Delen via


Learn about evidence collection for file activities on devices

When you're investigating a Microsoft Purview Data Loss Prevention (DLP) incident or troubleshooting a DLP policy, it can be helpful to have a complete copy of the item that matched the policy to refer to. DLP can copy the item that matches a DLP policy from onboarded Windows devices to an Azure storage account. DLP incident investigators and administrators that have been granted the appropriate permissions on the Azure storage blob can then access the files.

To get started configuring and using the feature, see Get started with collecting files that match data loss prevention policies from devices.

Tip

Get started with Microsoft Security Copilot to explore new ways to work smarter and faster using the power of AI. Learn more about Microsoft Security Copilot in Microsoft Purview.

If you're new to Microsoft Purview DLP, here's a list of the core articles you need as you implement DLP:

  1. Administrative units
  2. Learn about Microsoft Purview Data Loss Prevention - This article introduces you to the data loss prevention discipline and Microsoft's implementation of DLP.
  3. Plan for data loss prevention (DLP) - by working through this article you will:
    1. Identify stakeholders
    2. Describe the categories of sensitive information to protect
    3. Set goals and strategy
  4. Data Loss Prevention policy reference - This article introduces all the components of a DLP policy and how each one influences the behavior of a policy.
  5. Design a DLP policy - This article walks you through creating a policy intent statement and mapping it to a specific policy configuration.
  6. Create and Deploy data loss prevention policies - This article presents some common policy intent scenarios that you'll map to configuration options, then it walks you through configuring those options.

Where evidence collection for file activities on devices fits in Purview

Endpoint DLP is part of the larger DLP offering and part of the larger range of services offered in Microsoft Purview. You should understand how evidence collection for file activities on devices fits into the larger set of service offerings.

Evidence collection for file activities on devices and eDiscovery

This feature makes copies of items that match DLP policies on onboarded Windows devices and places those copies in an Azure storage account. These copies aren't held in a changeless state and aren't evidence in the legal sense of the term. If you need to find and hold items for legal purposes, you should use the Microsoft Purview eDiscovery solutions. Electronic discovery, or eDiscovery, is the process of identifying and delivering electronic information that can be used as evidence in legal cases.

Evidence collection for file activities on devices and contextual summary

When an item and the activity that a user takes on that item match the conditions defined in a DLP policy, a DLPRuleMatch event shows up in Activity explorer. This is true for every location that DLP supports. The DLPRuleMatch event contains a limited amount of the text that surrounds the matched content. This limited amount of text is called contextual summary.

It's important to understand the difference between evidence collection for file activities on devices and a contextual summary. Evidence collection for file activities on devices is only available for onboarded Windows devices. It saves a copy of the entire item that matched a policy to the Azure storage account. A contextual summary is captured for every DLP policy rule match and only contains a limited amount of the text that surrounds the target text that triggered the match.

Covered user activities

You can configure evidence collection for file activities on devices to save a copy of a matched item to the Azure storage account when a user attempts to do one of these activities on a matched item:

  • Copy to a removable USB
  • Copy to network share
  • Print
  • Copy or move using unallowed Bluetooth app
  • Copy or move through RDP
  • Upload to cloud service domains or access from an unallowed browser
  • Paste to supported browsers

The detection of these activities is configured in the DLP policy. For more information on how to create a DLP policy, see, Create and Deploy data loss prevention policies and Using Endpoint data loss prevention.

Covered actions

When you enable evidence collection for file activities on devices in Endpoint DLP settings and configure a DLP policy to use this feature, it saves a copy of a matched item for these actions:

  • Audit only
  • Block with override
  • Block

These actions are configured in the DLP policy. For more information on how to create a DLP policy, see Create and Deploy data loss prevention policies and Using Endpoint data loss prevention.

