So after reading a fellow Norwegian MVP Jan Vidar writing a blog post about using Azure IP and RMS to automatic classify content based upon containing a Norwegian Nation ID number. I decided to build upon that post, and how we can use Microsoft Cloud App Security to do content inspection on files in Office365 to detect the presense of these types of numbers in files.
Jan Vidar goes a good job explaning how the Norwegian Nation ID number is built up > https://gotoguy.blog/2016/11/25/protecting-norwegian-national-id-number-with-azure-information-protection-and-rms/ and for RMS he also uses RegEx to detect these kind of numbers since they have a specific sequence and how it is built up.
Now Cloud App Security which I have blogged about earlier has an option to connect to Office365 to do content inspection http://msandbu.org/microsoft-cloud-app-security-integrating-with-office365/
So to ensure this is going to work I typed in a bogus nation ID number in a work documented contained in a Onedrive for Buisness for a specific user.
Then I needed to create a content inspection policy.
So first we need to create a new file policy.
So I give it a name, specify where the policy is going to be applied which is OneDrive for buisness and that it applies to all files.
Then I enabled content inspection and specified that I needed to use a regular expression. For some reason I couldn’t use the same regex that Jan Vidar had so I needed to create a new one.
\b(?:0[1-9]|[12]\d|3[01])(?:[04][1-9]|[15][0-2])\d{7}\b(This site http://regexr.com/ is a life saver!)¨
Then I just specify that it should create an alert for each matching file detected. Now depending on the amount of files in the OneDrive structure or the users it might take some time, but go into Investigate > Files
Now eventually you can see the file appearing in the list, if you open the file you can see that it matched the policy “Social Security number” and scan complete which states that the policy has finished inspecting the content.
It now appears in the Alerting pane based upon the policy.
So from within the alerting pane I can for instance put the user in quarantine or open up the document to double check if the content is actually valid.
