Adventures in Custom DLP Rules – Part Two

In the first part of this series, I showed you how to create a basic DLP XML file to import manually. Now I want to cover how to do this with PowerShell. The end goal is to create a usable rule XML file for DLP rules. Keep in mind that this is a very basic script which creates a very basic XML file. The script does not check the RegEx syntax, it does not verify that the GUIDs it generates are unique, and it will not upload the result to the cloud automatically. That last limitation is easy to change: if you run the script from a session that already has the Windows Azure PowerShell module loaded, modify it to execute the import lines directly instead of writing them into a script file for you to run later.

Reference XML File
I took this XML file from a TechNet page and put its contents here for reference. This XML file was used for my mock-up and is what I am emulating with the script:

<?xml version="1.0" encoding="UTF-8"?>
<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
<RulePack id="db804fe3-3d00-4859-be48-e1c40b4384fe">
<Version revision="0" build="0" minor="0" major="1"/>
<Publisher id="312b8848-ff8d-4959-924d-0e7da14ca278"/>
<Details defaultLangCode="en-us">
<LocalizedDetails langcode="en-us">
<PublisherName>Bank DLP</PublisherName>
<Name>Social Security Numbers</Name>
<Description>Social Security Numbers</Description>
</LocalizedDetails>
</Details>
</RulePack>
<Rules>
<Entity id="41af5f83-6ef4-4020-adb2-f8771cdffc67" recommendedConfidence="85" patternsProximity="300">
<Pattern confidenceLevel="85">
<IdMatch idRef="FormattedSSN"/>
</Pattern>
<Pattern confidenceLevel="85">
<IdMatch idRef="UnformattedSSN"/>
</Pattern>
</Entity>
<Regex id="FormattedSSN"> (?!\b(\d)\1+-(\d)\1+-(\d)\1+\b)(?!123-45-6789|219-09-9999|078-05-1120)(?!666|000|9\d{2})\d{3}-(?!00)\d{2}-(?!0{4})\d{4} </Regex>
<Regex id="UnformattedSSN"> (?!\b(\d)\1+\b)(?!123456789|219099999|078051120)(?!666|000|9\d{2})\d{3}(?!00)\d{2}(?!0{4})\d{4} </Regex>
<LocalizedStrings>
<Resource idRef="41af5f83-6ef4-4020-adb2-f8771cdffc67">
<Name langcode="en-us" default="true">Social Security Number</Name>
<Description langcode="en-us" default="true">A custom classification for detecting Social Security Numbers with and without dashes.</Description>
</Resource>
</LocalizedStrings>
</Rules>
</RulePackage>

The PowerShell Script
To create the above XML file, I had several criteria in making the file. I needed GUIDs for several parts of the script, names, descriptions and other parts. All of these are included in the script. You will also be prompted for the RegEx syntax to be used in the DLP policy for rule matching in Exchange/Office 365. The script may appear rather complicated, but in fact it is rather simple. You are presented with a series of questions which populate the XML file and at the end there is an option to import the XML into Exchange or Office 365 for future rules.

Here is the script:

<#
.SYNOPSIS
    Creates XML file to be used for DLP rules in Exchange 2013 or Office 365.

.DESCRIPTION
    Creates XML file to be used for DLP rules in Exchange 2013 or Office 365.  The XML file is very basic in version 1.1

.NOTES
    Version             : 1.1 - Created script for XML generation
    Wish list           : More options
                        : Event logging
    Rights Required     : Local admin on server
    Sched Task Req'd    : No
    Exchange Version    : 2013
    Author              : Just A UC Guy [JAUCG]
    Email/Blog/Twitter  : https://justaucguy.wordpress.com/
    Dedicated Blog      : https://justaucguy.wordpress.com/
    Disclaimer          : You are on your own.  This was not written by, supported by, or endorsed by Microsoft.
    Info Stolen from    : The interwebs.  See my blog post for source sites.
.LINK
[TBD]

.EXAMPLE
    .\create-xmlfordlp.ps1

.INPUTS
    None. You cannot pipe objects to this script.
#>
Clear-Host
Write-Host "#############################################################" -ForegroundColor Green
Write-Host "#                                                           #" -ForegroundColor Green
Write-Host "#     " -NoNewline -ForegroundColor Green
Write-Host "DLP Template XML File Builder" -NoNewline
Write-Host "                         #" -ForegroundColor Green
Write-Host "#                                                           #" -ForegroundColor Green
Write-Host "#     This script will help construct a basic XML file      #" -ForegroundColor Green
Write-Host "#      that can be used to create a new DLP policy and      #" -ForegroundColor Green
Write-Host "#      a new transport rule to control certain information  #" -ForegroundColor Green
Write-Host "#      type.                                                #" -ForegroundColor Green
Write-Host "#                                                           #" -ForegroundColor Green
Write-Host "#                                       " -NoNewline -ForegroundColor Green
Write-Host "by Damian Scoles" -NoNewline
Write-Host "    #" -ForegroundColor Green
Write-Host "#                                                           #" -ForegroundColor Green
Write-Host "#############################################################" -ForegroundColor Green
Write-Host " "
Write-Host " "

# Generate GUIDs - for use in parts of the XML file
$guid  = [guid]::NewGuid()   # RulePack id
$guid2 = [guid]::NewGuid()   # Publisher id
$guid3 = [guid]::NewGuid()   # Entity id, also referenced by the LocalizedStrings Resource

# Escape &, <, >, " and ' so that user-entered text (including the RegEx) cannot break the XML structure
function ConvertTo-XmlText ([string]$text) { [System.Security.SecurityElement]::Escape($text) }

# Body of the script
Write-Host "First we'll plug in the first couple of lines and then ask "
Write-Host "for some information for the DLP policy."
Write-Host " "
Start-Sleep -Seconds 5
$filenameinput = Read-Host "Enter a filename for the xml part to be stored in.  Don't worry about the extension, it will be added (i.e. SSNRule)"
$filename    = $filenameinput + ".txt"
$filenamexml = $filenameinput + ".xml"
$directory   = Read-Host "What directory will the files be stored in (i.e. c:\temp)"
$fulldirectory    = Join-Path $directory $filename
$fulldirectoryxml = Join-Path $directory $filenamexml
# Add-Content appends, so a leftover file from an earlier run would produce invalid XML - start clean
if (Test-Path $fulldirectory) { Remove-Item $fulldirectory }

Add-Content $fulldirectory "<?xml version=`"1.0`" encoding=`"UTF-8`"?>"
Add-Content $fulldirectory "<RulePackage xmlns=`"http://schemas.microsoft.com/office/2011/mce`">"
Add-Content $fulldirectory "<RulePack id=`"$guid`">"
Add-Content $fulldirectory "<Version revision=`"0`" build=`"0`" minor=`"0`" major=`"1`"/>"
Add-Content $fulldirectory "<Publisher id=`"$guid2`"/>"

# Placeholder for future code to accept other languages
# $language = Read-Host "Choose which language for the XML file.  Default is 'en-us'."
$language = "en-us"
Add-Content $fulldirectory "<Details defaultLangCode=`"$language`">"
Add-Content $fulldirectory "<LocalizedDetails langcode=`"$language`">"
$publisher = ConvertTo-XmlText (Read-Host "Enter a Publisher Name (i.e. Ben Smith from That Company)")
Add-Content $fulldirectory "<PublisherName>$publisher</PublisherName>"
$name = ConvertTo-XmlText (Read-Host "Enter a name for the DLP rule (i.e. SSN Rule)")
Add-Content $fulldirectory "<Name>$name</Name>"
$description = ConvertTo-XmlText (Read-Host "Enter a description for the DLP rule")
Add-Content $fulldirectory "<Description>$description</Description>"
Add-Content $fulldirectory "</LocalizedDetails>"
Add-Content $fulldirectory "</Details>"
Add-Content $fulldirectory "</RulePack>"
Add-Content $fulldirectory "<Rules>"
Add-Content $fulldirectory "<Entity id=`"$guid3`" recommendedConfidence=`"85`" patternsProximity=`"300`">"

# Loop through the number of RegEx conditions to be applied to the DLP rule.
[int]$regexnum = Read-Host "Enter the number of RegEx expressions to be used for this rule (i.e. 1)"
$RegExID2 = @()
$i = 1
do {
    $RegExID = ConvertTo-XmlText (Read-Host "Enter an ID or short name for the RegEx criteria (i.e. FormattedSSN)")
    Add-Content $fulldirectory "<Pattern confidenceLevel=`"85`">"
    Add-Content $fulldirectory "<IdMatch idRef=`"$RegExID`"/>"
    Add-Content $fulldirectory "</Pattern>"
    $RegExID2 += $RegExID
    Start-Sleep -Seconds 2
    $i++
} while ($i -le $regexnum)

Add-Content $fulldirectory "</Entity>"

# Add the RegEx information - one Regex element per ID collected above, in the same order
foreach ($line in $RegExID2) {
    $regEx = ConvertTo-XmlText (Read-Host "Enter the RegEx expression to be used for $line")
    Write-Host " "
    Write-Host "*** NOTE ***" -ForegroundColor Green -NoNewline
    Write-Host " This script " -NoNewline
    Write-Host "cannot" -ForegroundColor Red -NoNewline
    Write-Host " validate the RegEx expression you entered.  Please use an external website such as http://www.regexr.com/."
    Write-Host " "
    Add-Content $fulldirectory "<Regex id=`"$line`">$regEx</Regex>"
    Start-Sleep -Seconds 2
}

Add-Content $fulldirectory "<LocalizedStrings>"
Add-Content $fulldirectory "<Resource idRef=`"$guid3`">"
Add-Content $fulldirectory "<Name langcode=`"$language`" default=`"true`">$name</Name>"
Add-Content $fulldirectory "<Description langcode=`"$language`" default=`"true`">$description</Description>"
Add-Content $fulldirectory "</Resource>"
Add-Content $fulldirectory "</LocalizedStrings>"
Add-Content $fulldirectory "</Rules>"
Add-Content $fulldirectory "</RulePackage>"

# Convert the TXT file to a UTF-8 formatted XML file (Add-Content does not write UTF-8 by default).
$file_content = Get-Content $fulldirectory
$file_content      # echo the finished XML to the console for review
[System.IO.File]::WriteAllLines($fulldirectoryxml, $file_content)
Start-Sleep -Seconds 5

# Menu for location to import the XML file into.
Write-Host "Do you want to import the policy?" -ForegroundColor Green
$selection = Read-Host "Press y for yes or n for no."
if ($selection -eq "y") {
    Write-Host ""
    Write-Host "Enter 1 for Exchange 2013 or enter 2 for Office 365." -ForegroundColor Yellow
    $version = Read-Host "Selection"
    if ($version -eq "1") {
        # Import the XML file into Exchange (run this from the Exchange Management Shell)
        New-ClassificationRuleCollection -FileData ([Byte[]]$(Get-Content -Path $fulldirectoryxml -Encoding Byte -ReadCount 0))
    }
    elseif ($version -eq "2") {
        # Azure Script - save as PS1 file
        Write-Host "To import the file into Office 365, you will need to run a PS1 script."
        $directory2 = Read-Host "In which directory do you want to save the Office 365 script (i.e. c:\temp)"
        $filenameinput2 = Read-Host "Enter a filename for the ps1 file.  Don't worry about the extension, it will be added (i.e. Office365)"
        $AzureScriptFile = Join-Path $directory2 ($filenameinput2 + ".ps1")
        if (Test-Path $AzureScriptFile) { Remove-Item $AzureScriptFile }

        # Write the import script for Office 365. Its $fulldirectory variable is set to the XML file
        # this run produced; edit that line in the generated file if the XML is moved before running it.
        Write-Host " "
        Write-Host 'The generated script sets $fulldirectory to the XML file created above.' -ForegroundColor Yellow
        Write-Host 'Edit that line if you move the XML, something like this:' -ForegroundColor Yellow
        Write-Host '$fulldirectory = "c:\temp\dlprule.xml"'
        Write-Host " "
        Add-Content $AzureScriptFile "# Please run these commands on a server that has the Windows Azure add-in for PowerShell:"
        Add-Content $AzureScriptFile "`$fulldirectory = `"$fulldirectoryxml`""
        Add-Content $AzureScriptFile '$LiveCred = Get-Credential'
        Add-Content $AzureScriptFile '$Session = New-PSSession -Name ExchangeOnline -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection'
        Add-Content $AzureScriptFile 'Import-PSSession $Session'
        Add-Content $AzureScriptFile 'New-ClassificationRuleCollection -FileData ([Byte[]]$(Get-Content -Path $fulldirectory -Encoding Byte -ReadCount 0))'
        Write-Host "The script has been created.  Please copy this to a server with the Windows Azure Add-In for PowerShell."
    }
    else {
        # Anything other than 1 or 2 is rejected
        Write-Host "Invalid entry"
    }
}
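The two things the post says the script does not do, checking the RegEx syntax and checking that the generated GUIDs are unique, can be done on the finished file before it is imported. The function below is an added example, not part of the blog's script; it reads a rule package in the format of the reference XML above (assuming the same schema namespace), checks that every id is a unique GUID, that every IdMatch and Resource reference resolves, and that every Regex compiles as a .NET regular expression, and optionally reports which constructed sample strings each Regex matches.

```powershell
# Added example, not part of the blog's script: structural checks for a generated rule package.
# Assumes the file uses the schema namespace shown in the reference XML above.
function Test-DlpRulePackage {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$SampleText = @()          # optional strings to run every Regex against
    )
    $ns = @{ m = 'http://schemas.microsoft.com/office/2011/mce' }
    $problems = New-Object System.Collections.Generic.List[string]
    [xml]$doc = Get-Content -Path $Path -Raw  # throws immediately if the XML is not well formed
    # 1. Every id must parse as a GUID, and no GUID may appear twice (the generator never checks this).
    $ids = @(Select-Xml -Xml $doc -Namespace $ns -XPath '//m:RulePack/@id|//m:Publisher/@id|//m:Entity/@id' |
             ForEach-Object { $_.Node.Value })
    $parsed = [guid]::Empty
    foreach ($id in $ids) {
        if (-not [guid]::TryParse($id, [ref]$parsed)) { $problems.Add("Not a GUID: '$id'") }
    }
    foreach ($dupe in ($ids | Group-Object | Where-Object { $_.Count -gt 1 })) {
        $problems.Add("GUID used more than once: $($dupe.Name)")
    }

    # 2. Every IdMatch must point at an existing Regex id, and every Resource at an existing Entity id.
    $regexNodes = @(Select-Xml -Xml $doc -Namespace $ns -XPath '//m:Regex' | ForEach-Object { $_.Node })
    $regexIds   = @($regexNodes | ForEach-Object { $_.id })
    $entityIds  = @(Select-Xml -Xml $doc -Namespace $ns -XPath '//m:Entity/@id' | ForEach-Object { $_.Node.Value })
    foreach ($ref in (Select-Xml -Xml $doc -Namespace $ns -XPath '//m:IdMatch/@idRef')) {
        if ($regexIds -notcontains $ref.Node.Value) { $problems.Add("IdMatch refers to unknown Regex '$($ref.Node.Value)'") }
    }
    foreach ($ref in (Select-Xml -Xml $doc -Namespace $ns -XPath '//m:Resource/@idRef')) {
        if ($entityIds -notcontains $ref.Node.Value) { $problems.Add("Resource refers to unknown Entity '$($ref.Node.Value)'") }
    }

    # 3. Every Regex must compile as a .NET regular expression; optionally show which samples it matches.
    foreach ($node in $regexNodes) {
        try {
            $re = New-Object System.Text.RegularExpressions.Regex ($node.InnerText.Trim())
            foreach ($s in $SampleText) {
                if ($re.IsMatch($s)) { Write-Host ("Regex '{0}' matches sample '{1}'" -f $node.id, $s) }
            }
        } catch {
            $problems.Add("Regex '$($node.id)' does not compile: $($_.Exception.Message)")
        }
    }
    return $problems   # an empty list means the package passed every check
}

# Run against the XML the script above produces (path and sample values are constructed):
# Test-DlpRulePackage -Path 'C:\temp\SSNRule.xml' -SampleText '123-45-6789', '079-05-1121'
```

Run it in the same shell that will do the import; a non-empty result is a reason not to call New-ClassificationRuleCollection yet.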

A quick run through of the Script Operation
The initial screen gives you a brief intro of the purpose of the script and what to expect:

XML-InitialScreen

Next, a series of questions to help construct the XML file are asked:

XML-SeriesOfQuestions

Then a reminder that the script will not validate the RegEx syntax, with a link to a site that can:

XML-RegExValidation

Lastly, will you import this XML now or later:

XML-Import

That’s it. Pretty simple. I will attempt to add more options later, but this is version 1.0 of the script.

Further Reading

PowerShell GUID creation
RegEx Checking Site
Exporting a text file to UTF8 format, as required for these XML files.

Update – 11-26-2014
Fixed some typos and the XML file creation which was not working 100%.
