Having trouble creating a custom classification rule for DLP

  • Question

  • I'm trying to create a custom rule package to use in a DLP rule in Exchange 2013. The rule in question will hold a list of words we want users to avoid using and prompt them with a policy tip to verify that they understand that the word(s) in question will cause the email to be reviewed and then let them override if needed. From reading through Developing Sensitive Information Rule Packages and Matching Methods and Techniques for Rule Packages on TechNet and this blog with a fully fleshed out example, I was able to create the following rule (it's around 400 terms total, but I included some of the non-offensive examples):

    <?xml version=”1.0″ encoding=”utf-16″?>
     <RulePackage xmlns=”http://schemas.microsoft.com/office/2011/mce”&gt;
    	 <RulePack id=”b4b4c60e-2ff7-47b2-a672-86e36cf608be”>
    		  <Version major=”1″ minor=”0″ build=”0″ revision=”0″/>
    		  <Publisher id=”7ea13c35-0e58-472a-b864-5f2e717edec6″/>
    		  <Details defaultLangCode=”en-us”>
    			  <LocalizedDetails langcode=”en-us”>
    				  <PublisherName>InternalUser</PublisherName>
    				  <Name>Screener word list</Name>
    				  <Description>Detects the presence of pre-defined words we need to monitor</Description>
    			  </LocalizedDetails>
    		  </Details>
    	 </RulePack>
    	<Rules>
    		<!– Word match list–>
    		<Entity id=”acc59528-ff01-433e-aeee-13ca8aaee159″ patternsProximity=”300″ recommendedConfidence=”75″>
    			<Keyword id="Screener_List">
    				<Group matchStyle="string">
    					<Term>bet</Term>
    					<Term>collude</Term>
    					<Term>collusion</Term>
    					<Term>gamble</Term>
    					<Term>game a broker</Term>
    					<Term>game an order</Term>
    					<Term>game the broker</Term>
    					<Term>game the order</Term>
    					<Term>gaming a broker</Term>
    					<Term>gaming an order</Term>
    					<Term>gaming the broker</Term>
    					<Term>gaming the crowd</Term>
    					<Term>gaming the order</Term>
    					<Term>Inside information</Term>
    					<Term>insider</Term>
    					<Term>Jump ahead</Term>
    					<Term>Jump in front</Term>
    					<Term>Steal</Term>
    					<Term>Stole</Term>
    					<Term>FOR INTERNAL USE ONLY</Term>
    				</Group>
    			</Keyword>
    		</Entity>
    	</Rules>
    </RulePackage>


    But when I try to import via the following command

    New-ClassificationRuleCollection –FileData ([Byte[]]$(Get-Content -path "C:\DLP\test.xml" -Encoding byte -ReadCount 0))

    I get the following error:

    Unable to continue processing classification rule collection payload for decryption or further validations. Payload may contain invalid data.
        + CategoryInfo          : InvalidData: (:) [New-ClassificationRuleCollection], ClassificationR...yptionException
        + FullyQualifiedErrorId : [Server=BY2PR02MB412,RequestId=82192f38-4e5e-43d1-8774-c932e3ea962b,TimeStamp=3/17/2014 8:09:32 PM] [FailureCategory=Cmdlet-Classification 
       RuleCollectionDecryptionException] F08355D,Microsoft.Exchange.Management.ClassificationDefinitions.NewClassificationRuleCollection
        + PSComputerName        : pod51035psh.outlook.com 

    The problem is I'm not 100% sure that I have the XML formatted correctly or if I'm doing something else wrong. I have tried the following:

    • Generating multiple random GUIDs for my XML
    • Saving the XML file as UTF-8 and UTF-8 without BOM
    • I even tried uploading the same example in the blog I mentioned above with the example GUIDs and new GUIDs and I get the same error.
    • I also tried using the MS example here at the bottom of the TechNet article Developing DLP Policy Template Files (the classification file creation and importing) with the supplied GUIDs and new GUIDs and received the same error as well

      
    Monday, March 17, 2014 8:44 PM

Answers

  • So I was able to figure out the format for a custom classification and here is an example of a custom word list with just a few words. Note that the GUIDs should be unique to your environment, but you might get away with using the ones here. I also had to use an XML editor (XML Marker in my case) in order to get it to save in the proper format. Though I'm pretty sure Notepad++ would have worked as well if I fooled with the options enough.

    <?xml version="1.0" encoding="utf-16"?>
     <RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
         <RulePack id="b4b4c60e-2ff7-47b2-a672-86e36cf608be">
              <Version major="1" minor="0" build="0" revision="0"/>
              <Publisher id="7ea13c35-0e58-472a-b864-5f2e717edec6"/>
              <Details defaultLangCode="en-us">
                  <LocalizedDetails langcode="en-us">
                      <PublisherName>MY COMPANY NAME</PublisherName>
                      <Name>RULE PACKAGE NAME</Name>
                      <Description>RULE PACKAGE DESCRIPTION</Description>
                  </LocalizedDetails>
              </Details>
         </RulePack>
        <Rules>
            <!-- bad word match list -->
             <Entity id="acc59528-ff01-433e-aeee-13ca8aaee159" patternsProximity="300" recommendedConfidence="75">
                    <Pattern confidenceLevel="75">                    
                                <IdMatch idRef="BadWordList" />
                    </Pattern>
             </Entity>
            <Keyword id="BadWordList">
                <Group matchStyle="word">
                    <Term>bet</Term>
                    <Term>Frontrun</Term>
                    <Term>gamble</Term>
                    <Term>game a broker</Term>
                    <Term>game an order</Term>
                    <Term>game the broker</Term>
                    <Term>game the order</Term>
                    <Term>gaming a broker</Term>
                    <Term>gaming an order</Term>
                    <Term>gaming the broker</Term>
                    <Term>gaming the crowd</Term>
                    <Term>gaming the order</Term>
                    <Term>Jump ahead</Term>
                    <Term>Jump in front</Term>
                    <Term>manipulate</Term>
                    <Term>manipulated</Term>
                    <Term>spoof</Term>
                    <Term>spook</Term>
                    <Term>Steal</Term>
                    <Term>Stole</Term>
                    <Term>FOR INTERNAL USE ONLY</Term>
                </Group>
            </Keyword>
             <LocalizedStrings>
                <Resource idRef="acc59528-ff01-433e-aeee-13ca8aaee159">
                     <Name default="true" langcode="en-us">
                            Name for this particular rule in this classification package
                    </Name>
                    <Description default="true" langcode="en-us">
                                      Description for this particular rule in this classification package
                    </Description>
                </Resource>
            </LocalizedStrings>
        </Rules>
    </RulePackage>

    • Marked as answer by Iczersigma Wednesday, January 7, 2015 7:04 PM
    Friday, May 23, 2014 4:29 AM

All replies

  • I have the exact same problem with this!

    First thing in yours is:

     <RulePackage xmlns=”http://schemas.microsoft.com/office/2011/mce”&gt;

    Should be:

     <RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">

    Notepad.exe on my Win 2012 server does not let me select format to save as UTF-16, only UTF-8 so change the first line to utf-8.

    When you double-click on the XML it should open up in IE and allow you to see the full code. If it does you know it's working, if you get a blank IE tab or only the description you typed then it will not work.

    When copying to notepad.exe I've also had to do a Find\Replace with all the quotation marks to make them all ". Do not use ' or ”, replace them all with ".

    I have managed to get the example on this page working http://technet.microsoft.com/en-us/library/jj674704%28v=exchg.150%29.aspx

    I've been trying to get yours to work, but no luck so far! I get:

    The classification rule collection payload failed to validate against its target schema. The following error is found
    on line number 16 at position 6 in the payload: The element 'Entity' in namespace
    'http://schemas.microsoft.com/office/2011/mce' has invalid child element 'Keyword' in namespace
    'http://schemas.microsoft.com/office/2011/mce'. List of possible elements expected: 'Pattern' in namespace
    'http://schemas.microsoft.com/office/2011/mce'.

    Thursday, May 22, 2014 7:44 PM
  • Forgot to add, you need two extra dashes, one at each side:
    <!-- Word match list -->

    Thursday, May 22, 2014 7:52 PM
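
A pre-flight check for the problems raised in this thread (typographic quotes and dashes, an encoding declaration that does not match the saved file, `Keyword` nested inside `Entity`), as an added example that is not part of any poster's reply or of Microsoft's tooling. `Test-RulePackFile` is a hypothetical helper name, and the check assumes a UTF-16 file is saved with a byte-order mark.

```powershell
# Added example: lint a rule package file before New-ClassificationRuleCollection.
# Test-RulePackFile is a hypothetical helper name, not an Exchange cmdlet.
function Test-RulePackFile {
    param([Parameter(Mandatory = $true)][string]$Path)
    $issues = New-Object 'System.Collections.Generic.List[string]'
    # Read the file and let the byte-order mark decide the real encoding (assumption: UTF-16 has a BOM).
    $reader = New-Object System.IO.StreamReader((Resolve-Path $Path).Path, [System.Text.Encoding]::UTF8, $true)
    try { $text = $reader.ReadToEnd(); $isUtf16 = $reader.CurrentEncoding -is [System.Text.UnicodeEncoding] }
    finally { $reader.Dispose() }

    # 1. Typographic quotes/dashes pasted from a web page (U+201C/D, U+2018/9, U+2033, U+2013/4).
    $lines = $text -split "`r?`n"
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match '[\u201C\u201D\u2018\u2019\u2033\u2013\u2014]') {
            $issues.Add(('Line {0}: typographic quote or dash; use a plain " and -' -f ($i + 1)))
        }
    }

    # 2. The encoding named in the XML declaration must match the bytes on disk.
    if ($text -match '^<\?xml[^>]*encoding\s*=\s*["'']([^"'']+)["'']') {
        $declared16 = $Matches[1] -like 'utf-16*'
        if ($declared16 -ne $isUtf16) {
            $seen = if ($isUtf16) { 'UTF-16' } else { 'UTF-8' }
            $issues.Add("Declaration says '$($Matches[1])' but the file was read as $seen")
        }
    }

    # 3. Well-formedness (catches an unclosed tag or a stray &gt; after an attribute).
    $doc = New-Object System.Xml.XmlDocument
    try { $doc.LoadXml($text) }
    catch { $issues.Add("Not well-formed XML: $($_.Exception.Message)"); return $issues }

    # 4. Structure: Entity holds Pattern/IdMatch; Keyword lists sit beside it under Rules.
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('m', 'http://schemas.microsoft.com/office/2011/mce')
    foreach ($e in $doc.SelectNodes('//m:Entity[m:Keyword or not(m:Pattern)]', $ns)) {
        $issues.Add("Entity $($e.GetAttribute('id')): needs Pattern children; define Keyword under Rules")
    }
    $ids = @($doc.SelectNodes('//m:Rules/*[@id and not(self::m:Entity)]', $ns) | ForEach-Object { $_.GetAttribute('id') })
    foreach ($m in $doc.SelectNodes('//m:IdMatch', $ns)) {
        if ($ids -notcontains $m.GetAttribute('idRef')) {
            $issues.Add("IdMatch idRef '$($m.GetAttribute('idRef'))' matches no id under Rules")
        }
    }
    return $issues
}

$problems = Test-RulePackFile -Path 'C:\DLP\test.xml'   # path taken from the question
if ($problems) { $problems } else { 'No issues found; the file is ready to import.' }
```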