Section 7 – Implement DLP – Monitor and manage DLP activities

Analyze DLP reports

DLP transmits a substantial volume of data to Microsoft Purview, encompassing monitoring, policy matches, user activities, and subsequent actions. To effectively refine your policies and assess actions on sensitive items, you must engage with and respond to this data. Initially, telemetry enters the Audit Logs in the Microsoft Purview compliance portal, undergoes processing, and is subsequently directed to various reporting tools, each serving a distinct purpose.

All alerts and your interaction with them go through these six steps.

This table summarizes the different phases of managing Microsoft Purview Data Loss Prevention (DLP) alerts, including the actions taken at each stage and the considerations for policy tuning.

TriggerThe DLP alert is initiated when predefined policy conditions are met. The policy-defined actions, including alert generation, may be triggered.
NotifyGenerated alerts are sent to the Microsoft 365 Defender portal and the DLP alert management dashboard. Users, administrators, and stakeholders can receive notifications through email.
TriageDuring this phase, the alert is analyzed to determine its validity (true or false positive). The alert’s priority, owner, and severity are set based on the impact on the organization. False positives may lead to user unblocking.
InvestigateThe assigned owner investigates the alert, correlates evidence, identifies the cause and impact, and devises a remediation plan. Tools like the Microsoft 365 Defender portal, DLP alert management dashboard, and Activity explorer are used.
RemediateRemediation actions are taken based on the alert’s accuracy, severity, and impact. Options include monitoring, user education, policy actions, and integrating with Microsoft Purview Insider Risk Management for user risk monitoring.
TunePeriodic policy adjustments are made to maintain effectiveness as data estate and business requirements evolve. Key aspects for tuning include policy scope, matching conditions, actions, and notifications.

Analyze DLP activities by using Activity explorer

You can access the most recent 30 days of DLP data within the Activity Explorer by applying these built-in filters:

  • Endpoint DLP events
  • Files with sensitive information types
  • Outbound data transfer events
  • DLP policies that identified incidents
  • DLP policy regulations that triggered alerts
Activity TypesSourceExamples
Sensitivity LabelMicrosoft Office, Azure Information Protection, SharePoint, Exchange, OneDrive– Label applied – Label changed (upgraded, downgraded, or removed) – Autolabeling simulation – File read
Azure Information Protection (AIP) Labeling ActivityAIP Scanner and AIP clients– Protection applied – Protection changed – Protection removed – Files discovered
Endpoint Data Loss Prevention (DLP)Exchange, SharePoint, OneDrive, Teams Chat and Channel, On-premises SharePoint, On-premises file shares, Windows 10, Windows 11, macOS– Deletion – Creation – Copy to clipboard – Modify – Read – Print – Rename – Copy to network share – Access by an unallowed app

The Activity Explorer gathers a range of activities from various sources, such as sensitivity labeling, AIP activities, and Endpoint DLP events. These activities offer insights into the actions taken on files and content, aiding in the evaluation of the effectiveness of implemented controls and policies. Additionally, there are specific notes regarding monitoring limitations and reporting behaviors for false positives in Teams DLP verdicts.

Remediate DLP alerts in the Microsoft Purview compliance portal

This table summarizes the key aspects of DLP alert generation and management, including where alerts are triggered, how they are managed in the DLP Alerts dashboard, the extended capabilities in the Microsoft 365 Defender portal, alert retention periods, and a note about administrative unit restricted admins.

AspectDLP Alert Generation and Management
Alert TriggeringWhen a user takes an action that aligns with the criteria specified in a DLP policy and you have configured Incident reports to generate alerts, DLP generates an alert.
Alert Handling in DLP Alerts DashboardThe generated alert is placed in the DLP Alerts dashboard, where you can investigate, triage, specify investigation status, and monitor the progress towards resolution.
Additional Functionality in Microsoft 365 Defender PortalDLP alerts are not only accessible in the DLP Alerts dashboard but also routed to the Microsoft 365 Defender portal. In the Defender portal, you can perform all the tasks available in the DLP Alerts dashboard and access further capabilities.
Alert RetentionIt’s important to note that DLP alerts are retained for different durations in these two locations: – In the Microsoft 365 Defender portal, DLP alerts are retained for six months. – In the Microsoft Purview DLP alerts dashboard, they are available for 30 days.
Administrative Unit RestrictionsIf you are an administrative unit restricted admin, you’ll have visibility into DLP alerts only for your specific administrative unit.

