Table of Contents
Analyze DLP reports
DLP transmits a substantial volume of data to Microsoft Purview, encompassing monitoring, policy matches, user activities, and subsequent actions. To effectively refine your policies and assess actions on sensitive items, you must engage with and respond to this data. Initially, telemetry enters the Audit Logs in the Microsoft Purview compliance portal, undergoes processing, and is subsequently directed to various reporting tools, each serving a distinct purpose.
All alerts and your interaction with them go through these six steps.
This table summarizes the different phases of managing Microsoft Purview Data Loss Prevention (DLP) alerts, including the actions taken at each stage and the considerations for policy tuning.
| Phase | Description |
|---|---|
| Trigger | The DLP alert is initiated when predefined policy conditions are met. The policy-defined actions, including alert generation, may be triggered. |
| Notify | Generated alerts are sent to the Microsoft 365 Defender portal and the DLP alert management dashboard. Users, administrators, and stakeholders can receive notifications through email. |
| Triage | During this phase, the alert is analyzed to determine its validity (true or false positive). The alert’s priority, owner, and severity are set based on the impact on the organization. False positives may lead to user unblocking. |
| Investigate | The assigned owner investigates the alert, correlates evidence, identifies the cause and impact, and devises a remediation plan. Tools like the Microsoft 365 Defender portal, DLP alert management dashboard, and Activity explorer are used. |
| Remediate | Remediation actions are taken based on the alert’s accuracy, severity, and impact. Options include monitoring, user education, policy actions, and integrating with Microsoft Purview Insider Risk Management for user risk monitoring. |
| Tune | Periodic policy adjustments are made to maintain effectiveness as data estate and business requirements evolve. Key aspects for tuning include policy scope, matching conditions, actions, and notifications. |
Analyze DLP activities by using Activity explorer
You can access the most recent 30 days of DLP data within the Activity Explorer by applying these built-in filters:
- Endpoint DLP events
- Files with sensitive information types
- Outbound data transfer events
- DLP policies that identified incidents
- DLP policy regulations that triggered alerts
| Activity Types | Source | Examples |
|---|---|---|
| Sensitivity Label | Microsoft Office, Azure Information Protection, SharePoint, Exchange, OneDrive | – Label applied – Label changed (upgraded, downgraded, or removed) – Autolabeling simulation – File read |
| Azure Information Protection (AIP) Labeling Activity | AIP Scanner and AIP clients | – Protection applied – Protection changed – Protection removed – Files discovered |
| Endpoint Data Loss Prevention (DLP) | Exchange, SharePoint, OneDrive, Teams Chat and Channel, On-premises SharePoint, On-premises file shares, Windows 10, Windows 11, macOS | – Deletion – Creation – Copy to clipboard – Modify – Read – Print – Rename – Copy to network share – Access by an unallowed app |
The Activity Explorer gathers a range of activities from various sources, such as sensitivity labeling, AIP activities, and Endpoint DLP events. These activities offer insights into the actions taken on files and content, aiding in the evaluation of the effectiveness of implemented controls and policies. Additionally, there are specific notes regarding monitoring limitations and reporting behaviors for false positives in Teams DLP verdicts.
Remediate DLP alerts in the Microsoft Purview compliance portal
This table summarizes the key aspects of DLP alert generation and management, including where alerts are triggered, how they are managed in the DLP Alerts dashboard, the extended capabilities in the Microsoft 365 Defender portal, alert retention periods, and a note about administrative unit restricted admins.
