Understand DLP alerts and activity tracking

Data loss prevention (DLP) tools offer the ability to track and manage how sensitive information is shared and accessed across your organization. While creating and enforcing DLP policies is critical, understanding how they perform and identifying potential risks requires analyzing activity and reports generated by these policies.

DLP alerts and activity tracking

DLP tracking in Microsoft Purview helps you stay on top of policy violations and sensitive data movements within your organization. There are two tools for managing this process: the DLP Alerts dashboard and Activity explorer.

The DLP Alerts dashboard in Microsoft Purview allows you to track violations triggered by DLP policies. Alerts provide insights into potential risks and help you fine-tune your policies. Alerts are available in the dashboard for 30 days, during which you can investigate, triage, and track their resolution. For a longer retention period and more advanced incident correlation, alerts are integrated with Microsoft Defender, where they remain accessible for six months.

The Activity explorer offers a broader view of DLP-related activities, such as data sharing and egress events. It allows you to track how sensitive data is handled, giving you insight into patterns and trends. This information helps you adjust your DLP policies accordingly.

Investigate DLP alerts

DLP alerts are triggered when users violate your organization's DLP policies. These alerts provide a critical starting point for investigating potential risks and fine-tuning your policies.

When an alert is generated, the DLP Alerts dashboard in Microsoft Purview offers a detailed view of the event that caused it. Each alert contains information about the action that triggered it, such as the user involved, the type of sensitive data affected, and relevant metadata.

The steps to investigate DLP alerts typically include:

  • Trigger: A policy match is detected when sensitive data is shared inappropriately or exfiltrated, leading to an alert being generated.

  • Notify: The alert is logged in both the DLP Alerts dashboard and the Microsoft Defender portal. Administrators can configure notifications to be sent to the relevant stakeholders.

  • Triage: In the DLP Alerts dashboard or the Defender portal, admins can triage alerts to determine their severity. For example:

    • Exchange Online: DLP scans new email messages and flags any sensitive information matches.

    • SharePoint/OneDrive: DLP scans both new and existing files and flags any policy violations.

  • Investigate: You can investigate the alert by looking deeper into the details. Use the related metadata, such as timestamps and file locations, to determine whether the violation was accidental or intentional. For correlated incidents that span multiple actions (such as uploading and sharing sensitive data), the Microsoft Defender portal allows you to track and manage these incidents more efficiently.

  • Remediate: Based on the severity of the policy violation, admins can take one or more actions to resolve the issue:

    • Block user access: Prevent the user from continuing the action that triggered the alert by blocking their access to sensitive data. This measure is useful if a user is unintentionally or maliciously attempting to exfiltrate data.

    • Restrict file sharing: Temporarily disable the ability to share sensitive files with external parties or restrict access to specific user groups.

    • Quarantine files: Move sensitive data to a quarantine area where it can be reviewed by security or compliance teams. This prevents unauthorized access while the investigation continues.

    • Apply additional security measures: You can also escalate the response by applying more security controls, like applying a sensitivity label or encrypting the file, to ensure its security.

    • User training and feedback: In some cases, remediation could involve notifying the user of the violation and providing them with guidance on data handling. This action can be an opportunity for education and to reinforce compliance practices.

By following this lifecycle and using the tools available in both the Purview DLP Alerts dashboard and the Microsoft Defender portal, you can manage and respond to potential data loss incidents in your organization.

Track DLP activities with Activity explorer

The Activity explorer provides an in-depth view of user actions that involve sensitive data. It enables you to review activities such as data sharing, modifications, and policy rule matches. You can use preconfigured filters to focus on specific events, such as:

  • Endpoint DLP activities
  • Files containing sensitive info types
  • Egress activities (data copied to external locations)
  • DLP policies that detected activities
  • DLP policy rules that detected activities

Activity explorer is helpful for identifying trends and refining your policies to better protect sensitive data.

Contextual insights and egress tracking

In Activity explorer, you can view the context surrounding a policy match. For example, you can see the text around a detected credit card number and analyze whether the policy accurately captured a true violation. Activity explorer also tracks egress activities, such as copying sensitive data to external devices or cloud services, which helps identify potential exfiltration risks.

For organizations using endpoint DLP, ensure your devices meet the necessary prerequisites, such as the appropriate Windows updates, to access all available insights.

Evaluate DLP activities with PowerShell reports

In addition to reviewing activities directly in Activity explorer, you can use PowerShell to export the data for further analysis. The Export-ActivityExplorerData cmdlet lets you download DLP activity records in bulk, providing the same data available in Activity explorer but with the flexibility of offline access for analysis or reporting.

To access these reports:

  1. Connect to Security & Compliance PowerShell.

  2. Use the Export-ActivityExplorerData cmdlet to view and export DLP activity data based on filters such as date range, activity type, and more.

This export allows for easier analysis, manipulation, or long-term archiving, giving you greater control over the data.
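The following script is an added example, not code from this training module, that puts the two steps together: it assumes the ExchangeOnlineManagement module is installed (for Connect-IPPSSession), uses the cmdlet's StartTime, EndTime, PageSize, OutputFormat, PageCookie and Filter1 parameters together with its RecordCount, ResultData, WaterMark and LastPage result fields, and treats the Activity filter value DLPRuleMatch as an assumption to check against the activity types in your own tenant.

```powershell
# Added example: page through Export-ActivityExplorerData for the last seven days,
# keep only DLP rule matches, and archive every record to CSV for offline analysis.
# Assumptions: ExchangeOnlineManagement module installed; "DLPRuleMatch" is the
# Activity filter value you want (verify it against your tenant's activity types).

Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

$start   = (Get-Date).AddDays(-7).ToString('MM/dd/yyyy 00:00:00')
$end     = (Get-Date).ToString('MM/dd/yyyy 23:59:59')
$outFile = "dlp-activity-$(Get-Date -Format yyyyMMdd).csv"
$records = [System.Collections.Generic.List[object]]::new()
$cookie  = $null

do {
    $params = @{
        StartTime    = $start
        EndTime      = $end
        PageSize     = 5000                      # maximum records per page
        OutputFormat = 'Json'
        Filter1      = @('Activity', 'DLPRuleMatch')   # assumed filter value
    }
    # After the first page, pass the watermark back so the next page continues
    if ($cookie) { $params['PageCookie'] = $cookie }

    $page = Export-ActivityExplorerData @params

    if ($page.RecordCount -gt 0) {
        # ResultData is a JSON string; convert it to objects before collecting
        $records.AddRange([object[]](ConvertFrom-Json -InputObject $page.ResultData))
    }
    $cookie = $page.WaterMark
} while (-not $page.LastPage)

# Archive the full result set; nested properties are flattened by Export-Csv
$records | Export-Csv -Path $outFile -NoTypeInformation
Write-Host "Exported $($records.Count) DLP activity records to $outFile"
```

Drop the Filter1 entry to export all activity types, or change the date range to match your retention needs; the loop keeps requesting pages until the cmdlet reports LastPage.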

By regularly reviewing alerts, exploring user activity, and generating detailed reports, you can refine your DLP policies to better address risks and protect sensitive data.