Design considerations

Regions for your Azure Storage accounts

To comply with regulatory requirements, make sure that the Azure storage accounts that you use are in the same geopolitical or regulatory boundaries as the devices that they're being copied from. Also, be aware of the geopolitical location of the DLP investigators who will access the sensitive items once they're saved. Consider using Administrative units to scope the administration of the users and devices appropriately for each DLP policy. To learn how to use data loss prevention to comply with data privacy regulations, see Deploy information protection for data privacy regulations with Microsoft Purview. Evidence collection for file activities on devices supports up to 10 Azure storage accounts.

To learn how to use data loss prevention to comply with data privacy regulations, see Deploy information protection for data privacy regulations with Microsoft Purview.

Local storage and bandwidth

By default, copies of matched items are saved asynchronously to the configured Azure storage account over the existing network connection. If the device doesn't have connectivity, matched items are save locally, up to the 500-MB limit. You can save items locally up to 60 days.

While the device has connectivity to the Azure storage account URL, there's no limit on bandwidth usage. The bandwidth that evidence collection for file activities on devices uses doesn't affect the default or configured bandwidth limits for Advanced classification scanning and protection.

Azure storage accounts

Customers are responsible for creating and managing their own Azure storage accounts. If you're new to Azure storage, see:

Items that match a policy are copied from the users' device to the Azure storage account blob in the security context of the logged in user. So, all users who are in-scope for the policy must have read and write permission to the blob storage. For more information, see Get started with collecting files that match data loss prevention policies from devices

Similarly, all administrators who are reviewing the saved items must have read permission to the Azure storage account blob. For more information, see Get started with collecting files that match data loss prevention policies from devices.

Storing evidence when sensitive information is detected (preview)

Supported file types

For more information on supported file types, see Supported file types for storing and previewing evidence.

Supported storage types

You have two options for storing the evidence Purview collects when it detects sensitive information in your content. You can use a Customer-managed data store, or a Microsoft Managed data store (preview). The option you should use depends on your requirements and your use cases. To help you decide, review the comparison table that follows.

Storage type comparison

Matched files continue to be included in alert results even after changing your storage type as long as the role-based access control (RBAC) permissions remain intact. Since customer managed storage is owned by customers, DLP admins can continue to download files directly from the storage on a per-file basis.

The following table identifies the differences between customer-managed storage and Microsoft-managed storage for collecting evidence of the sensitive information detected in your content.

Feature Element Customer Managed Microsoft Managed (preview)
File retention You can keep files as long as you need/want to. Files are retained for a maximum of 120 days.
Endpoint settings You must add blob storage (container URLs) in the endpoint settings and then use the Microsoft Entra admin center to configure explicit user permissions on the blob for in-scope users. All configuration and permissions are handled with a single click when configuring your endpoint settings.
Policy and location configuration You must add and configure storage blobs on a per-policy basis for each location where a policy is applied. No storage selection is needed for specific policy locations.
Data store location/region Chosen by the customer The same region as your Microsoft Purview tenant.
Charges Storage costs are charged in addition to the cost of your Entra subscription. Storage cost today is included in E5. However, Microsoft will monitor storage usage and may charge additionally based on excessive usage. This will be communicated to customers separately should there be a change in the business model.
Network configuration You must allow the container URLs for your storage blobs to pass through your network firewall. You must include compliancedrive.microsoft.com on an "allow" list, so that it can pass through the network firewall.

Changing storage types

Customers can switch between storage types at any time. However, best practice is to carefully plan for the type of storage you'll need over the long term and select the appropriate option for your use case. For more information on the differences between the two types of storage, see the Storage type comparison table.

Note

When switching storage types, you'll need to refresh your policies to ensure that they are applied to the files in the new data store.

Impact of changing storage types on evidence files

Matched files continue to be included in alert results, even after you change the storage management type, provided that the role-based access control (RBAC) permissions do not change.

Because you own your customer-managed storage solution, your DLP admins can continue to download files directly on a per-file basis after they have been moved to the Microsoft-managed storage solution.

Next step

Your next step is to configure evidence collection for file activities on devices.

For more information, see Get started with collecting files that match data loss prevention policies from devices.