Share via

How to monitor ALL "Paste to Supported Browser", not just sensitive.

Bryan G 0 Reputation points
2025-04-28T13:47:14.82+00:00

I am struggling w/ "content contains" criteria that can be used to monitor ALL paste actions to supported browsers. I have tried using size properties, but a minimum of 10kb is expected. I have tried some other properties like file extension and can't get a simple policy to trigger.

I want to have an event trigger any time ANYTHING is pasted into a supported browser. Trying this so we can then correlate to recent "copy to clipboard" events to see if clipboard data copied to browser may have come from a MIP labeled document.

The key part of this question, though, is how to have the least restrictive criteria for the paste side. What "content contains" property is best used here to catch everything. If even possible.

Microsoft Purview
Microsoft Purview
A Microsoft data governance service that helps manage and govern on-premises, multicloud, and software-as-a-service data. Previously known as Azure Purview.
1,545 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. J N S S Kasyap 1,715 Reputation points Microsoft External Staff
    2025-04-28T16:51:04.5533333+00:00

    Hi @Bryan G

     Monitor all paste actions into supported browsers using Data Loss Prevention (DLP) policies, rather than focusing only on traditional sensitive data types. This can be a bit tricky, since DLP is primarily designed to detect and protect sensitive content.

    Here’s the approach you can use to monitor all paste actions:

    Policy Creation

    When creating a DLP policy, you’ll need to configure it broadly. Since DLP policies typically rely on content matching (like sensitive info types), you should create a custom Sensitive Information Type (SIT) that can detect any content.

    • Create a Custom SIT that uses a simple regular expression pattern like .{1,} to match any pasted text.

    Set the confidence level to Low and the minimum match count to 1.

    https://learn.microsoft.com/en-us/purview/sit-create-a-custom-sensitive-information-type

    Use of the "Content Contains" Criteria

    Rather than specifying known sensitive types, use your new catch-all Custom SIT for the "Content contains" condition. This will allow you to trigger events for any paste action that includes even a small amount of content.

    • Without matching content, DLP policies won't trigger DLP cannot detect paste activity alone without a content match.

    Actions for the Policy

    • Set the action to Audit to start capturing data without blocking paste actions initially.
    • This will allow you to gather logs of all paste activities without interrupting user experience.

    Later, you can correlate paste events with earlier "copy to clipboard" events, and track whether data from MIP-labeled documents was pasted into browsers.

    https://learn.microsoft.com/en-us/purview/dlp-create-deploy-policy?tabs=purview

    Endpoint DLP Configuration

    Because "Paste to supported browser" is an Endpoint DLP monitored activity, ensure:

    • Devices are properly onboarded to Endpoint DLP.
    • The Microsoft Purview Extension is deployed for browsers

    https://learn.microsoft.com/en-us/purview/endpoint-dlp-learn-about
    Once deployed:

    • Test first with a small pilot group of users or devices.
    • Review events in Activity Explorer to ensure you are capturing the expected paste activities.
    • Be prepared for higher event volume, since matching all paste actions can generate a lot of logs.
    • Adjust and tune policies if needed to reduce noise

    I hope this information helps. Please do let us know if you have any further queries.

    Kindly consider upvoting the comment if the information provided is helpful. This can assist other community members in resolving similar issues.

    Thank you.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.