File policies

Applies to: Microsoft Cloud App Security


Threat protection product names from Microsoft are changing. Read more about this and other updates here. We'll be updating names in products and in the docs in the near future.

File policies allow you to enforce a wide range of automated processes using the cloud provider's APIs. Policies can be set to provide continuous compliance scans, legal eDiscovery tasks, DLP for sensitive content shared publicly, and many more use cases. Cloud App Security can monitor any file type based on more than 20 metadata filters (for example, access level, file type).

Supported file types

Cloud App Security's built-in DLP engines perform content inspection by extracting text from all common file types (100+) including Office, Open Office, compressed files, various rich text formats, XML, HTML, and more.


The engine combines three aspects under each policy:

  • Content scan based on preset templates or custom expressions.

  • Context filters including user roles, file metadata, sharing level, organizational group integration, collaboration context, and additional customizable attributes.

  • Automated actions for governance and remediation. For more information, see Control.


    Only the governance action of the first triggered policy is guaranteed to be applied. For example, if a file policy has already applied an Azure Information Protection (AIP) label to a file, a second file policy cannot apply another AIP label to it.

Once enabled, the policy continuously scans your cloud environment, identifies files that match the content and context filters, and applies the requested automated actions. These policies detect and remediate violations in at-rest information and in newly created content. Policies can be monitored using real-time alerts or console-generated reports.

The following are examples of file policies that can be created:

  • Publicly shared files - Receive an alert about any file in your cloud that is publicly shared by selecting all files whose sharing level is public.

  • Publicly shared filename contains the organization's name - Receive an alert about any file that contains your organization's name and is publicly shared. Select files with a filename containing the name of your organization and which are publicly shared.

  • Sharing with external domains - Receive an alert about any file shared with accounts owned by specific external domains. For example, files shared with a competitor's domain. Select the external domain with which you want to limit sharing.

  • Quarantine shared files not modified during the last period - Receive an alert about shared files that no one modified recently, to quarantine them or choose to turn on an automated action. Exclude all the Private files that weren't modified during a specified date range. On G Suite, you can choose to quarantine these files, using the 'quarantine file' checkbox on the policy creation page.

  • Sharing with unauthorized users - Receive an alert about files shared with an unauthorized group of users in your organization. Select the users for whom sharing is unauthorized.

  • Sensitive file extension - Receive an alert about files with specific extensions that are potentially highly exposed. Select the specific extension (for example, crt for certificates) or filename and exclude those files with private sharing level.

Create a new file policy

To create a new file policy, follow this procedure:

  1. In the console, click on Control followed by Policies.

  2. Click Create policy and select File policy.

  3. Give your policy a name and description. If you want, you can base it on a template; for more information on policy templates, see Control cloud apps with policies.

  4. Give your policy a Policy severity. If you have set Cloud App Security to send you notifications on policy matches for a specific policy severity level, this level is used to determine whether the policy's matches trigger a notification.

  5. Within Category, link the policy to the most appropriate risk type. This field is informative only and helps you search for specific policies and alerts later, based on risk type. The risk may already be preselected according to the category for which you chose to create the policy. By default, File policies are set to DLP.

  6. Create a filter for the files this policy will act on to set which discovered apps trigger this policy. Narrow down the policy filters until you reach an accurate set of files you wish to act upon. Be as restrictive as possible to avoid false positives. For example, if you wish to remove public permissions, remember to add the Public filter; if you wish to remove an external user, use the "External" filter, and so on.


    When using the policy filters, Contains searches only for full words, separated by commas, dots, spaces, or underscores. For example, if you search for malware or virus, it finds virus_malware_file.exe but it does not find malwarevirusfile.exe. If you search for malware.exe, you find ALL files with either malware or exe in their filename, whereas if you search for "malware.exe" (with the quotation marks) you find only files that contain exactly "malware.exe". Equals searches only for the complete string: for example, if you search for malware.exe it finds malware.exe but not malware.exe.txt.

  7. Under the first Apply to filter, select All files excluding selected folders or Selected folders for Box, SharePoint, Dropbox, OneDrive, where you can enforce your file policy over all files on the app or on specific folders. You're redirected to sign in to the cloud app, and then add the relevant folders.

  8. Under the second Apply to filter, select either All file owners, File owners from selected user groups or All file owners excluding selected groups. Then select the relevant user groups to determine which users and groups should be included in the policy.

  9. Select the Content inspection method. You can select either Built-in DLP or Data Classification Services. We recommend using Data Classification Services.

    Once content inspection is enabled, you can choose to use preset expressions or to search for other customized expressions.

    In addition, you can specify a regular expression to exclude a file from the results. This option is highly useful if you have an inner classification keyword standard that you want to exclude from the policy.

    You can decide to set the minimum number of content violations that you want to match before the file is considered a violation. For example, you can choose 10 if you want to be alerted on files with at least 10 credit card numbers found within their content.

    When content is matched against the selected expression, the violation text is replaced with "X" characters. By default, violations are masked and shown in their context, displaying 100 characters before and after the violation. Numbers in the context of the expression are replaced with "#" characters and are never stored within Cloud App Security. You can select the option Unmask the last four characters of a violation to unmask the last four characters of the violation itself. It's necessary to set which data types the regular expression searches: content, metadata and/or file name. By default it searches the content and the metadata.

  10. Choose the Governance actions you want Cloud App Security to take when a match is detected.

  11. Once you've created your policy, you can view it in the File policy tab. You can always edit a policy, calibrate its filters, or change the automated actions. The policy is automatically enabled upon creation and starts scanning your cloud files immediately. Take extra care when you set governance actions: they could lead to irreversible loss of access permissions to your files. It's recommended to narrow down the filters to exactly represent the files that you wish to act upon, using multiple search fields. The narrower the filters, the better. For guidance, you can use the Edit and preview results button in the Filters section.


  12. To view file policy matches, that is, files that are suspected to violate the policy, click Control and then Policies. Filter the results to display only the file policies using the Type filter at the top. For more information about the matches for each policy, click on a policy. This displays the "Matching now" files for the policy. Click the History tab to see a history of up to six months of files that matched the policy.
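The Contains and Equals filename filter semantics described in step 6 (whole words split on commas, dots, spaces and underscores; quoted queries matched verbatim; Equals matching the complete string only) modelled as a small Python reimplementation. This is an added example for illustration, not Cloud App Security's own filter code; the sample filenames are constructed, and case-insensitive matching and substring semantics for quoted queries are assumptions.

```python
import re

# Constructed sample filenames for the demo (not taken from the page).
SAMPLE_FILES = [
    "virus_malware_file.exe",
    "malwarevirusfile.exe",
    "malware.exe",
    "malware.exe.txt",
    "quarterly_report.docx",
]

# The page lists commas, dots, spaces and underscores as word separators.
WORD_SEP = re.compile(r"[,.\s_]+")


def words(text):
    """Split a filename or query into the whole words the Contains filter compares."""
    return {w for w in WORD_SEP.split(text.lower()) if w}


def contains(filename, query):
    """Model of the Contains filter.

    A query wrapped in double quotes must appear verbatim in the filename
    (assumed here to mean a case-insensitive substring); an unquoted query is
    split into whole words and matches if ANY of them is a whole word of the name.
    """
    q = query.strip()
    if len(q) >= 2 and q[0] == q[-1] == '"':
        return q[1:-1].lower() in filename.lower()
    return bool(words(q) & words(filename))


def equals(filename, query):
    """Model of the Equals filter: the complete string must match (case assumed insensitive)."""
    return filename.lower() == query.strip().lower()


def apply_filter(files, query, op="contains"):
    """Return the filenames a policy filter would select, preserving input order."""
    predicate = contains if op == "contains" else equals
    return [f for f in files if predicate(f, query)]


if __name__ == "__main__":
    for q, op in [("malware", "contains"), ("malware.exe", "contains"),
                  ('"malware.exe"', "contains"), ("malware.exe", "equals")]:
        print(f"{op:8} {q!r:16} -> {apply_filter(SAMPLE_FILES, q, op)}")
```

Running it shows why an unquoted malware.exe is far too broad for a governance action: it selects every file whose name has exe as a whole word.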

File policy reference

This section provides reference details about policies, providing explanations for each policy type and the fields that can be configured for each policy.

A File policy is an API-based policy that enables you to control your organization's content in the cloud, taking into account over 20 file metadata filters (including owner and sharing level) and content inspection results. Based on the policy results, governance actions can be applied. The content inspection engine can be extended via 3rd-party DLP engines as well as anti-malware solutions.

Each policy is composed of the following parts:

  • File filters - Enable you to create granular conditions based on metadata.

  • Content inspection - Enables you to narrow down the policy, based on DLP engine results. You can include a custom expression or a preset expression. Exclusions can be set and you can choose the number of matches. You can also use anonymization to mask the username.

  • Actions - The policy provides a set of governance actions that can be automatically applied when violations are found. These actions are divided into collaboration actions, security actions, and investigation actions.

  • Extensions - Content inspection can be performed via 3rd-party engines for improved DLP or anti-malware capabilities.
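The content inspection behaviour described in step 9 and in the Content inspection bullet above (a minimum number of matches before a file counts as a violation, an exclusion expression, violation text replaced with "X", 100 characters of context each side with digits replaced by "#", and the option to unmask the last four characters) carried through in Python. This is an added example, not Cloud App Security's engine; the sample text and the simplified card-number regex are constructed for the demo.

```python
import re

# Constructed sample content (test-range card numbers, not real data).
SAMPLE_TEXT = (
    "Customer card 4111 1111 1111 1111 expires 12/24. "
    "Second card 5500-0000-0000-0004 ok."
)

# Simplified card-number expression for the demo; a preset template would be richer.
CARD_RE = re.compile(r"\b(?:\d{4}[- ]?){3}\d{4}\b")


def mask_violation(text, match, context=100, unmask_last4=False):
    """Render one match the way the page describes: the hit becomes X characters,
    while up to `context` characters on each side are kept with digits turned into #."""
    start, end = match.start(), match.end()
    before = re.sub(r"\d", "#", text[max(0, start - context):start])
    after = re.sub(r"\d", "#", text[end:end + context])
    hit = match.group(0)
    if unmask_last4:
        masked = "X" * (len(hit) - 4) + hit[-4:]
    else:
        masked = "X" * len(hit)
    return before + masked + after


def inspect_content(text, pattern=CARD_RE, min_matches=1, exclude=None,
                    context=100, unmask_last4=False):
    """Return the masked snippets if the content counts as a violation, else [].

    `exclude` is an optional regex string (the page's "exclude a file from the
    results" option); `min_matches` is the minimum number of content violations.
    """
    if exclude and re.search(exclude, text):
        return []
    matches = list(pattern.finditer(text))
    if len(matches) < min_matches:
        return []
    return [mask_violation(text, m, context, unmask_last4) for m in matches]


if __name__ == "__main__":
    for snippet in inspect_content(SAMPLE_TEXT, min_matches=2, unmask_last4=True):
        print(snippet)
```

Note that the other card number inside a match's context is reduced to "#" rather than "X": only the matched violation itself is X-masked, so a snippet never reveals a neighbouring number.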

File queries

To make investigation even simpler, you can now create custom queries and save them for later use.

  1. In the File page, use the filters as described above to drill down into your apps as necessary.

  2. After you've finished building your query, click the Save as button in the top right corner of the filters.

  3. In the Save query pop-up, name your query.

  4. To use this query again in the future, under Queries, scroll down to Saved queries and select your query.

Next steps

If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.