Get started with the data loss prevention Alerts dashboard

Microsoft Purview Data Loss Prevention (DLP) policies can take protective actions to prevent unintentional sharing of sensitive items. When an action is taken on a sensitive item, you can be notified by configuring alerts for DLP. This article shows you how to configure alerts in your data loss prevention (DLP) policies. You see how to use the DLP alert management dashboard in the Microsoft Purview compliance portal to view alerts, events, and associated metadata for DLP policy violations.

If you're new to DLP alerts, you should review Get started with the data loss prevention alerts.

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Microsoft Purview compliance portal shows alerts for DLP policies that are enforced on the following workloads:

  • Exchange email
  • SharePoint sites
  • OneDrive accounts
  • Teams chat and channel messages
  • Devices
  • Instances
  • On-premises repositories
  • Power BI

Before you begin

Before you begin, make sure you have the necessary prerequisites:

  • Licensing for the DLP alerts management dashboard
  • Licensing for alert configuration options
  • Required roles

Licensing for the DLP alert management dashboard

To get started with the DLP Alert dashboard, you need to be licensed for DLP for Exchange, SharePoint, and OneDrive, see:

See the Microsoft 365 guidance for security & compliance for details on the subscriptions that support DLP.

Customers who use Endpoint DLP who are eligible for Teams DLP will see their endpoint DLP policy alerts and Teams DLP policy alerts in the DLP alert management dashboard.

The content preview feature, where you can view the content that matched the policy in the alert, is available only for these licenses:

  • Microsoft 365 (E5)
  • Office 365 (E5)
  • Advanced Compliance (E5) add on
  • Microsoft 365 E5/A5 Information Protection and Governance
  • Microsoft 365 E5/A5 Compliance

Licensing for alert configuration options

Single-event alert configuration: Organizations that have an E1, F1, or G1 subscription, or an E3 or G3 subscription, can create alert policies only where an alert is triggered every time an activity occurs.

Aggregated alert configuration: To configure aggregate alert policies based on a threshold, you must use one of these licensing configurations:

  • An E5 or G5 subscription
  • An E1, F1, or G1 subscription or an E3 or G3 subscription that includes one of the following features:
    • Office 365 Advanced Threat Protection Plan 2
    • Microsoft 365 E5 Compliance
    • Microsoft 365 eDiscovery and Audit add-on license

Roles and Role Groups

If you want to view the DLP alert management dashboard or to edit the alert configuration options in a DLP policy, you must be a member of one of these role groups:

  • Compliance Administrator
  • Compliance Data Administrator
  • Security Administrator
  • Security Operator
  • Security Reader
  • Information Protection Admin
  • Information Protection Analyst
  • Information Protection Investigator
  • Information Protection Reader

To learn more about them, see Permissions in the Microsoft Purview compliance portal

Here's a list of applicable role groups. To learn more about them, see Permissions in the Microsoft Purview compliance portal.

  • Information Protection
  • Information Protection Admins
  • Information Protection Analysts
  • Information Protection Investigators
  • Information Protection Readers

To access the DLP alert management dashboard, you need the Manage alerts role and either of these two roles:

  • DLP Compliance Management
  • View-Only DLP Compliance Management

To access the Content preview feature and the Matched sensitive content and context features, you must be a member of the Content Explorer Content Viewer role group, which has the Data classification content viewer role preassigned.

DLP alert configuration

To learn how to configure an alert in your DLP policy, see Create and Deploy data loss prevention policies.

Important

Your organization's audit log retention policy configuration controls how long an alert remains visible in the console. See, Manage audit log retention policies for more information.

Aggregate event alert configuration

If your organization is licensed for aggregated alert configuration options, then you see these options when you create or edit a DLP policy.

Screenshot showing options for incident reports for users who are eligible for aggregated alert configuration options.

This configuration allows you to set up a policy to generate an alert every time an activity matches the policy conditions or when a certain threshold is exceeded, based on the number of activities or based on the volume of exfiltrated data.

