Get started with the data loss prevention analytics
Microsoft Purview data loss prevention (DLP) analytics helps customers understand top data protection risks, blind spots, and policy and posture improvement opportunities in their organization. It can help you investigate these risks using intelligent Purview features, and mitigate them in a few simple steps.
This article introduces the concepts you need to be familiar with. Then, it walks you through the prerequisites and configuration steps you perform to start using DLP analytics.
Tip
Get started with Microsoft Security Copilot to explore new ways to work smarter and faster using the power of AI. Learn more about Microsoft Security Copilot in Microsoft Purview.
DLP analytics shows customers their top data loss risks and vulnerabilities and how to mitigate them through new or improved policies. It does this in three ways:
- It communicates the top item oversharing risks through the Risk Spotlighting card on the DLP overview page in the Microsoft Purview portal. Analytics reports on top risks, blind spots, and policy improvement opportunities based on data from the past 30 days.
- It helps prevent users from sharing additional sensitive information externally by letting you create new DLP policies with one click. Policy creation recommendations are based on industry best practices and the risks found in your tenant.
- It improves the accuracy of existing policies through the Policy Improvement card, also with one click.
Risks and recommendations are refreshed every week.
When DLP analytics is enabled, it scans signals on user activity, sensitive data sharing patterns, and policy information to generate insights that help you set up and refine DLP policies. It takes seven days to generate recommendations after you turn on DLP analytics.
Before you begin
Licensing
Before you start using DLP policies, confirm your Microsoft 365 subscription and any add-ons.
For information on licensing, see Microsoft 365, Office 365, Enterprise Mobility + Security, and Windows 11 Subscriptions for Enterprises.
Permissions
To see DLP analytics, your account must be assigned one of these two roles:
- Global admin
- Compliance Administrator
Important
Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should only be used in scenarios where a lesser privileged role can't be used.
Enable DLP risk-detection analytics
Select the appropriate tab for the portal you're using. To learn more about the Microsoft Purview portal, see Microsoft Purview portal. To learn more about the Compliance portal, see Microsoft Purview compliance portal.
DLP analytics is turned off by default; you need to explicitly opt in. Once enabled, scans run every hour over the audit log data and policy data in your tenant.
Note
It takes seven days to start seeing analytics and recommendations in your tenant once analytics are re-enabled.
Sign in to the Microsoft Purview portal > Data loss prevention > Overview.
Check the Turn on analytics for risk detection and policy refinement opportunities (preview) option.
Select Turn on analytics.
Disable DLP analytics
After disabling DLP analytics, it can take up to 24 hours for the insights to stop appearing on the Data loss prevention Overview page.
Sign in to the Microsoft Purview portal > Settings (gear in the menu bar) > Data Loss Prevention > Analytics (preview).
Set the Activate analytics toggle to Off.
Viewing policies created by DLP analytics
Sign in to the Microsoft Purview portal > Data Loss Prevention > Policies.
Look for policy names in this format: RiskSpotlighting-YYYY-MM-DD.
Policies updated by DLP analytics
When you tell DLP analytics to update an existing policy, it makes all updates in a new version of the policy. The name of the original policy is appended with _copy and the original policy is turned off. The new version is then deployed. For example:
- There's a policy named All credit cards that is generating too many false positives.
- DLP analytics suggests changes to the policy to reduce false positives.
- You tell DLP analytics to update the policy.
- DLP analytics creates a new version of the policy named All credit cards.
- DLP analytics renames the original version of the policy to All credit cards_copy and sets its status to Keep it off.
- DLP analytics deploys the new version of the policy named All credit cards and sets its status to Turn it on.
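The rename-and-disable behavior above and the RiskSpotlighting-YYYY-MM-DD naming convention can be checked from PowerShell after an update. The following is an added example, not code from the article or from Microsoft; it runs offline against constructed policy objects, and it assumes that live objects returned by Get-DlpCompliancePolicy expose Name and Mode properties with the values used here.

```powershell
# Added example: verify the policy state DLP analytics is expected to leave behind.
# Assumption: live input comes from Get-DlpCompliancePolicy (Security & Compliance
# PowerShell); the Name and Mode property names are assumed to match its output.

function Test-DlpAnalyticsPolicyState {
    param([Parameter(Mandatory)][object[]]$Policies)

    $byName = @{}
    foreach ($p in $Policies) { $byName[$p.Name] = $p }
    $findings = @()

    # Every *_copy policy should be off and have an enabled replacement that
    # carries the original name; anything else is a coverage gap or a duplicate.
    foreach ($p in $Policies | Where-Object { $_.Name -like '*_copy' }) {
        $originalName = $p.Name -replace '_copy$', ''
        $replacement  = $byName[$originalName]
        if (-not $replacement) {
            $findings += "No replacement found for '$($p.Name)'; '$originalName' is missing."
        } elseif ($replacement.Mode -ne 'Enable') {
            $findings += "Replacement '$originalName' is not enabled (Mode=$($replacement.Mode))."
        }
        if ($p.Mode -ne 'Disable') {
            $findings += "Old version '$($p.Name)' is still active (Mode=$($p.Mode)); both versions may fire."
        }
    }

    # List policies DLP analytics created itself so they can be reviewed.
    foreach ($p in $Policies | Where-Object { $_.Name -match '^RiskSpotlighting-\d{4}-\d{2}-\d{2}$' }) {
        $findings += "Analytics-created policy '$($p.Name)' (Mode=$($p.Mode)); review its rules."
    }
    return $findings
}

# Constructed sample state (not real tenant data): one clean update, one stale copy.
$sample = @(
    [pscustomobject]@{ Name = 'All credit cards';            Mode = 'Enable'  },
    [pscustomobject]@{ Name = 'All credit cards_copy';       Mode = 'Disable' },
    [pscustomobject]@{ Name = 'HR data_copy';                Mode = 'Enable'  },
    [pscustomobject]@{ Name = 'RiskSpotlighting-2024-01-15'; Mode = 'TestWithoutNotifications' }
)
Test-DlpAnalyticsPolicyState -Policies $sample

# Live check (assumed, requires the ExchangeOnlineManagement module):
# Connect-IPPSSession; Test-DlpAnalyticsPolicyState -Policies (Get-DlpCompliancePolicy)
```

On the sample data the function reports the missing replacement and still-enabled state for HR data_copy and lists the RiskSpotlighting policy, while the All credit cards pair produces no finding.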