Partial Matching in Activity Explorer

Question

Partial Matching in Activity Explorer

Mitch Silberstein 70

I am working in Activity Explorer in Purview. If I filter by "DLP Rule Matched", I get a lot of results for the OneDrive location. If I go into the alerts though, it is not actually hitting all my conditions for the DLP rule even though they have an AND operator. I have verified my condition in the DLP policy is looking for when "Content is shared from Microsoft 365" to external users, but these matches do NOT show that condition.

Does the activity for DLP Rule Matched also show partial DLP rule matches? If yes, what is the source for this information?

0 comments

Answer accepted by question author

0 additional answers

Your answer

Answer 1

Jack Dang (WICLOUD CORPORATION) 18,970 Microsoft External Staff Moderator

Hi @Mitch Silberstein ,

Thank you for your question and for providing the details. I understand how it can be confusing to see many events in Activity Explorer for a DLP rule when it seems like not all conditions are met.

Here’s some clarification:

Activity Explorer shows DLP matches at a detailed level
- The events you see in Activity Explorer come from Microsoft 365 audit logs, which record activities related to DLP policies.
- Some events labeled “DLP Rule Matched” may represent partial matches - meaning only some conditions of your rule were met. They appear for visibility and audit purposes, but they may not constitute a full DLP violation.
Understanding partial vs full matches
- Your DLP rule uses an AND operator, so technically a violation occurs only when all conditions are met.
- Activity Explorer may still list events where only some conditions are satisfied, which is why you see entries that don’t fully meet your condition “Content is shared from Microsoft 365 to external users.”
Verifying full matches
- To check which conditions actually triggered, you can review the alert details in the DLP alerts interface in Purview. This will show which part of the rule matched the activity.
Source of the data
- These events are derived from the Microsoft 365 audit logs captured by Purview. They include information on the user action, file, location, and which DLP conditions were triggered (fully or partially).

In short: Activity Explorer may display partial DLP matches for audit purposes, and you should confirm full rule matches in the alert details.

Hope this helps! If my answer was helpful - kindly follow the instructions here so others with the same problem can benefit as well.

Mitch Silberstein 70 Reputation points

2025-10-07T13:40:04.7233333+00:00

Do you know if there is any Microsoft documentation to be able to support this answer? I was not able to find any previously. I suspect your answer to be correct, but I wish Microsoft were to update the Activity Explorer to only meet FULL matched criteria.
Jack Dang (WICLOUD CORPORATION) 18,970 Reputation points Microsoft External Staff Moderator

2025-10-08T02:41:27.0566667+00:00
Hi @Mitch Silberstein ,

Thanks for the follow-up!

Regarding your question, there isn’t a Microsoft doc that explicitly says Activity Explorer only reports full rule matches, but the following pages clarify how it works:

DLP policy reference – Notes that a “DLP Rule Matched” event appears whenever an activity is met, not necessarily all conditions.

Available events in Activity Explorer – Lists “DLP policy matched” as one of the reported activities without specifying full condition matching.

Get started with Activity Explorer – Explains that data shown is sourced from audit logs, which can include partially satisfied rule matches.

Together, these indicate that Activity Explorer may log events where part of a DLP rule is triggered, even if not all AND conditions are met.

Hopefully this gives you confidence that the current behavior aligns with Microsoft’s design, even if not yet called out explicitly in documentation.

If my answer was helpful - kindly follow the instructions here so others with the same problem can benefit as well.
Mitch Silberstein 70 Reputation points

2025-10-08T13:45:45.9466667+00:00

Thank you for the guidance! I will mark this as an accepted answer since there isn't anything specific to support it, but the experience matches. Overall this is a bad design as it gives false confidence in the egress of sensitive data. Meaning it can show matches even though my DLP policy is only concerned when sensitive data leaves externally. I will reach out to Microsoft to see if this can be changed.

Share via

Partial Matching in Activity Explorer

0 additional answers

Your answer