The process of generating alerts varies between emails and SharePoint or OneDrive items. In the case of SharePoint and OneDrive, DLP actively scans both existing and newly created items, issuing alerts whenever a match with the policy criteria is detected. On the other hand, in Exchange, DLP scans newly received email messages and generates alerts when a policy match occurs. Notably, DLP does not perform scanning or matching for email items that existed prior in a mailbox or archive.

Information to AccessCorresponding Activity
User overridesDLP rule undo
Items that match a DLP ruleDLP rule matched

Additionally, you can access DLP reports using the following cmdlets in the Security & Compliance PowerShell:

  • Connect to Security & Compliance PowerShell
  • Utilize the following cmdlets:
    • Get-DlpDetailReport
    • Get-DlpDetectionsReport
    • Get-DlpSiDetectionsReport

However, since DLP reports require data retrieval from various sources within Microsoft 365, including Exchange, you can access the following cmdlets for DLP reports in Exchange PowerShell:

  • Connect to Exchange PowerShell
  • Employ these cmdlets:
    • Get-DlpDetailReport
    • Get-MailDetailDlpPolicyReport

Investigate DLP alerts in the Microsoft 365 Defender portal

This table summarizes the actions and steps for managing incidents and alerts within the Microsoft 365 Defender portal, including incident filtering, alert details, content inspection, advanced hunting, and remediation options.

Access Incidents in Microsoft 365 DefenderNavigate to the Microsoft 365 Defender portal and select “Incidents” in the left-hand navigation menu to access the incidents page.
Filter Incidents by DLP AlertsClick on “Filters” at the top right corner and choose “Service Source: Data Loss Prevention” to display all incidents associated with DLP alerts.
Search for Specific DLP Alerts and IncidentsLocate DLP alerts and incidents by searching for the DLP policy name associated with the alerts and incidents of interest.
View Incident SummaryTo view the summary page of a specific incident, select the incident from the queue. Similarly, select an alert to access the DLP alert page.
Explore Alert DetailsAccess the “Alert story” for comprehensive information about the policy and the sensitive information types detected in the alert. Review the “Related Events” section for user activity details.
Inspect Sensitive Content and File DetailsExamine matched sensitive content in the “Sensitive info types” tab and file content in the “Source” tab (permissions required).
Utilize Advanced Hunting for InvestigationUse “Advanced Hunting” to search through audit logs for user, files, and site locations. The “CloudAppEvents” table contains audit logs from various locations such as SharePoint, OneDrive, Exchange, and Devices.
Email Alert RemediationIf the alert pertains to an email message, you can download the message by selecting “Actions” > “Download email.”
File Alert Remediation in SharePoint or OneDriveFor alerts involving files in SharePoint Online or OneDrive for Business, you can perform actions like applying retention labels, unsharing, deleting, applying sensitivity labels, downloading (permissions required), or withdrawing feedback.
Access User Details for RemediationFor remediation actions, select the “User card” located at the top of the alert page to access user-specific details.

Remediate DLP alerts generated by Defender for Cloud Apps

In the previous Sections we created the File policy for Cloud Apps that will discover content with Data Classification Service ( and Sensitivity information types called “My demo”

Once there is a hit, you will see it under “View all matches”

Once you expand the all matches view, you can dig deeper to the results.

Full list of if actions you can take for the content

In example you can see the hierarchy of the matched content

And basically the Remediation tasks you can take are these.

As a recap, This table outlines notifications.

