Use DLP analytics (preview) to identify data risks
Data loss prevention (DLP) analytics helps organizations identify potential risks to their data by analyzing how information is being used and shared. It identifies areas where sensitive data might be exposed and gives recommendations to improve security policies. This helps your organization proactively manage data risks and avoid breaches or leaks.
Important
DLP analytics is currently in preview. It might have limited functionality and isn't recommended for production environments. Feedback is encouraged during this preview period, as changes might be introduced in future updates.
Understand DLP analytics
DLP Analytics scans user activities and data-sharing behaviors to detect potential risks. After enabling it, it takes about seven days to gather data and provide recommendations. These insights are updated weekly and help ensure that your DLP policies remain effective over time. It identifies oversharing risks, potential gaps in visibility, and policy improvement opportunities in three ways:
- Risk spotlighting: Shows the top oversharing risks on the DLP overview page within the Microsoft Purview portal. It analyzes the last 30 days of data to show critical areas of concern.
- Policy recommendations: Suggests new policies based on detected risks and best practices, helping you address vulnerabilities with minimal effort.
- Policy improvement suggestions: Provides adjustments to existing DLP policies in the Policy Improvement card, reducing false positives and improving policy effectiveness.
Before you begin
Before you start using DLP analytics, make sure you have the necessary prerequisites in place:
- Licensing: Confirm your Microsoft 365 subscription and any add-ons.
- Permissions: To see DLP analytics, your account must be one of these two roles: Global admin or Compliance Administrator. Microsoft recommends using roles with the fewest permissions to improve security.
Enable DLP analytics
DLP analytics is turned off by default and needs to be manually enabled. It takes seven days for recommendations and insights to appear after activation.
To enable DLP analytics:
Sign in to the Microsoft Purview portal, then navigate to Solutions > Data Loss Prevention > Overview.
Check the box for Turn on analytics for risk detection and policy refinement opportunities (preview).
Select Turn on analytics.
Disable DLP analytics
If you need to turn off DLP analytics, the insights and recommendations will stop appearing after 24 hours. Follow these steps to disable analytics:
In the Microsoft Purview portal, navigate to Settings > Data Loss Prevention > Analytics (preview).
Set the Activate analytics toggle to Off.
View DLP analytics generated policies
DLP analytics can create new policies based on detected risks. Here's how to view them:
In the Microsoft Purview portal, navigate to Solutions > Data Loss Prevention > Policies.
Look for policy names with this format: RiskSpotlighting-YYYY-MM-DD.
DLP analytics updated policies
When DLP analytics suggests updates to an existing policy, a new version of the policy is created with the original policy renamed and turned off. For example:
If a policy named All credit cards generates too many false positives, DLP analytics might suggest changes.
After you accept the suggested changes, the new version will be named All credit cards with its status set to Turn it on. The original policy is renamed All credit cards_copy with its status set to Keep it off.
Microsoft Purview DLP analytics offers a simple way to identify data loss risks and mitigate them through actionable insights and policy recommendations. This tool helps streamline the policy creation process, allowing organizations to quickly improve data protection and minimize vulnerabilities.