365 and when the various indexing processes run).  Using this process, newly created content will be tagged automatically and will show up much sooner in search results.

  1. Create a label in the Security & Compliance Center.  I created one called Social Security Label.  You can find detailed instructions for doing so here, but the gist is launch https://protection.office.com/#/tagslibrary, click + Create label, and then enter a name for it.
  2. Publish the label.  You can apply the label automatically (EMS E5) or manually (EMS E3).  I’m going to do auto application.  To do so, select the label, and then select Auto apply label.
  3. Verify that the label is correct and click Next.
  4. Select the radio button Apply label to content that contains sensitive information and click Next.
  5. Select Custom and click Next.
  6. On the Sensitive information picker page, click + Add.
  7. Select the sensitive information types from the list displayed, and then click Add.
  8. Confirm the sensitive information types show up in the list and then click Done.
  9. Verify settings and click Next.
  10. Name the label policy (and optionally, you can provide a description) and click Next.
  11. Select a location and click Next.
  12. Confirm and click Auto-apply.  Note the name of the label that will be applied (located at the bottom of the page).

Searching for a label

Once you have applied labels to your content, you can then use content search to look for those values applied.  The user interface search term we’re going to leverage is Compliance Tag.

  1. Launch Search & Investigation and either create a case and a new search or just do a content search.  For this example, we’re just going to navigate to content search, but the same process applies to eDiscovery cases.
  2. Click + New search.
  3. Select the appropriate Locations radio button (I’m just going to search everything because it’s easy in this example), and then click the + Add conditions button.
  4. Select Compliance Tag out of the list, and then click Add.
  5. In the Conditions box, enter Social Security Label (the value specified in the last step of the previous section) and then click Save & run.  Don’t enter quotes, or you’ll receive this error later: The query of the search is invalid: Specified argument was out of the range of valid values. Parameter name: Double quotation mark in the middle of string property value is not supported by KQL.
  6. Enter a name for the search and click Save.
  7. After the search completes, you can preview up to 500 of the returned results or export as you normally would.

Congratulations! You’ve got this.

Aaron Guilmette
Helping companies conquer inferior technology since 1997. I spend my time developing and implementing technology solutions so people can spend less time with technology. Specialties: Active Directory and Exchange consulting and deployment, Virtualization, Disaster Recovery, Office 365, datacenter migration/consolidation, cheese.