| Aspect | DLP Alert Generation and Management |
|---|---|
| Alert Triggering | When a user takes an action that aligns with the criteria specified in a DLP policy and you have configured Incident reports to generate alerts, DLP generates an alert. |
| Alert Handling in DLP Alerts Dashboard | The generated alert is placed in the DLP Alerts dashboard, where you can investigate, triage, specify investigation status, and monitor the progress towards resolution. |
| Additional Functionality in Microsoft 365 Defender Portal | DLP alerts are not only accessible in the DLP Alerts dashboard but also routed to the Microsoft 365 Defender portal. In the Defender portal, you can perform all the tasks available in the DLP Alerts dashboard and access further capabilities. |
| Alert Retention | It’s important to note that DLP alerts are retained for different durations in these two locations: – In the Microsoft 365 Defender portal, DLP alerts are retained for six months. – In the Microsoft Purview DLP alerts dashboard, they are available for 30 days. |
| Administrative Unit Restrictions | If you are an administrative unit restricted admin, you’ll have visibility into DLP alerts only for your specific administrative unit. |
The process of generating alerts varies between emails and SharePoint or OneDrive items. In the case of SharePoint and OneDrive, DLP actively scans both existing and newly created items, issuing alerts whenever a match with the policy criteria is detected. On the other hand, in Exchange, DLP scans newly received email messages and generates alerts when a policy match occurs. Notably, DLP does not perform scanning or matching for email items that existed prior in a mailbox or archive.
| Information to Access | Corresponding Activity |
|---|---|
| User overrides | DLP rule undo |
| Items that match a DLP rule | DLP rule matched |
Additionally, you can access DLP reports using the following cmdlets in the Security & Compliance PowerShell:
- Connect to Security & Compliance PowerShell
- Utilize the following cmdlets:
- Get-DlpDetailReport
- Get-DlpDetectionsReport
- Get-DlpSiDetectionsReport
However, since DLP reports require data retrieval from various sources within Microsoft 365, including Exchange, you can access the following cmdlets for DLP reports in Exchange PowerShell:
- Connect to Exchange PowerShell
- Employ these cmdlets:
- Get-DlpDetailReport
- Get-MailDetailDlpPolicyReport
Investigate DLP alerts in the Microsoft 365 Defender portal
This table summarizes the actions and steps for managing incidents and alerts within the Microsoft 365 Defender portal, including incident filtering, alert details, content inspection, advanced hunting, and remediation options.
| Action | Description |
|---|---|
| Access Incidents in Microsoft 365 Defender | Navigate to the Microsoft 365 Defender portal and select “Incidents” in the left-hand navigation menu to access the incidents page. |
| Filter Incidents by DLP Alerts | Click on “Filters” at the top right corner and choose “Service Source: Data Loss Prevention” to display all incidents associated with DLP alerts. |
| Search for Specific DLP Alerts and Incidents | Locate DLP alerts and incidents by searching for the DLP policy name associated with the alerts and incidents of interest. |
| View Incident Summary | To view the summary page of a specific incident, select the incident from the queue. Similarly, select an alert to access the DLP alert page. |
| Explore Alert Details | Access the “Alert story” for comprehensive information about the policy and the sensitive information types detected in the alert. Review the “Related Events” section for user activity details. |
| Inspect Sensitive Content and File Details | Examine matched sensitive content in the “Sensitive info types” tab and file content in the “Source” tab (permissions required). |
| Utilize Advanced Hunting for Investigation | Use “Advanced Hunting” to search through audit logs for user, files, and site locations. The “CloudAppEvents” table contains audit logs from various locations such as SharePoint, OneDrive, Exchange, and Devices. |
| Email Alert Remediation | If the alert pertains to an email message, you can download the message by selecting “Actions” > “Download email.” |
| File Alert Remediation in SharePoint or OneDrive | For alerts involving files in SharePoint Online or OneDrive for Business, you can perform actions like applying retention labels, unsharing, deleting, applying sensitivity labels, downloading (permissions required), or withdrawing feedback. |
| Access User Details for Remediation | For remediation actions, select the “User card” located at the top of the alert page to access user-specific details. |
Remediate DLP alerts generated by Defender for Cloud Apps
In the previous Sections we created the File policy for Cloud Apps that will discover content with Data Classification Service (https://learn.microsoft.com/en-us/defender-cloud-apps/dcs-inspection) and Sensitivity information types called “My demo”
Once there is a hit, you will see it under “View all matches”
Once you expand the all matches view, you can dig deeper to the results.
Full list of if actions you can take for the content
In example you can see the hierarchy of the matched content
And basically the Remediation tasks you can take are these.
