Data loss prevention activity logging
Warning
The schema documented in this article is deprecated and won't be available starting in July 2024. You can use the new schema available at Activity category: Data policy events.
Note
Activity logging for data loss protection policies is not currently available in sovereign clouds.
Data loss protection (DLP) policy activities are tracked from the Microsoft 365 Security and Compliance Center.
To log DLP activities, follow these steps:
1. Sign in to the Security & Compliance center as a tenant admin.
2. Select Search > Audit log search.
3. Under Search > Activities, enter dlp. A list of activities appears.
4. Select an activity, select outside the search window to close it, and then select Search.
On the Audit log search screen, you can search audit logs across many popular services including eDiscovery, Exchange, Power BI, Microsoft Entra ID, Microsoft Teams, customer engagement apps (Dynamics 365 Sales, Dynamics 365 Customer Service, Dynamics 365 Field Service, Dynamics 365 Marketing, and Dynamics 365 Project Service Automation), and Microsoft Power Platform.
After you access Audit log search, you can filter for specific activities by expanding Activities and then scrolling to find the section dedicated to Microsoft Power Platform activities.
What DLP events are audited
The following are the user actions you can audit:
- Created DLP Policy: When a new DLP policy is created
- Updated DLP Policy: When an existing DLP policy is updated
- Deleted DLP Policy: When a DLP policy is deleted
Base schema for DLP audit events
Schemas define which fields are sent to the Microsoft 365 Security and Compliance Center. Some fields are common to all applications that send audit data to Microsoft 365, while others are specific to DLP policies. In the following table, Name and Additional Info are the DLP policy–specific columns.
Field name | Type | Mandatory | Description |
---|---|---|---|
Date | Edm.Date | No | Date and time of when the log was generated in UTC |
App Name | Edm.String | No | Unique Identifier of the PowerApp |
Id | Edm.Guid | No | Unique GUID for every row logged |
Result Status | Edm.String | No | Status of the row logged. Success in most cases. |
Organization Id | Edm.Guid | Yes | Unique identifier of the organization from which the log was generated. |
CreationTime | Edm.Date | No | Date and time of when the log was generated in UTC |
Operation | Edm.Date | No | Name of operation |
UserKey | Edm.String | No | Unique Identifier of the User in Microsoft Entra ID |
UserType | Self.UserType | No | The audit type (Admin, Regular, System) |
Additional Info | Edm.String | No | More information if any (e.g. the environment name) |
Additional Info
The Additional Info field is a JSON object that contains operation-specific properties. For a DLP policy operation, it contains the following properties.
Field name | Type | Mandatory? | Description |
---|---|---|---|
PolicyId | Edm.Guid | Yes | The GUID of the policy. |
PolicyType | Edm.String | Yes | The policy type. Allowed values are AllEnvironments, SingleEnvironment, OnlyEnvironments, or ExceptEnvironments. |
DefaultConnectorClassification | Edm.String | Yes | The default connector classification. Allowed values are General, Blocked, or Confidential. |
EnvironmentName | Edm.String | No | The name (GUID) of the environment. This is only present for SingleEnvironment policies. |
ChangeSet | Edm.String | No | Changes made to the policy. These are only present for update operations. |
The following is an example of the Additional Info JSON for a create or delete event.
{
  "policyId": "1aaaaaa1-2bb2-3cc3-4dd4-5eeeeeeeeee5",
  "policyType": "SingleEnvironment",
  "defaultConnectorClassification": "General",
  "environmentName": "8a11a4a6-d8a4-4c47-96d7-3c2a60efe2f5"
}
The following is an example of the Additional Info JSON for an update operation that:
- Changes the policy name from oldPolicyName to newPolicyName.
- Changes the default classification from General to Confidential.
- Changes the policy type from OnlyEnvironments to ExceptEnvironments.
- Moves the Azure Blob Storage connector from the General to the Confidential bucket.
- Moves the Bing Maps connector from the General to the Blocked bucket.
- Moves the Azure Automation connector from the Confidential to the Blocked bucket.
{
  "policyId": "1aaaaaa1-2bb2-3cc3-4dd4-5eeeeeeeeee5",
  "policyType": "ExceptEnvironments",
  "defaultConnectorClassification": "Confidential",
  "changeSet": {
    "changedProperties": [
      {
        "name": "ApiPolicyName",
        "previousValue": "oldPolicyName",
        "currentValue": "newPolicyName"
      },
      {
        "name": "DefaultConnectorClassification",
        "previousValue": "General",
        "currentValue": "Confidential"
      },
      {
        "name": "DlpPolicyType",
        "previousValue": "OnlyEnvironments",
        "currentValue": "ExceptEnvironments"
      }
    ],
    "connectorChanges": [
      {
        "name": "Azure Blob Storage",
        "id": "/providers/Microsoft.PowerApps/apis/shared_azureblob",
        "previousValue": {
          "classification": "General"
        },
        "currentValue": {
          "classification": "Confidential"
        }
      },
      {
        "name": "Bing Maps",
        "id": "/providers/Microsoft.PowerApps/apis/shared_bingmaps",
        "previousValue": {
          "classification": "General"
        },
        "currentValue": {
          "classification": "Blocked"
        }
      },
      {
        "name": "Azure Automation",
        "id": "/providers/Microsoft.PowerApps/apis/shared_azureautomation",
        "previousValue": {
          "classification": "Confidential"
        },
        "currentValue": {
          "classification": "Blocked"
        }
      }
    ]
  }
}
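The following added example (not part of the original article and not Microsoft code) parses an Additional Info JSON string in the camelCase shape shown above, checks it against the allowed values from the tables, and flattens the change set into records an analyst can review. The function name `triage_additional_info`, the labels `blocked`/`unblocked`/`regrouped`, and the handling of a string-encoded `changeSet` are assumptions made for this example.

```python
import json

# Allowed values and mandatory properties as listed in the tables on this page.
POLICY_TYPES = {"AllEnvironments", "SingleEnvironment", "OnlyEnvironments", "ExceptEnvironments"}
CLASSIFICATIONS = {"General", "Blocked", "Confidential"}
MANDATORY = ("policyId", "policyType", "defaultConnectorClassification")


def triage_additional_info(raw):
    """Return (findings, schema_errors) for one Additional Info JSON string."""
    info = json.loads(raw)
    errors = [f"missing {key}" for key in MANDATORY if key not in info]
    if info.get("policyType") not in POLICY_TYPES:
        errors.append(f"unexpected policyType: {info.get('policyType')!r}")
    if info.get("defaultConnectorClassification") not in CLASSIFICATIONS:
        errors.append("unexpected defaultConnectorClassification")
    change_set = info.get("changeSet") or {}  # absent on create and delete events
    if isinstance(change_set, str):  # assumption: may arrive JSON-encoded (table type is Edm.String)
        change_set = json.loads(change_set)
    findings = [("property", p["name"], p["previousValue"], p["currentValue"])
                for p in change_set.get("changedProperties", [])]
    for conn in change_set.get("connectorChanges", []):
        before = conn["previousValue"]["classification"]
        after = conn["currentValue"]["classification"]
        kind = "blocked" if after == "Blocked" else (
            "unblocked" if before == "Blocked" else "regrouped")
        findings.append((kind, conn["name"], before, after))
    return findings, errors


# Constructed sample: a shortened form of the update example on this page plus
# one made-up connector ("Example Connector") that leaves the Blocked bucket.
SAMPLE_UPDATE = json.dumps({
    "policyId": "1aaaaaa1-2bb2-3cc3-4dd4-5eeeeeeeeee5",
    "policyType": "ExceptEnvironments",
    "defaultConnectorClassification": "Confidential",
    "changeSet": {
        "changedProperties": [
            {"name": "DlpPolicyType", "previousValue": "OnlyEnvironments",
             "currentValue": "ExceptEnvironments"}],
        "connectorChanges": [
            {"name": "Bing Maps", "previousValue": {"classification": "General"},
             "currentValue": {"classification": "Blocked"}},
            {"name": "Example Connector", "previousValue": {"classification": "Blocked"},
             "currentValue": {"classification": "General"}}],
    },
})
```

Records labelled `unblocked` mark connectors that became usable again under the policy, so they are the natural first stop when reviewing an Updated DLP Policy event.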