Learn about investigating data loss prevention alerts

This article introduces you to the alert investigation flow and the tools you can use to investigate DLP alerts.

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Before you begin

If you're new to Microsoft Purview DLP, here's a list of the core articles you should be familiar with as you implement your data loss prevention practice:

  1. Administrative units
  2. Learn about Microsoft Purview Data Loss Prevention: The article introduces you to the data loss prevention discipline and Microsoft's implementation of DLP.
  3. Plan for data loss prevention (DLP): By working through this article you will:
    1. Identify stakeholders
    2. Describe the categories of sensitive information to protect
    3. Set goals and strategy
  4. Data Loss Prevention policy reference: This article introduces all the components of a DLP policy and how each one influences the behavior of a policy.
  5. Design a DLP policy: This article walks you through creating a policy intent statement and mapping it to a specific policy configuration.
  6. Create and Deploy data loss prevention policies: Presents some common policy intent scenarios that you map to configuration options. It then walks you through configuring those options, and gives guidance on deploying a policy.
  7. Learn about investigating data loss prevention alerts: This article that you're reading now introduces you to the lifecycle of alerts from creation through final remediation and policy tuning. It also introduces you to the tools you use to investigate alerts.

The lifecycle of a DLP alert

All alerts and your interaction with them go through these six steps:

Trigger

The life of a Microsoft Purview Data Loss Prevention (DLP) alert starts when the conditions defined in the policy are matched. When a policy match occurs, the actions defined in the policy are triggered, which can include generating an alert if the policy is configured to do so.

DLP policies are typically configured to monitor for and generate alerts when:

  • Sensitive information, such as personally identifying data or intellectual property, is exfiltrated from your organization.
  • Sensitive information is shared inappropriately with people outside or inside your organization.
  • Users engage in risky activities, such as downloading sensitive information to removable media.

Notify

When an alert is generated, it's sent to the Microsoft Defender portal as an incident and the DLP alert management dashboard. DLP policies can be configured to send notifications to users, administrators, and other stakeholders via email.

In the notify phase Microsoft Purview:

  • Reports on DLP policy matches and user overrides.
  • You can use Activity explorer to view DLP related activities and filter for report generation purposes.

To export activity data for reporting use Export-ActivityExplorerData (ExchangePowerShell) | Microsoft Doc by using O365 Management Activity API or Incident API.

Note

The Microsoft Defender portal retains incidents for six months. The DLP alert management dashboard retains alerts for 30 days.

Triage

In this step, you analyze an alert and any associated logs and decide if the alert is a true positive or a false positive. If it's a true positive, you set the priority of the alert based on the severity of the issue and its impact on your organization and assign an owner. If it's a false positive, you can unblock the user and move on to the next alert.

Defender portal groups DLP events into incidents. Incidents are a collection of related alerts that are grouped together based on all the other signals that Defender is receiving. For example, when you have a DLP policy configured to monitor and alert on sensitive files on SharePoint sites, and a user downloads a file from a SharePoint site and then uploads it to a personal OneDrive, and then shares it with an external user, Defender groups all of those alerts into a single incident. This is a powerful feature that allows you to focus on the most important alerts first.

In the Defender portal you can immediately start triaging incidents and use tags, comments, and other features to structure your incident management. You should be utilizing the Incidents page in the Microsoft Defender portal to manage your DLP alerts. You can filter the Incidents queue to view all incidents with Microsoft Purview DLP alerts by selecting Filters and choose Service Source: Data Loss Prevention.

If you have enabled sharing of insider risk management data with Microsoft Defender XDR (preview) - you'll see the severity level of the Insider Risk Management policy that is associated with a user in the DLP alerts page. Insider Risk Management severity levels are: Low, Medium, High, and None. You can use this information to prioritize your investigation and remediation efforts. This information will also be available in the Microsoft 365 Defender portal in the details of the incident.

Investigate

The main goal of the investigation stage is for the assigned owner to correlate evidence, determine the cause and full impact of the alert and decide on a remediation plan. The assigned owner is responsible for deeper investigation and remediation of the alert. The primary alert investigation tools are the Microsoft Defender portal and the DLP alert management dashboard. You might also use Activity explorer to investigate alerts. You can also share alerts with other users in your organization.

You can take advantage of DLP features like:

You can use both Microsoft Defender portal and Purview tools to triage and investigate alerts, but the Microsoft Defender portal provides more capabilities for managing alerts and incidents, such as:

  • View all your DLP alerts grouped under incidents in the Microsoft Defender XDR incident queue.
  • View intelligent inter-solution (DLP-MDE, DLP-MDO) and intra-solution (DLP-DLP) correlated alerts under a single incident.
  • Hunt for compliance logs along with security under Advanced Hunting.
  • In-place admin remediation actions on user, file, and device.
  • Associate custom tags to DLP incidents and filter by them.
  • Filter by DLP policy name, tag, Date, service source, incident status, and user on the unified incident queue.

If you're sharing insider risk management data with Defender (preview), you can see the User activity summary of all the exfiltration activities the user has engaged in up to the past 120 days.

Remediate

Your remediation plan is unique to your organization's policies, the industry, the geopolitical regulations it must comply with, and business practices. How your organization chooses to respond to an alert revolves around the accuracy of the alert (true positive, false positive, false negative), the severity of the issue, and the impact on your organization.

Remediation actions can include:

  • Monitor only, no further action required.
  • No further action required because the actions take by the policy sufficiently mitigated the risk.
  • Risk mitigated by automated policy actions but user education is necessary.
  • The issue wasn't fully mitigated by the policy, so further clean up and risk mitigation is required along with more user training.
  • Via Adaptive Protection in Data Loss Prevention (preview) where DLP integrates with Insider Risk Management, you can assign a risk level to the user for further monitoring and actions.

With the Defender portal, you can immediately take remediation actions on alerts and incidents. For example:

  • Reset password
  • Disable account
  • View user activity
  • Actions on DLP detections
  • Remove document
  • Apply sensitivity label
  • Unshare
  • Download email
  • Advanced Hunting
  • Isolate Device
  • Collect investigation pack from Device
  • Run AV Scan
  • Quarantine file
  • Disable user
  • Reset pwd
  • Delete email
  • Move mail to other mailbox folder
  • Download file

Tune

Based on the accuracy and effectiveness of your policy, you might need to update it so it remains effective. You've already tuned your policy during the policy creation and deployment process, but as your data estate and business needs change, policies have to be updated to continue to be effective. These changes are best tracked in the policy intent statement and the policy configuration.

Items you tune:

  • The scope of the policy.
  • The conditions required for a policy match.
  • The actions taken when a policy match occurs.
  • Notifications sent to users and administrators.

For more information about mapping business needs to policy design and testing policies, see:

Toolsets

There are multiple tools that you can use to investigate and manage Microsoft Purview Data Loss Prevention (DLP) alerts. There are:

Microsoft recommends using the unified incident queue in Microsoft Defender portal to manage your DLP alerts. However, your organization may have needs that can be met by using the DLP alert management dashboard in addition to the Microsoft Defender portal.

Microsoft Defender portal

Microsoft Purview compliance portal

  • Alerts dashboard, Activity explorer, and Content explorer are all available in the Microsoft Purview compliance portal. You can summarize alerts using Microsoft Security Copilot Investigate a DLP alert
  • You can set an alert status to Investigating.
  • You can share alerts with other users in your organization.
  • Download files from OneDrive and SharePoint (data classification content viewer role is required for this action)

If you're new to using the DLP Alerts dashboard, you should read through these articles to help you get started.

Next steps