Stats
Actions
Tags
From cybersecurity-skills
Deploys endpoint DLP policies in Microsoft Purview to block sensitive data exfiltration via email, USB, cloud, and printing. For DLP agent deployment and content inspection.
How this skill is triggered — by the user, by Claude, or both
Slash command
/cybersecurity-skills:implementing-endpoint-dlp-controlsThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Use this skill when:
Use this skill when:
Do not use for network DLP (inline proxy-based) or cloud-only DLP (CASB).
Microsoft Purview → Data Classification → Sensitive info types
Built-in SITs for common data:
- Credit card number (PCI)
- Social Security Number (PII)
- Health records (HIPAA)
- Passport number
- Bank account number
Custom SIT example (Employee ID):
Pattern: EMP-[0-9]{6}
Confidence: High
Keywords: "employee id", "emp id", "staff number"
Microsoft Purview → Data loss prevention → Policies → Create policy
Policy Configuration:
1. Template: Financial / Medical / PII (or custom)
2. Locations: Devices (endpoint DLP)
3. Conditions:
- Content contains: Credit card numbers (min 5 instances)
- OR Content contains: SSN (min 1 instance)
4. Actions:
- Block: Prevent copy to USB, cloud, email
- Audit: Log but allow (for initial deployment)
- Notify: Show user notification with policy tip
5. User notifications:
- "This file contains sensitive data and cannot be copied to this location"
- Allow override with business justification (optional)
Monitored endpoint activities:
- Upload to cloud service (OneDrive, Dropbox, Google Drive)
- Copy to removable media (USB drives)
- Copy to network share
- Print document
- Copy to clipboard
- Access by unallowed browser (non-managed browser)
- Access by unallowed app
- Copy to Remote Desktop session
For each activity, configure:
- Audit only (log the action)
- Block with override (user can justify and proceed)
- Block (prevent action entirely)
Deploy DLP policy in "Test mode with notifications" first:
1. Policy runs in audit mode for 2-4 weeks
2. Review DLP alerts in Activity Explorer
3. Identify false positives
4. Tune SIT patterns and conditions
5. Add exclusions for legitimate workflows
6. Switch to "Turn on the policy" (enforcement)
Purview → Data loss prevention → Activity explorer
Key metrics:
- DLP policy matches per day/week
- Top matched sensitive info types
- Top users triggering DLP
- Top activities blocked (USB, cloud, email)
- Override rate (percentage of blocks overridden)
DLP incident response:
1. Review DLP alert with matched content
2. Verify sensitivity of detected data
3. Assess intent (accidental vs. intentional)
4. If intentional exfiltration → escalate to security incident
5. If accidental → educate user, refine policy
| Term | Definition |
|---|---|
| DLP | Data Loss Prevention; technology that detects and prevents unauthorized transmission of sensitive data |
| SIT | Sensitive Information Type; pattern matching rules for identifying sensitive data (regex, keywords, ML classifiers) |
| Policy Tip | User-facing notification explaining why an action was blocked and how to request an override |
| Content Inspection | Deep inspection of file contents to identify sensitive data patterns |
| Exact Data Match (EDM) | DLP matching against a specific database of known sensitive values (exact SSNs, employee records) |
npx claudepluginhub costrict-plugins-repo/mukul975-anthropic-cybersecurity-skills-cybersecurity-skillsImplements Microsoft Purview endpoint DLP policies to block sensitive data exfiltration via USB, email, cloud storage, and printing. For deploying agents and content inspection rules.
Deploys endpoint DLP controls to detect and prevent sensitive data exfiltration via email, USB, cloud storage, and printing. Configures Microsoft Purview DLP policies, content inspection rules, and sensitive information types.
Implements Microsoft Purview endpoint DLP controls to block sensitive data exfiltration via email, USB, cloud storage, and printing. For deploying DLP agents, content inspection policies, and compliance like GDPR, HIPAA.