Advanced hunting for Microsoft Purview Data Loss Prevention (DLP) incidents (2023)

1. Introduction

Microsoft 365 Defender is the Microsoft-recommended experience for investigating and remediating Microsoft Purview Data Loss Prevention (DLP) incidents. See the previously published step-by-step guide to learn how to investigate Microsoft Purview Data Loss Prevention alerts in Microsoft 365 Defender.

As part of the investigative capabilities available in Microsoft 365 Defender, advanced hunting lets you query the raw compliance and security signals generated by Microsoft 365 to proactively detect known and potential risks in your organization, and to visualize the attack chain. Advanced hunting can jumpstart your investigation workflow and help you learn more about the types of alerts you receive in your environment. This blog provides guidance on how to get started with advanced hunting for Microsoft Purview DLP investigations, and shares example queries for high-value scenarios.

2. Getting started

Prerequisite: the CloudAppEvents table, which contains the Microsoft Purview data, must be available in advanced hunting. Follow these steps to set up the Microsoft 365 integration.

  1. To access advanced hunting, click Advanced hunting in the left navigation pane.
  2. Under Advanced hunting, select the time range for the query.
  3. On the left side you have all available tables; the details of each table are available here. In this post, we provide examples of what you can do with the CloudAppEvents table.
  4. Queries in advanced hunting are written in the Kusto Query Language (KQL). For an introduction, read this.
  5. After entering the query, click Run query.
  6. There are built-in views within the product to make the data easier to consume. In the example below, we summarize alerts by sensitive information type and render the result as a pie chart. Views like this help you quickly tell whether any of your SITs are over-represented in the alert flow (see the render piechart operator at the end of the query).
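The pie-chart view described in step 6 is shown only as a screenshot in the original post. The query below is an added example (not code from the original post) that produces it: it counts DLP rule matches per sensitive information type, reading the SIT list from EndpointMetaData for Endpoint DLP records and from PolicyDetails for Exchange, SharePoint and OneDrive records (the same two JSON paths the post's first query uses). It assumes the CloudAppEvents table is populated as described in the prerequisite.

```kusto
// Added example: DLP rule matches per sensitive information type, rendered as a pie chart.
// Assumes CloudAppEvents carries Purview DLP events (see the prerequisite above).
CloudAppEvents
| where ActionType =~ "DlpRuleMatch"
// Endpoint DLP records list the matched SITs under EndpointMetaData.SensitiveInfoTypeData
| extend EndpointSits = parse_json(tostring(parse_json(tostring(RawEventData.EndpointMetaData)).SensitiveInfoTypeData))
// Exchange/SharePoint/OneDrive records list them under PolicyDetails[0].Rules[0].ConditionsMatched.SensitiveInformation
| extend PolicySits = parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(RawEventData.PolicyDetails))[0].Rules))[0].ConditionsMatched)).SensitiveInformation))
// Prefer the endpoint list when it is present, otherwise fall back to the policy list
| extend Sits = iff(array_length(EndpointSits) > 0, EndpointSits, PolicySits)
| mv-expand Sit = Sits
// The two sources name the SIT differently; take whichever property is populated
| extend SitName = tostring(Sit.SensitiveInfoTypeName)
| extend SitName = iff(isempty(SitName), tostring(Sit.SensitiveInformationTypeName), SitName)
| where isnotempty(SitName)
| summarize Alerts = count() by SitName
| render piechart
```

Because mv-expand emits one row per matched SIT, a single event that matches several SITs is counted once per SIT; that is the right unit when you want to see which SITs dominate the alert flow, but switch to dcount(ReportId) if you need a per-event count.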


3. Scenarios and samples using advanced hunting

Get DLP alerts for a given user (summarized by document, subject and sensitive information type match)

This query returns the DLP alerts for a user and summarizes them by the affected content. It can be used to understand risky activity: is the user actively trying to defeat the controls by sending the same content in different ways?

Replace the username.

let user = ('');
CloudAppEvents
| where ActionType has "DLPRuleMatch" or ActionType has "DLPRuleUndo"
| where tolower(user) == tolower(tostring(RawEventData.UserId))
| extend PolicyName_ = tostring(parse_json(tostring(RawEventData.PolicyDetails))[0].PolicyName)
| extend SensitiveInformationTypeName_ = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(RawEventData.PolicyDetails))[0].Rules))[0].ConditionsMatched)).SensitiveInformation))[0].SensitiveInformationTypeName)
| extend FileName_ = tostring(parse_json(tostring(RawEventData.SharePointMetaData)).FileName)
| extend RuleName_ = tostring(parse_json(tostring(parse_json(tostring(RawEventData.PolicyDetails))[0].Rules))[0].RuleName)
| extend Severity_ = tostring(parse_json(tostring(parse_json(tostring(RawEventData.PolicyDetails))[0].Rules))[0].Severity)
| extend Attachments_ = tostring(parse_json(tostring(RawEventData.Item)).Attachments)
| extend Recipients = strcat("To:", RawEventData.ExchangeMetaData.To, " CC:", RawEventData.ExchangeMetaData.CC, " BCC:", RawEventData.ExchangeMetaData.BCC)
| extend SharePointMetaData_SiteCollectionUrl_s = tostring(parse_json(tostring(RawEventData.SharePointMetaData)).SiteCollectionUrl)
| extend Documents = iff(isempty(FileName_), Attachments_, FileName_)
// Sharing-link events tell us who a SharePoint/OneDrive file was shared with
| join kind=leftouter (
    CloudAppEvents
    | where RawEventData.Operation == "SecureLinkUsed" or RawEventData.Operation == "AddedToSecureLink"
    | extend SourceFileName = tostring(RawEventData.SourceFileName)
    | extend SharePointMetaData_SiteCollectionUrl_s = tostring(RawEventData.SiteUrl)
    | extend UserId = tostring(RawEventData.UserId)
    | extend TargetUserOrGroupName = tostring(RawEventData.TargetUserOrGroupName)
    | summarize by SharePointMetaData_SiteCollectionUrl_s, SourceFileName, TargetUserOrGroupName
    | summarize TargetUserOrGroupName = make_list(strcat(TargetUserOrGroupName)) by SharePointMetaData_SiteCollectionUrl_s, SourceFileName
    | summarize take_any(TargetUserOrGroupName) by SourceFileName, SharePointMetaData_SiteCollectionUrl_s
    | project SourceFileName, SharePointMetaData_SiteCollectionUrl_s, TargetUserOrGroupName
) on SharePointMetaData_SiteCollectionUrl_s
| extend TargetUsers = iff(isnotempty(tostring(TargetUserOrGroupName)), tostring(TargetUserOrGroupName), Recipients)
| extend Subject = tostring(parse_json(tostring(RawEventData.ExchangeMetaData)).Subject)
| extend PolicyName_EndPoint = tostring(parse_json(tostring(RawEventData.PolicyDetails))[0].PolicyName)
| extend PolicyName = iff(isempty(PolicyName_), PolicyName_EndPoint, PolicyName_)
| extend Workload = tostring(RawEventData.Workload)
| extend Object = tostring(RawEventData.ObjectId)
// Endpoint DLP records keep the matched SIT under EndpointMetaData rather than PolicyDetails
| join kind=leftouter (
    CloudAppEvents
    | where ActionType has "DLPRuleMatch" or ActionType has "DLPRuleUndo"
    | where RawEventData.Workload has "Endpoint"
    | extend SensitiveInfoTypeName_ = tostring(parse_json(tostring(parse_json(tostring(RawEventData.EndpointMetaData)).SensitiveInfoTypeData))[0].SensitiveInfoTypeName)
    | extend EndPointFile = tostring(RawEventData.ObjectId)
    | project EndPointFile, SensitiveInfoTypeName_
) on $left.Object == $right.EndPointFile
| extend Documents = iff(isempty(Documents), EndPointFile, Documents)
| extend SensitiveInformationType = iff(isempty(SensitiveInformationTypeName_), SensitiveInfoTypeName_, SensitiveInformationTypeName_)
| extend EndpointOperation_ = tostring(parse_json(tostring(RawEventData.EndpointMetaData)).EndpointOperation)
| extend TargetDomain = tostring(parse_json(tostring(RawEventData.EndpointMetaData)).TargetDomain)
| extend Target = iff(isempty(tostring(TargetDomain)), TargetUsers, tostring(TargetDomain))
| project Timestamp, ActionType, Workload, PolicyName, SensitiveInformationType, Documents, Target, Subject, EndpointOperation_, Severity_
| summarize arg_max(Timestamp, *) by Workload, PolicyName, SensitiveInformationType, Documents, Target
| project Timestamp, ActionType, Workload, PolicyName, SensitiveInformationType, Documents, Target, Subject, EndpointOperation_, Severity_
| sort by Timestamp


Identify who has access to, or has accessed, a document in SharePoint or OneDrive for Business

This query returns information from SharePoint Online and OneDrive for Business for the time range selected in advanced hunting. It returns the external access and file-sharing history, so for SharePoint and OneDrive DLP alerts you can see with whom specific files were shared.

Replace the user account with the account that triggered the DLP policy, and replace the file name with the document name.

let document = "filename";
let user = ('useraccount');
// Folders in which a document with this name triggered a DLP match
let DLP = (
    CloudAppEvents
    | where RawEventData.Workload in ('SharePoint', 'OneDrive')
    | where ActionType =~ "DLPRuleMatch"
    | extend FilePathUrl_ = url_decode(tostring(RawEventData.SharePointMetaData.FilePathUrl))
    | extend path = parse_path(FilePathUrl_)
    | where path.Filename has document
    | extend DirectoryPath = tostring(path.DirectoryPath)
    | summarize by DirectoryPath
);
// Sharing-link activity under those folders: who used or was added to a link
let officedata = (
    CloudAppEvents
    | where RawEventData.Operation == "SecureLinkUsed" or RawEventData.Operation == "AddedToSecureLink"
    | extend ObjectId_ = tostring(RawEventData.ObjectId)
    | where ObjectId_ has_any (DLP)
    | extend SharePointMetaData_SiteCollectionUrl = tostring(RawEventData.SiteUrl)
    | extend SharePointMetaData_FileName = tostring(RawEventData.SourceFileName)
    | extend Account = tostring(RawEventData.UserId)
    | extend Targetsplit = split(Account, "#")
    | extend TargetUserOrGroupName = iff(isempty(RawEventData.TargetUserOrGroupName), Targetsplit[1], RawEventData.TargetUserOrGroupName)
    // Exclude internal domains if needed
    //| where TargetUserOrGroupName !has ""
    | extend TargetUserOrGroupName = tolower(TargetUserOrGroupName)
    | summarize by SharePointMetaData_FileName, SharePointMetaData_SiteCollectionUrl, TargetUserOrGroupName, ObjectId_, Account
);
// The DLP matches themselves, for this user and document
let dlpmain = (
    CloudAppEvents
    | where ActionType =~ "DLPRuleMatch"
    | where RawEventData.Workload == "OneDrive" or RawEventData.Workload == "SharePoint"
    | extend FilePathUrl_ = url_decode(tostring(RawEventData.SharePointMetaData.FilePathUrl))
    | extend path = parse_path(FilePathUrl_)
    | where path.Filename has document
    | extend Account = tostring(RawEventData.UserId)
    | where Account has user
    | extend ObjectId_ = url_decode(tostring(ObjectName))
    | extend SharePointMetaData_SiteCollectionUrl = tostring(RawEventData.SharePointMetaData.SiteCollectionUrl)
    | where tolower(RawEventData.UserId) == tolower(Account)
    | where RawEventData.Workload in ('SharePoint', 'OneDrive')
    | extend SourceFileName = tostring(RawEventData.SourceFileName)
);
// Sharing targets matched on the exact object (path)
let folder = (
    dlpmain
    | join kind=leftouter (
        officedata
        | summarize by SharePointMetaData_SiteCollectionUrl, SharePointMetaData_FileName, TargetUserOrGroupName, ObjectId_
        | summarize TargetUserOrGroupName = make_list(strcat(TargetUserOrGroupName)) by ObjectId_, SharePointMetaData_SiteCollectionUrl, SharePointMetaData_FileName
        | summarize take_any(TargetUserOrGroupName) by ObjectId_, SharePointMetaData_SiteCollectionUrl, SharePointMetaData_FileName
        | join kind=leftouter (
            officedata
            | summarize by SharePointMetaData_SiteCollectionUrl, SharePointMetaData_FileName, TargetUserOrGroupName, ObjectId_
            | extend Domsplit = split(TargetUserOrGroupName, "@")
            | extend domain = Domsplit[1]
            | summarize TargetDomain = make_list(strcat(domain)) by SharePointMetaData_FileName, ObjectId_
            | summarize take_any(TargetDomain) by SharePointMetaData_FileName, ObjectId_
        ) on ObjectId_
    ) on ObjectId_
);
// Sharing targets matched on file name and site collection, for rows the path join did not resolve
let files = (
    folder
    //| where TargetUserOrGroupName == ""
    | join kind=leftouter (
        officedata
        | summarize TargetUserOrGroupName = make_list(strcat(TargetUserOrGroupName)) by SharePointMetaData_FileName, SharePointMetaData_SiteCollectionUrl
        | summarize take_any(TargetUserOrGroupName) by SharePointMetaData_FileName, SharePointMetaData_SiteCollectionUrl
        | join kind=leftouter (
            officedata
            | summarize by SharePointMetaData_SiteCollectionUrl, SharePointMetaData_FileName, TargetUserOrGroupName
            | extend Domsplit = split(TargetUserOrGroupName, "@")
            | extend domain = Domsplit[1]
            | summarize TargetDomain = make_list(strcat(domain)) by SharePointMetaData_FileName
            | summarize take_any(TargetDomain) by SharePointMetaData_FileName
        ) on SharePointMetaData_FileName
    ) on SharePointMetaData_FileName, SharePointMetaData_SiteCollectionUrl
    | extend TargetUserOrGroupName = TargetUserOrGroupName1
    | extend TargetDomain = TargetDomain1
    | where TargetUserOrGroupName != ""
);
union folder, files
| extend FileName = tostring(parse_json(tostring(RawEventData.SharePointMetaData)).FileName)
| summarize arg_max(Timestamp, *) by ObjectId_, Account, tostring(RawEventData.Id)
| extend FileNameEncoded = url_encode(FileName)
| extend MDALink = strcat('', FileNameEncoded, ')') // Use this link to view older operations directly from Microsoft Defender for Cloud Apps
| project Timestamp, FileName, Target = TargetUserOrGroupName, SPOD_Path = ObjectId_, RawEventData, MDALink
| sort by Timestamp


Understand the applications and devices used by the user in relation to the sensitive data processed

This query returns the endpoint events generated by a specific user, giving a more complete picture when investigating an Endpoint DLP event. Update the query by replacing the user's email address.

let User = ("");
// Events that carry at least one matched sensitive information type
let AppEvents = (
    CloudAppEvents
    | where parse_json(tostring(RawEventData.SensitiveInfoTypeData)) != ""
    | where parse_json(tostring(RawEventData.SensitiveInfoTypeData)) != "[]"
    | extend sit = parse_json(tostring(RawEventData.SensitiveInfoTypeData))
    | mv-expand sit
    | extend UserId = tolower(tostring(RawEventData.UserId))
    | extend SensitiveInfoTypeName = tostring(sit.SensitiveInfoTypeName)
    | extend document = tostring(RawEventData.ObjectId)
);
AppEvents
| where UserId == tolower(User)
| extend ObjectId = tostring(RawEventData.ObjectId)
| extend DeviceName = tostring(RawEventData.DeviceName)
| extend Application = tostring(RawEventData.Application)
| summarize count = count() by document, Application, SensitiveInfoTypeName, ActionType, DeviceName
| order by ActionType


Identify what actions were performed on a document and the associated sensitivity label

This query returns all activities on the endpoint, SharePoint and Exchange for your document. It also returns the GUID of the label applied to the content. Since the same file name can be used for different documents, you may need to add additional filters to ensure you only return your file. Update the query by adding the file name.

let document = "sample.txt";
CloudAppEvents
// To speed up query execution and remove possible false matches, use the filters below.
//| where tolower(RawEventData.UserId) == "youruser"
//| where RawEventData.Sha256 == "52eb73d06b265f3e6cfeca5477ea22efc300ab42514635ed20d18e77272ff125"
//| where RawEventData.ListItemUniqueId == "6c8306d8-2e84-40a4-b39a-4841bfac1c82"
| search document
| extend Users = tostring(RawEventData.UserId)
// The label GUID lives in different properties depending on the workload; take the first one that is populated
| extend LabelGUID1 = parse_json(tostring(RawEventData.SensitivityLabelEventData)).SensitivityLabelId
| extend LabelGUID2 = iff(isempty(tostring(RawEventData.LabelId)), LabelGUID1, tostring(RawEventData.LabelId))
| extend LabelGUID3 = iff(isempty(tostring(RawEventData.SensitivityLabelId)), LabelGUID2, tostring(RawEventData.SensitivityLabelId))
| extend OldSensitivityLabelId = tostring(parse_json(tostring(RawEventData.SensitivityLabelEventData)).OldSensitivityLabelId)
| extend LabelGUID = iff(isempty(tostring(LabelGUID3)), OldSensitivityLabelId, tostring(LabelGUID3))
| project Timestamp, ActionType, Users, CountryCode, LabelGUID, ReportId, RawEventData
| sort by Timestamp

Identify people who joined a Teams meeting that violated a policy

This query returns the list of people who joined the Teams meeting you specify. Teams results can sometimes arrive a few hours after the meeting ends. Replace the subject.

// Update the meeting subject
let subject = ("Super Secret Meeting");
CloudAppEvents
//| where RawEventData.Operation == "MeetingParticipantDetail"
| where ActionType == "MessageSent"
| extend ChatName_ = tostring(RawEventData.ChatName)
| where ChatName_ has subject
| extend ChatThreadId_ = tostring(RawEventData.ChatThreadId)
// Resolve the chat thread to its meeting record
| join kind=inner (
    CloudAppEvents
    | where RawEventData.Operation == "MeetingDetail"
    | extend ChatThreadId_ = tostring(RawEventData.ChatThreadId)
    | extend meetid = tostring(RawEventData.Id)
) on ChatThreadId_
| extend Meeting = tostring(parse_json(tostring(parse_json(tostring(RawEventData.ExchangeMetaData)).To))[0])
| extend HasForeignTenantUsers_ = tostring(parse_json(tostring(RawEventData.ParticipantInfo)))
| project meetid, ChatName_, HasForeignTenantUsers_
// One participant-detail record per attendee
| join kind=inner (
    CloudAppEvents
    | where RawEventData.Operation == "MeetingParticipantDetail"
    | extend meetid = tostring(RawEventData.MeetingDetailId)
) on meetid
| extend UPN = tostring(parse_json(tostring(RawEventData.Attendees))[0].UPN)
| extend RecipientType = tostring(parse_json(tostring(RawEventData.Attendees))[0].RecipientType)
| summarize by UPN, AccountDisplayName, RecipientType, ChatName_, Timestamp, HasForeignTenantUsers_

Identify external user access to the Teams channel that violated the DLP policy

This query returns the details of a Teams channel and tells you whether external users are associated with it. Update the query by substituting the team name.

// Update the team name held in Teamvar
let Teamvar = ("The eDiscovery Team");
CloudAppEvents
| where Application == "Microsoft Teams"
| extend TeamName = tostring(RawEventData.TeamName)
| where TeamName == Teamvar
| extend UPN_ = tostring(parse_json(tostring(RawEventData.Members))[0].UPN)
| extend GroupId = tostring(RawEventData.AADGroupId)
// Uncomment the filter below to restrict the output to member additions
//| where ActionType == "MemberAdded"
| extend HasGuestUsers = tostring(parse_json(tostring(RawEventData.ParticipantInfo)).HasGuestUsers)
| extend HasUnauthenticatedUsers = tostring(parse_json(tostring(RawEventData.ParticipantInfo)).HasUnauthenticatedUsers)
| summarize by TeamName, ActionType, HasGuestUsers, HasUnauthenticatedUsers, UPN_

Types of data processed in different regions

If you have a type of sensitive information that should only be processed in a specific geographic region, you can use this query to identify where it is actually being processed. We are using the location data that comes from Microsoft Defender for Cloud Apps. You can also set up an alert based on this.

let AppEvents = (
    CloudAppEvents
    | where parse_json(tostring(RawEventData.SensitiveInfoTypeData)) != ""
    | where parse_json(tostring(RawEventData.SensitiveInfoTypeData)) != "[]"
    | extend sit = parse_json(tostring(RawEventData.SensitiveInfoTypeData))
    // Expand all sensitive information types onto separate rows
    | mv-expand sit
    | extend SensitiveInfoTypeName = tostring(sit.SensitiveInfoTypeName)
    | extend document = tostring(RawEventData.ObjectId)
);
AppEvents
| extend city = City
| extend country = CountryCode
| extend Level = SensitiveInfoTypeName
| summarize count() by Level, city, country
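The query above gives you the full breakdown; the next step the paragraph describes, turning it into a check for one SIT that must stay in-region, is shown below as an added example (not code from the original post). The SIT name and the allowed-country list are constructed placeholders; City and CountryCode are the Defender for Cloud Apps enrichment columns the post already relies on.

```kusto
// Added example: events where a region-restricted SIT was processed from a country outside the allowed set.
// RestrictedSit and AllowedCountries are constructed placeholders; replace them with your own values.
let RestrictedSit = "U.S. Social Security Number (SSN)";
let AllowedCountries = datatable(CountryCode:string) ["US"];
CloudAppEvents
| where parse_json(tostring(RawEventData.SensitiveInfoTypeData)) != ""
| where parse_json(tostring(RawEventData.SensitiveInfoTypeData)) != "[]"
| extend sit = parse_json(tostring(RawEventData.SensitiveInfoTypeData))
| mv-expand sit
| extend SensitiveInfoTypeName = tostring(sit.SensitiveInfoTypeName)
| where SensitiveInfoTypeName == RestrictedSit
// Keep only events with a resolved location that is not on the allow list
| where isnotempty(CountryCode) and CountryCode !in (AllowedCountries)
| extend UserId = tostring(RawEventData.UserId), Document = tostring(RawEventData.ObjectId)
| summarize Events = count(), Documents = make_set(Document, 20), FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by UserId, CountryCode, City, SensitiveInfoTypeName
| order by Events desc
```

Events with an empty CountryCode are dropped on purpose: an unresolved location is not evidence of out-of-region processing, and a custom detection built on this query should not page on it. If you want to see those rows, remove the isnotempty(CountryCode) condition and review them separately.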

Translation table for sensitivity labels for richer reporting

When working with SharePoint and OneDrive cases, it is useful to include the labels, or the label changes, applied to a document. This example lets you convert the label GUIDs into the actual label names. It takes a little more work to obtain the GUIDs.

  1. Connect to Security & Compliance PowerShell (Connect-IPPSSession)
    1. Run get-label | select immutableid,DisplayName,"," | convertto-csv
    2. Copy the output


  2. Replace the example rows in the datatable below with your output. This lets you go a little deeper and report labeled content with the actual label name. Update the document variable below for the document you are investigating.
let document = "doc";
// GUID-to-name mapping produced by the Get-Label step above; replace the rows with your own labels
let Labels = datatable(LabelGuid:string, LabelName:string)
[
    "defa4170-0d19-0005-0000-bc88714345d2", "Personal",
    "defa4170-0d19-0005-0001-bc88714345d2", "Public",
    "defa4170-0d19-0005-0002-bc88714345d2", "General",
    "defa4170-0d19-0005-0003-bc88714345d2", "Anyone (no restrictions)",
    "defa4170-0d19-0005-0004-bc88714345d2", "All Employees (No Restrictions)",
    "defa4170-0d19-0005-0005-bc88714345d2", "Confidential",
    "defa4170-0d19-0005-0006-bc88714345d2", "Anyone (No Restrictions)",
    "defa4170-0d19-0005-0007-bc88714345d2", "All Employees",
    "defa4170-0d19-0005-0008-bc88714345d2", "Trusted Persons",
    "6a6067cf-b972-45c0-a5ee-1ac16535698b", "Finance",
    "defa4170-0d19-0005-0009-bc88714345d2", "Highly Confidential",
    "defa4170-0d19-0005-000a-bc88714345d2", "All Employees",
    "defa4170-0d19-0005-000b-bc88714345d2", "Specified Persons",
    "44867fba-10b9-43b0-a00b-2672e310b2e3", "DKE1",
];
CloudAppEvents
| search document
| extend Users = tostring(RawEventData.UserId)
| extend LabelGUID1 = parse_json(tostring(RawEventData.SensitivityLabelEventData)).SensitivityLabelId
| extend LabelGUID2 = iff(isempty(tostring(RawEventData.LabelId)), LabelGUID1, tostring(RawEventData.LabelId))
| extend LabelGUID3 = iff(isempty(tostring(RawEventData.SensitivityLabelId)), LabelGUID2, tostring(RawEventData.SensitivityLabelId))
| extend OldSensitivityLabelId = tostring(parse_json(tostring(RawEventData.SensitivityLabelEventData)).OldSensitivityLabelId)
| extend LabelGuid = iff(isempty(tostring(LabelGUID3)), OldSensitivityLabelId, tostring(LabelGUID3))
// Inner join: events whose label GUID is not in the table are dropped
| join kind=inner (Labels) on LabelGuid
| project Timestamp, ActionType, Users, CountryCode, ReportId, RawEventData, LabelName, ObjectId = tostring(RawEventData.ObjectId)
| sort by Timestamp

As an example, you can configure an alert based on the volume of activity for a specific label to determine whether a user is moving a large amount of labeled data externally. Parameters to consider are the type of activity (e.g. file upload or file print), the number of activities, the file size and the time interval.
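The four parameters just listed map directly onto a query. The block below is an added example (not code from the original post) of a volume-based check of that kind for Endpoint DLP activity on one label. The label GUID is the "Highly Confidential" entry from the table above, the activity names are Endpoint DLP action types, and the thresholds are constructed placeholders; it assumes Endpoint DLP records expose the file size as RawEventData.FileSize, which you should confirm against your own data before saving it as a custom detection.

```kusto
// Added example: per-user, per-hour volume of high-risk endpoint actions on files with one sensitivity label.
// WatchedLabel is taken from the label table above; MaxActivities, MaxBytes and Window are constructed thresholds.
// RawEventData.FileSize is assumed to be present on Endpoint DLP records.
let WatchedLabel = "defa4170-0d19-0005-0009-bc88714345d2";  // "Highly Confidential"
let MaxActivities = 10;                                       // activities per user per window
let MaxBytes = 500 * 1024 * 1024;                             // 500 MB moved per user per window
let Window = 1h;
CloudAppEvents
// Endpoint DLP action types that move content off the device
| where ActionType in ("FileUploadedToCloud", "FilePrinted", "FileCopiedToRemovableMedia")
| where tostring(RawEventData.SensitivityLabelId) =~ WatchedLabel
| extend UserId = tostring(RawEventData.UserId), Document = tostring(RawEventData.ObjectId)
| extend FileSize = tolong(RawEventData.FileSize)
| summarize Activities = count(), BytesMoved = sum(FileSize), Documents = make_set(Document, 50), Actions = make_set(ActionType)
    by UserId, WindowStart = bin(Timestamp, Window)
// Either threshold alone is enough to surface the user
| where Activities > MaxActivities or BytesMoved > MaxBytes
| order by BytesMoved desc
```

Tune MaxActivities and MaxBytes against a few weeks of your own baseline before enabling this as a custom detection; printing a handful of large labeled files is normal in some roles, and a threshold set from one noisy day will either page constantly or never fire.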

Use built-in advanced functions to understand anomalies in your DLP data

Kusto also has built-in functions for anomaly detection, forecasting and machine learning. They can help you analyze irregular patterns and trigger alerts based on them, and they can also be used to validate that services are behaving as expected. In the example below, we identify anomalies in the number of DLP alerts per user. You can do the same with sensitive content and labels to find outliers in your processing.

// Users whose 30-minute DLP alert counts contain at least one anomalous point
let data = (
    CloudAppEvents
    | where ActionType =~ "DlpRuleMatch"
    | extend UserId = tostring(RawEventData.UserId)
    | summarize EventCount = count() by UserId, bin(Timestamp, 30m)
    | order by Timestamp
    // Build one time series per user
    | summarize EventCount = make_list(EventCount), TimeGenerated = make_list(Timestamp) by UserId
    | extend outliers = series_decompose_anomalies(EventCount)
    | mv-expand TimeGenerated, EventCount, outliers
    | where outliers == 1
    | distinct UserId
);
CloudAppEvents
| extend UserId = tostring(RawEventData.UserId)
| where UserId in (data)
| extend ChartName = strcat(UserId)
| summarize EventCount = count() by ChartName, bin(Timestamp, 30m)
| render timechart


4. Conclusion

Advanced hunting is a powerful tool that can support your day-to-day investigations. These example queries can help you get started, and you can customize them to suit your operational environment. Use your knowledge to create custom detection rules, and use the built-in functions to hunt for and learn more about risk patterns in your environment.

Additional Resources:

  • Learn More About Data Loss Prevention - Microsoft Purview (Compliance) | Microsoft Learn
  • Investigate data loss incidents with Microsoft 365 Defender | Microsoft Learn
  • Overview - Advanced Hunting | Microsoft Learn
  • Guidance for investigating Microsoft Purview data loss prevention incidents - Microsoft Community Hu...
  • Learn how to investigate Microsoft Purview Data Loss Prevention alerts in Microsoft 365 Defender - M...

As always, we look forward to your feedback!


Microsoft Purview Data Loss Prevention Team.
