Reviewing and Responding to DLP Alerts – Implementing Microsoft Purview data loss prevention (DLP)

In Chapter 10, Implementing Microsoft Purview Information Protection and Data Lifecycle Management, and so far in this chapter, you’ve learned how Microsoft’s information protection and DLP features can be used to detect sensitive information in your organization and then both classify and protect it. For example, when sending sensitive information through email, a DLP policy applied to Exchange Online can be used to cause Outlook to display a policy tip, as shown in Figure 11.25:

Figure 11.25 – Policy tip test

What happens, though, when users ignore the policy tip warning and send sensitive data anyway? That depends on the alert settings in your DLP policy.

Organizations with any subscription can create DLP alerts that are triggered on every matching activity. Organizations with A5, E5, or G5 subscriptions or an Office 365 Advanced Threat Protection Plan 2, Microsoft 365 E5 Compliance, or Microsoft 365 eDiscovery and Audit add-on license can configure aggregated alerts—meaning that DLP alerts will only show up based on a certain threshold.

DLP alerts show up in three places:

  • Microsoft Purview compliance portal | Data loss prevention | Alerts: Only DLP-related events and alerts
  • Microsoft Purview compliance portal | Alerts: All events and alerts in the compliance portal, including DLP alerts
  • Microsoft 365 Defender portal | Incidents & alerts | Alerts: All security-related events and alerts, including DLP alerts

In addition to those alert views, the event data is also surfaced in the following ways:

  • Microsoft Purview compliance portal | Data loss prevention | Activity explorer: All compliance activity, including DLP policy activity
  • Microsoft Purview compliance portal | Data classification | Activity explorer: All compliance activity, including DLP policy activity
  • Microsoft 365 Defender portal | Incidents & alerts | Incidents: DLP alerts as exfiltration incidents
  • Microsoft Purview compliance portal | Audit log: All activity and events in Microsoft 365, including DLP policy activity

In this last section of the book, you’ll look at activities you can perform in these areas to both review and respond to DLP events.
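The audit log entry in the list above can also be read from Exchange Online PowerShell. The following is an added example, not code from the book, that summarizes DLP rule matches per user, policy, and severity. The sample records, user names, and policy names are constructed, and the `AuditData` field names (`PolicyDetails`, `Rules`, `Severity`, `ExchangeMetaData`) are assumed to follow the DLP schema of the Office 365 Management Activity API, so check them against records from your own tenant.

```powershell
# Added example (not from the book): summarise DLP rule matches in audit records.
# In a tenant the records come from Exchange Online PowerShell, for example:
#   Connect-ExchangeOnline
#   $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) `
#       -EndDate (Get-Date) -RecordType ComplianceDLPExchange -ResultSize 5000

# Builds a constructed sample record so the script runs offline (hypothetical helper).
function New-SampleDlpRecord {
    param($User, $Subject, $Policy, $Rule, $Severity, $Operation = 'DlpRuleMatch')
    $audit = @{
        Operation        = $Operation
        UserId           = $User
        ExchangeMetaData = @{ Subject = $Subject }
        PolicyDetails    = @(@{
            PolicyName = $Policy
            Rules      = @(@{ RuleName = $Rule; Severity = $Severity })
        })
    }
    [pscustomobject]@{
        CreationDate = Get-Date
        UserIds      = $User
        Operations   = $Operation
        AuditData    = $audit | ConvertTo-Json -Depth 6 -Compress
    }
}

$records = @(
    New-SampleDlpRecord 'adele@contoso.example' 'Payroll export' 'Sample Financial Policy' 'Card numbers' 'High'
    New-SampleDlpRecord 'adele@contoso.example' 'Payroll export v2' 'Sample Financial Policy' 'Card numbers' 'High'
    New-SampleDlpRecord 'alex@contoso.example' 'Customer list' 'Sample Privacy Policy' 'National IDs' 'Medium'
    New-SampleDlpRecord 'alex@contoso.example' 'Customer list' 'Sample Privacy Policy' 'National IDs' 'Medium' 'DlpRuleUndo'
)

# Flattens each DlpRuleMatch record into one row per matched rule.
function Get-DlpMatchSummary {
    param([object[]] $AuditRecord)
    foreach ($r in $AuditRecord) {
        if ($r.Operations -ne 'DlpRuleMatch') { continue }   # skip undo/info events
        $data = $r.AuditData | ConvertFrom-Json               # AuditData is a JSON string
        foreach ($policy in $data.PolicyDetails) {
            foreach ($rule in $policy.Rules) {
                [pscustomobject]@{ Time = $r.CreationDate; User = $data.UserId
                    Policy = $policy.PolicyName; Rule = $rule.RuleName
                    Severity = $rule.Severity; Subject = $data.ExchangeMetaData.Subject }
            }
        }
    }
}

# Users who repeatedly trigger the same policy sort to the top.
Get-DlpMatchSummary -AuditRecord $records | Group-Object User, Policy, Severity |
    Sort-Object Count -Descending | Select-Object Count, Name
```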