Investigate data loss prevention alerts with Microsoft Defender XDR

Applies to:

  • Microsoft Defender XDR

You can manage Microsoft Purview Data Loss Prevention (DLP) alerts in the Microsoft Defender portal. Open Incidents & alerts > Incidents on the quick launch of the Microsoft Defender portal. From this page, you can:

  • View all your DLP alerts grouped under incidents in the Microsoft Defender XDR incident queue.
  • View intelligent inter-solution (DLP-MDE, DLP-MDO) and intra-solution (DLP-DLP) correlated alerts under a single incident.
  • Hunt for compliance logs along with security under Advanced Hunting.
  • In-place admin remediation actions on user, file, and device.
  • Associate custom tags to DLP incidents and filter by them.
  • Filter by DLP policy name, tag, Date, service source, incident status, and user on the unified incident queue.

Tip

You can also pull DLP incidents along with events and evidence into Microsoft Sentinel for investigation and remediation with the Microsoft Defender XDR connector in Microsoft Sentinel.

Licensing requirements

To investigate Microsoft Purview Data Loss Prevention incidents in the Microsoft Defender portal, you need a license from one of the following subscriptions:

  • Microsoft Office 365 E5/A5
  • Microsoft 365 E5/A5
  • Microsoft 365 E5/A5 Compliance
  • Microsoft 365 E5/A5 Information Protection and Governance

Note

When you are licensed and eligible for this feature, DLP alerts will automatically flow into Microsoft Defender XDR. If you don't want DLP alerts to flow into Defender, open a support case to disable this feature. If you disable this feature DLP alerts will surface in the Defender portal as Microsoft Defender for Office alerts.

Roles

It's best practice to only grant minimal permissions to alerts in the Microsoft Defender portal. You can create a custom role with these roles and assign it to the users who need to investigate DLP alerts.

Permission Defender Alert Access
Manage Alerts DLP + Security
View-Only Manage Alerts DLP + Security
Information Protection Analyst DLP only
DLP Compliance Management DLP only
View-Only DLP Compliance Management DLP only

Before you start

Turn on alerts for all your DLP policies in the Microsoft Purview compliance portal.

Note

Administrative units restrictions flow from data loss prevention (DLP) into the Defender portal. If you are an administrative unit restricted admin, you'll only see the DLP alerts for your administrative unit.

Investigate DLP alerts in the Microsoft Defender portal

  1. Go to the Microsoft Defender portal, and select Incidents in the left hand navigation menu to open the incidents page.

  2. Select Filters on the top right, and choose Service Source : Data Loss Prevention to view all incidents with DLP alerts. Here's a few examples of the subfilters that are available in preview:

    1. by user and device names
    2. (in preview) In the Entities filter, you can search on file names, user, device names, and file paths.
    3. (in preview) In the Incidents queue > Alert policies > Alert policy title. You can search on the DLP policy name.
  3. Search for the DLP policy name of the alerts and incidents you're interested in.

  4. To view the incident summary page, select the incident from the queue. Similarly, select the alert to view the DLP alert page.

  5. View the Alert story for details about policy and the sensitive information types detected in the alert. Select the event in the Related Events section to see the user activity details.

  6. View the matched sensitive content in the Sensitive info types tab and the file content in the Source tab if you have the required permission (See details here).

Extend DLP alert investigation with advanced hunting

Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of audit logs of user, files and site locations to aid in your investigation. You can proactively inspect events in your network to locate threat indicators and entities. The flexible access to data enables unconstrained hunting for both known and potential threats.

The CloudAppEvents table contains all audit logs across all locations like SharePoint, OneDrive, Exchange and Devices.

Before you begin

If you're new to advanced hunting, you should review Get started with advanced hunting.

Before you can use advance hunting you must have access to the CloudAppEvents table that contains the Microsoft Purview data.

Using built in queries

Important

This feature is in preview. Preview features aren't meant for production use and may have restricted functionality. These features are available before an official release so that customers can get early access and provide feedback.

The Defender portal offers multiple built-in queries you can use to help with your DLP alert investigation.

  1. Go to the Microsoft Defender portal, and select Incidents & alerts in the left hand navigation menu to open the incidents page. Select Incidents.
  2. Select Filters on the top right, and choose Service Source : Data Loss Prevention to view all incidents with DLP alerts.
  3. Open a DLP incident.
  4. Select on an alert to view its associated events.
  5. Select an event.
  6. In the event details pane, select the Go Hunt control.
    1. Defender shows you a list of built-in queries that are relevant to the source location of the event. For example, if the event is from SharePoint you see
      1. File shared with
      2. File activities
      3. Site activity
      4. User DLP violations for last 30 days
  7. You can choose to Run query immediately, change the time range, edit or save the query for later use.
  8. Once you run the query, view the results on the Results tab.

If the alert is for an email message, you can download the message by selecting Actions > Download email.

If the alert is for a file in SharePoint Online or One Drive for Business, you can take these actions:

For remediation actions, select the User card on the top of the alert page to open the user details.

For Devices DLP alerts, select the device card on the top of the alert page to view the device details and take remediation actions on the device.

Go to the incident summary page and select Manage Incident to add incident tags, assign, or resolve an incident.

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.