Notification TypesDescription
AlertsAlerts can be initiated within the system and subsequently delivered via email, based on their respective severity levels.
User Email NotificationCustomizable email messages will be sent to all file owners who violate specific policies.
Notify Specific UsersNotifications can be directed to a specific list of email addresses, ensuring that these designated recipients receive the notifications.
Notify Last File EditorNotifications are sent to the last individual who modified the file, offering a targeted approach to communication.
Governance Actions in AppsIndividualized actions can be enforced on a per-app basis, with specific actions varying depending on the terminology and functionality of each app.

And this table labeling, and governance actions that can be taken within the system, including their descriptions and specific capabilities.

Labeling ActionsDescription
Apply LabelThe option to assign a Microsoft Purview Information Protection sensitivity label to a file.
Remove LabelThe ability to remove a Microsoft Purview Information Protection sensitivity label from a file.
Change SharingA range of sharing-related actions: – Remove Public Sharing: Restrict access to named collaborators only. – Remove External Users: Limit access to company users. – Make Private: Restrict access to Site Admins only. – Remove a Collaborator: Eliminate specific collaborators’ access. – Reduce Public Access: Limit public availability to shared links. – Expire Shared Link: Set an expiration date for shared links. – Change Sharing Link Access Level: Modify the access level of shared links between company, collaborators, and public.
Quarantine ActionsOptions for file quarantine: – Put in User Quarantine: Allow self-service by moving the file to a user-controlled quarantine folder. – Put in Admin Quarantine: Move the file to quarantine within the admin drive, requiring admin approval.
Permissions InheritanceThis governance action enables the removal of specific permissions assigned to a file or folder in Microsoft 365, reverting to the permissions set for the parent folder.
TrashMove the file to the trash folder in supported platforms such as Box, Dropbox, Google Drive, OneDrive, SharePoint, and Cisco Webex.


Like before, let’s see what we covered in this section.

DLP process

TriggerDLP alerts initiation based on policy conditions, potentially triggering alert generation.
NotifyDispatching alerts to the Microsoft 365 Defender portal, DLP alert dashboard, and email notifications to users and administrators.
TriageAnalyzing alerts for validity, setting priorities, and owners, with potential user unblocking for false positives.
InvestigateInvestigation by the assigned owner, including evidence correlation, cause, and impact assessment, and remediation plan development using various tools.
RemediateTaking actions based on alert accuracy, severity, and impact, such as monitoring, education, policy actions, or integration with Insider Risk Management.
TunePeriodic policy adjustments to match evolving data and business needs, focusing on policy scope, matching conditions, actions, and notifications.

You can access the most recent 30 days of DLP data within the Activity Explorer by applying these built-in filters:

  • Endpoint DLP events
  • Files with sensitive information types
  • Outbound data transfer events
  • DLP policies that identified incidents
  • DLP policy regulations that triggered alerts

Microsoft Purview compliance portal

AspectDLP Alert Generation and Management
Alert TriggeringDLP generates alerts when policy criteria are met and Incident reports are configured.
Alert Handling in DLP Alerts DashboardAlerts are placed in the DLP Alerts dashboard for investigation and triage.
Additional Functionality in Microsoft 365 Defender PortalAlerts are accessible in the Defender portal with expanded capabilities.
Alert RetentionDLP alerts are retained for six months in the Defender portal and 30 days in the Purview DLP dashboard.
Administrative Unit RestrictionsRestricted admins see alerts for their specific unit.

You can also use M365 Defender to remediate DLP Alerts

The actions you can take inside Cloud Apps

Labeling ActionsDescription
Apply LabelAssign a sensitivity label to a file.
Remove LabelRemove a sensitivity label from a file.
Change SharingAlter sharing settings, including public access, expiration, and access levels.
Quarantine ActionsOptions for file quarantine, allowing user or admin control.
Permissions InheritanceRemove specific file permissions, reverting to parent folder settings.
TrashMove files to a trash folder in supported platforms.

Link to main post

Author: Harri Jaakkonen

Leave a Reply

Your email address will not be published. Required fields are marked *