Cloud App Security: Masking with File Policy

To be honest, I felt a bit fooled by the “masking” method. Well, at first, just by looking at the feature in the file policy, I thought it had the capability to mask sensitive information in the files, but I was wrong, which I only found out when I tested it myself.

Another honest admission from me: I had read one of the paragraphs from Microsoft Docs about masking 7 times before I noticed that this feature is just plain masking to prevent viewing on the administration side. #sadme #dummy


  • There are administration permission/role settings that you can manage. I will talk about this more in another blog.
  • This isn’t limited to only Office 365 products.

It was this paragraph:

In addition, you can specify a regular expression to exclude a file from the results. This option is highly useful if you have an inner classification keyword standard that you want to exclude from the policy.
You can decide to set the minimum number of content violations that you want to match before the file is considered a violation. For example, you can choose 10 if you want to be alerted on files with at least 10 credit card numbers found within its content.
When content is matched against the selected expression, the violation text is replaced with “X” characters. By default, violations are masked and shown in their context displaying 100 characters before and after the violation. Numbers in the context of the expression are replaced with “#” characters and are never stored within Cloud App Security. You can select the option to Unmask the last four characters of a violation to unmask the last four characters of the violation itself. It’s necessary to set which data types the regular expression searches: content, metadata and/or file name. By default, it searches the content and the metadata. 
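The masking rules in that paragraph, written out as an added illustration in my own Python (this is not Cloud App Security's code): the sample record and the ID pattern are constructed, and a simple regex stands in for the real Malaysian Identification Card classifier. It also applies the "minimum number of content violations" threshold from the same paragraph.

```python
import re

# Constructed sample text. The 12-digit hyphenated number is a made-up
# placeholder format, not the real classifier used by the service.
SAMPLE_TEXT = (
    "Employee record 2019-03. Name: Jane Doe, phone 0123456789, "
    "IC number 900101-14-5678 issued in 1990. Department 42."
)
IC_PATTERN = re.compile(r"\b\d{6}-\d{2}-\d{4}\b")  # assumed stand-in pattern
CONTEXT_CHARS = 100  # docs default: 100 characters before and after a violation


def mask_violations(text, pattern, context=CONTEXT_CHARS,
                    unmask_last_four=False, min_violations=1):
    """Return one masked snippet per match, following the documented rules.

    - the matched violation becomes 'X' characters (last four kept if asked)
    - digits in the surrounding context become '#' so no other numbers leak
    - only `context` characters on each side are kept, never the whole file
    - if fewer than `min_violations` matches exist, nothing is reported
    """
    matches = list(pattern.finditer(text))
    if len(matches) < min_violations:
        return []
    snippets = []
    for m in matches:
        violation = m.group(0)
        if unmask_last_four:
            masked = "X" * (len(violation) - 4) + violation[-4:]
        else:
            masked = "X" * len(violation)
        before = re.sub(r"\d", "#", text[max(0, m.start() - context):m.start()])
        after = re.sub(r"\d", "#", text[m.end():m.end() + context])
        snippets.append(before + masked + after)
    return snippets


if __name__ == "__main__":
    # Short context so the snippet fits on one line when printed.
    for s in mask_violations(SAMPLE_TEXT, IC_PATTERN, context=20,
                             unmask_last_four=True):
        print(s)
```

Note that the phone number and dates in the context come out as '#' characters, which is exactly why the admin view shows nothing else useful even when the last four characters are unmasked.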

So the policy goes through the same stages:

  1. Define Condition
  2. Define Actions
  3. Define Exception
  4. Define Notification

Anyway, this blog will elaborate on how the masking works:

So I have created a file policy named “ID Card Masking”. The purpose of this policy is to identify documents that contain a “Malaysian Identification Card” and enable masking, so that administrators do not have the privilege to view the full details and the details are not stored in Cloud App Security.

  1. Go to Control > Policies



  2. Expand the ID Card Masking policy settings

  • I selected no template
  • Give a policy name
  • Give a level of severity
  • Give a category type
  • Give some filtering that this policy will act on (the clearer the filter, the better the match)
  • I selected a specific folder in my OneDrive for Business for this policy to act on
  • Next, I selected Inspection method > Data Classification Service > Malaysian Identification Card
    • In this part you can only choose one data classification for each file policy you create
  • I checked the option to unmask the last 4 characters of the sensitive information



  3. Next, you will have to define notifications and actions

  • For notification, I left it as default
  • For action, you have the option to apply an AIP label to documents that match this policy


*The AIP label list contains both DLP labels and AIP labels for you to choose from

  4. About 3 minutes after creating this policy, you will be able to view the matching results from the Investigation tab or from the Policy.

  • Click on the policy name (highlighted)



  • Then it will show you the statements where the sensitive information was found in the documents
  • This sensitive information is masked, with only the last 4 characters unmasked


So yeah… that is how the masking works and what it looks like. If you would like to know more about the what and the how, do drop me an email or comment below 😀




Vectra: AI Threat Detection (Live Threat Detection)

Many industries are either in the prevention stage or in the forensic stage of resolving their threats. However, none are detecting active threats running in the enterprise, and this leads to huge implications for the enterprise.


Vectra is an Artificial Intelligence (AI) Threat Detection and Response product. How cool is that?

Vectra uses algorithms to detect threats, instead of using a database of known threats to identify threats in the network environment.

What Vectra does:

  1. It always keeps track of packets flowing in and out of the premises
  2. Detects the types of threat found in a packet
  3. Keeps track of the packet’s threat stage
  4. Provides “From” and “To” details of the transmission of packets
  5. Alerts the premises’s technical team about threats
  6. Allows the premises’s technical team to determine which types of threat to detect in packets

2 types of threat compromise flow:

  • Procedural (staged) threats
    • Go through a number of stages to extract confidential data
  • Direct attack threats
    • Extract confidential data directly once compromised

These are the summarized definitions of the image above (stages of threats):

  • Command & Control
    • Cyber admins coordinate an attack over time
  • Botnet monetization
    • Commonly associated with click fraud, sending spam or generating DDoS traffic at a target
    • Consumes valuable resources
    • Damages the external reputation of the network
    • Target is not an organization’s more critical assets
  • Internal reconnaissance
    • Vital part of a targeted attack
    • Begins shortly after an initial infection
    • Allows cybercriminals to orient an attack inside a network and identify targets for lateral movement
  • Lateral Movement
    • Establish multiple points of persistence in a network while moving deeper toward key assets
  • Exfiltration
    • Extract compromised data from inside a network to a remote external attacker
    • Multiple hops or staging phases to evade security controls

It is good to know that there is a technology that could help enterprises detect threat attacks before they are compromised.

Vectra detects active attacks:


Below is a graph of which phases most organizations focus on more to protect their environment from threats,