Complex DLP Rule Design Is, Well...Complex

Matthew Silcox

12 Jul 2025 — 3 min read

One of the most common issues I'm tasked with resolving for my Purview customers is the structure of the DLP Rules within their DLP Policies. You build a rule based on common sense understanding and find that common sense isn't always the right approach.

It's easy to see the Boolean operator options in front of you and take them at face value. Looking at this rule logic, you would be forgiven for assuming that it would match on an email containing a Social Security number and an ITIN:

Unfortunately, that's not how Purview is expecting that condition to be built:

What you should do, is this:

Now we can add the Sensitive Information Type (SIT) that we want to link:

You would think that these are functionally the same, but Purview doesn't evaluate the first one as a Boolean "and". If you've built your rule that way, and you're not seeing the expected hits in the Activity Explorer, modify it to use a nested group.

❓Ok, but what about...

One thing to note is that there are still scenarios where you should use a non-nested group. Here, you can see that nesting a "Content Contains" condition only leaves a few options for the second condition:

But, adding a second condition gives you way more options (like, way-way more):

➕Bonus Options

One or the other:

One or the other, and, one or the other:

One or the other, and, one or the other AND another:

Hopefully this somewhat simplifies the complex. If you're having issues with your Purview DLP policies, let's connect and see where I can help!

Using Microsoft’s Data Security Stack to Prevent the Next Breach

AI is transforming industries worldwide, but it’s simultaneously creating one of the largest data risks we've ever seen. According to the Varonis 2025 State of Data Security Report, 95% of healthcare organizations have exposed sensitive cloud data, and 64% have employees using unverified AI tools. The same

Email SIT Finder Update: All Credentials Bundled Entity

Found this nugget buried in the Purview Blueprints Github repo. Figured I'd take a crack at integrating credential SITs into my EXO SIT Finder. The "All Credentials" Bundled SIT is multitudinous and complex, as you can see in the linked Learn Doc below. Current SITs being

Architectural Case Study | Extending Microsoft Purview with Fortra (Digital Guardian) DLP via the MIP SDK

This post is a continuation of a series. See part 1, here. Most enterprises already live in dual worlds. On one side, Microsoft Purview governs information inside Microsoft 365. But on the other, dedicated DLP platforms like Digital Guardian DLP control endpoints, networks, and file movement. So what's

Uniting Purview and Third-Party Data Security Products

As a consultant in the Microsoft Security & Compliance space, you learn that some projects are more like therapy sessions. Half the organization wants to migrate to Microsoft, and the other half, clutching their Varonis or Symantec licenses, waits in the shadows for their "I told you so"