As a recap, This table outlines notifications.
| Notification Types | Description |
|---|---|
| Alerts | Alerts can be initiated within the system and subsequently delivered via email, based on their respective severity levels. |
| User Email Notification | Customizable email messages will be sent to all file owners who violate specific policies. |
| Notify Specific Users | Notifications can be directed to a specific list of email addresses, ensuring that these designated recipients receive the notifications. |
| Notify Last File Editor | Notifications are sent to the last individual who modified the file, offering a targeted approach to communication. |
| Governance Actions in Apps | Individualized actions can be enforced on a per-app basis, with specific actions varying depending on the terminology and functionality of each app. |
And this table labeling, and governance actions that can be taken within the system, including their descriptions and specific capabilities.
| Labeling Actions | Description |
|---|---|
| Apply Label | The option to assign a Microsoft Purview Information Protection sensitivity label to a file. |
| Remove Label | The ability to remove a Microsoft Purview Information Protection sensitivity label from a file. |
| Change Sharing | A range of sharing-related actions: – Remove Public Sharing: Restrict access to named collaborators only. – Remove External Users: Limit access to company users. – Make Private: Restrict access to Site Admins only. – Remove a Collaborator: Eliminate specific collaborators’ access. – Reduce Public Access: Limit public availability to shared links. – Expire Shared Link: Set an expiration date for shared links. – Change Sharing Link Access Level: Modify the access level of shared links between company, collaborators, and public. |
| Quarantine Actions | Options for file quarantine: – Put in User Quarantine: Allow self-service by moving the file to a user-controlled quarantine folder. – Put in Admin Quarantine: Move the file to quarantine within the admin drive, requiring admin approval. |
| Permissions Inheritance | This governance action enables the removal of specific permissions assigned to a file or folder in Microsoft 365, reverting to the permissions set for the parent folder. |
| Trash | Move the file to the trash folder in supported platforms such as Box, Dropbox, Google Drive, OneDrive, SharePoint, and Cisco Webex. |
Closure
Like before, let’s see what we covered in this section.
DLP process
| Phase | Description |
|---|---|
| Trigger | DLP alerts initiation based on policy conditions, potentially triggering alert generation. |
| Notify | Dispatching alerts to the Microsoft 365 Defender portal, DLP alert dashboard, and email notifications to users and administrators. |
| Triage | Analyzing alerts for validity, setting priorities, and owners, with potential user unblocking for false positives. |
| Investigate | Investigation by the assigned owner, including evidence correlation, cause, and impact assessment, and remediation plan development using various tools. |
| Remediate | Taking actions based on alert accuracy, severity, and impact, such as monitoring, education, policy actions, or integration with Insider Risk Management. |
| Tune | Periodic policy adjustments to match evolving data and business needs, focusing on policy scope, matching conditions, actions, and notifications. |
You can access the most recent 30 days of DLP data within the Activity Explorer by applying these built-in filters:
- Endpoint DLP events
- Files with sensitive information types
- Outbound data transfer events
- DLP policies that identified incidents
- DLP policy regulations that triggered alerts
Microsoft Purview compliance portal
| Aspect | DLP Alert Generation and Management |
|---|---|
| Alert Triggering | DLP generates alerts when policy criteria are met and Incident reports are configured. |
| Alert Handling in DLP Alerts Dashboard | Alerts are placed in the DLP Alerts dashboard for investigation and triage. |
| Additional Functionality in Microsoft 365 Defender Portal | Alerts are accessible in the Defender portal with expanded capabilities. |
| Alert Retention | DLP alerts are retained for six months in the Defender portal and 30 days in the Purview DLP dashboard. |
| Administrative Unit Restrictions | Restricted admins see alerts for their specific unit. |
You can also use M365 Defender to remediate DLP Alerts
The actions you can take inside Cloud Apps
| Labeling Actions | Description |
|---|---|
| Apply Label | Assign a sensitivity label to a file. |
| Remove Label | Remove a sensitivity label from a file. |
| Change Sharing | Alter sharing settings, including public access, expiration, and access levels. |
| Quarantine Actions | Options for file quarantine, allowing user or admin control. |
| Permissions Inheritance | Remove specific file permissions, reverting to parent folder settings. |
| Trash | Move files to a trash folder in supported platforms. |
Link to main post
RSS - Posts