Investigate data loss prevention alerts with Microsoft Sentinel

Applies to:

  • Microsoft Defender XDR
  • Microsoft Sentinel

Before you start

See Investigate data loss prevention alerts with Microsoft Defender XDR for more details.

DLP investigation experience in Microsoft Sentinel

You can use the Microsoft Defender XDR connector in Microsoft Sentinel to import all DLP incidents into Sentinel. This lets you correlate, detect, and investigate across your other data sources, and extend your automated orchestration flows with Sentinel's native SOAR capabilities.

  1. Follow the instructions in Connect data from Microsoft Defender XDR to Microsoft Sentinel to import all incidents, including DLP incidents and alerts, into Sentinel. In the same connector, enable the CloudAppEvents event stream so that the Office 365 audit logs behind those alerts are also pulled into Sentinel.

    Your DLP incidents appear in Sentinel once the connector is set up.

  2. Select Alerts to view the alert page.

  3. Use the alert's AlertType, StartTime, and EndTime to query the CloudAppEvents table for the user activities that contributed to the alert. The following query identifies the underlying activities: it joins each activity's DLP correlation ID (the cid field carried in RawEventData.Data) to the alert, then keeps only the activities that fall inside the alert's time window.

let Alert = SecurityAlert
| where TimeGenerated > ago(30d)
| where SystemAlertId == ""; // insert the SystemAlertId here
CloudAppEvents
| where Timestamp > ago(30d) // limit the scan to the same lookback as the alert
// RawEventData.Data is a JSON string nested inside the dynamic RawEventData column,
// so it has to be parsed a second time before the cid (correlation ID) is reachable
| extend correlationId = tostring(parse_json(tostring(RawEventData.Data)).cid)
| where isnotempty(correlationId) // activities without a DLP correlation ID cannot match
| join kind=inner Alert on $left.correlationId == $right.AlertType
// CreationTime is dynamic; convert it before comparing against the alert window
| where todatetime(RawEventData.CreationTime) > StartTime and todatetime(RawEventData.CreationTime) < EndTime
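The query above relies on the cid correlation ID being present in each activity record. As an added example that is not part of the original article, the following KQL pivots from the same alert to the affected account instead, so you still see what the user was doing in the alert window when an activity carries no cid. It assumes the alert's Entities JSON contains an account entity with an AadUserId (the standard Sentinel account entity shape), that a 30-day lookback fits your retention, and that DLP matches surface in CloudAppEvents with ActionType "DlpRuleMatch"; the SystemAlertId is a placeholder you fill in, and the 15-minute slack around the window is an assumption you can tune.

```kql
// Added example: pivot from a DLP alert to the affected user's cloud-app activity.
// Not from the original article. SystemAlertId is a placeholder to fill in.
let LookBack = 30d;
let Slack = 15m; // assumption: widen the alert window to catch activity logged just outside it
let Alert = SecurityAlert
| where TimeGenerated > ago(LookBack)
| where SystemAlertId == "" // insert the SystemAlertId here
| summarize arg_max(TimeGenerated, *) by SystemAlertId; // alerts are re-ingested on update; keep the latest copy
// Extract the account entities from the alert's Entities JSON.
let AlertAccounts = Alert
| mv-expand Entity = todynamic(Entities)
| where tostring(Entity.Type) == "account"
| extend AadUserId = tostring(Entity.AadUserId),
         Upn = strcat(tostring(Entity.Name), "@", tostring(Entity.UPNSuffix))
| where isnotempty(AadUserId) // an account entity without an object ID cannot be joined
| project SystemAlertId, AlertName, StartTime, EndTime, AadUserId, Upn;
CloudAppEvents
| where Timestamp > ago(LookBack)
| where isnotempty(AccountObjectId)
| join kind=inner AlertAccounts on $left.AccountObjectId == $right.AadUserId
| where Timestamp between ((StartTime - Slack) .. (EndTime + Slack))
// Flag the DLP rule matches so they stand out among the surrounding activity (assumed ActionType name).
| extend IsDlpMatch = ActionType == "DlpRuleMatch"
| project Timestamp, SystemAlertId, AlertName, Upn, Application, ActionType, IsDlpMatch,
          ObjectName, IPAddress, CountryCode, UserAgent
| order by Timestamp asc
```

Read the result as a timeline: the rows flagged IsDlpMatch are the policy hits the alert was raised on, and the unflagged rows around them (downloads, shares, sign-in location changes) show what the user did before and after. If the join returns nothing, check whether the alert's Entities JSON carries an AadUserId or only a UPN; in that case join on AccountDisplayName or the UPN instead.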

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.