Single event alert configuration

If your organization is licensed for single-event alert configuration options, then you see these options when you create or edit a DLP policy. Use this option to create an alert that's raised every time a DLP rule match happens.

Screenshot showing options for incident reports for users who are eligible for single-event alert configuration options.

Investigate a DLP alert

To work with the DLP alert management dashboard:

  1. In the Microsoft Purview compliance portal, go to Data loss prevention.

  2. Select Alerts to view the DLP alerts dashboard.

    1. Choose filters to refine the list of alerts. Choose Customize columns to list the properties you want to see. You can also choose to sort the alerts in ascending or descending order in any column.
    2. In preview, if you have enabled sharing of the insider risk management severity level, you see a Insider risk severity column with the values of Low, Medium, High, and None.

    Important

    None can mean either that the user is not in the scope of an insider risk management policy or that the user has not engaged in any exfiltration activities in up to the past 120 days. Users must be in scope of an insider risk management policy to see the Insider risk severity column.

    1. Select an alert to see details.

Screenshot showing alert details on the DLP alert management dashboard.

  1. Select the Events tab to view all of the events associated with the alert. You can choose a particular event to view its details. For a list of some of the available event details, see Get started with the data loss prevention alerts.

  2. Select View details to open the Overview page for the alert. The overview page provides a summary:

    1. of what happened
    2. who performed the actions that caused the policy match
    3. information about the matched policy, and more
  3. Choose the Events tab to access the:

    1. Source content involved
    2. Event Details
    3. Classifiers that detected a match
    4. File activity details
    5. Metadata associated with the event
  4. In preview, you can share the insider risk management severity level with DLP. Select the User activity summary tab to see all of the exfiltration activities the user has engaged in up to the past 120 days. Users must be in scope of an insider risk management policy policy to see the User activity summary tab.

  5. Select any Actions you want to take on the file.

  6. After you investigate the alert, return to the Overview tab where you can triage and manage the disposition of the alert, add comments, and assign ownership of the alert.

    1. To see the history of workflow management, choose Management log.
    2. After you take the required action for the alert, set the status of the alert to Resolved.

Other matched conditions

Microsoft Purview supports showing matched conditions in a DLP event to reveal the exact cause for a flagged DLP policy. This information shows up in:

In the Events tab, open Details to see Other matched conditions.

Prerequisites

Matched events information is supported for these conditions

Condition Exchange Sharepoint Teams Endpoint
Sender is Yes No Yes No
Sender domain is Yes No Yes No
Sender address contains words Yes No No No
Sender address matches patterns Yes No No No
Sender is a member of Yes No No No
Sender IP address is Yes No No No
Has sender overridden the policy tip Yes No No No
SenderAdAttribute Contains words Yes No No No
SenderAdAttribute Matches patterns Yes No No No
Recipient is Yes No Yes No
Recipient domain is Yes No Yes No
Recipient address contains words Yes No No No
Recipient address matches patterns Yes No No No
Recipient is a member of Yes No No No
RecipientAdAttribute Contains words Yes No No No
RecipientAdAttribute Matches patterns Yes No No No
Document is password protected Yes No No No
Document could not be scanned Yes No No No
Document did not complete scanning Yes No No No
Document name contains words Yes Yes No No
Document name matches patterns Yes No No No
Document property is Yes Yes No No
Document size over Yes Yes No No
Document content contains words Yes No No No
Document content matches patterns Yes No No No
Document type is No No No Yes
Document extension is Yes Yes No Yes
Content is shared from M365 Yes Yes Yes No
Content is received from Yes No No No
Content character set contains words Yes No No No
Subject contains words Yes No No No
Subject matches patterns Yes No No No
Subject or body contains words Yes No No No
Subject or body matches patterns Yes No No No
Header contains words Yes No No No
Header matches patterns Yes No No No
Message size over Yes No No No
Message type is Yes No No No
Message importance is Yes No No No

Limitation when downloading emails from within a DLP alert

In general, when using the DLP alert management dashboard, you can download specific emails from within an alert. However, emails that have been deleted in any of the following scenarios can't be downloaded.

Sender Recipient Email Status
Internal External Deleted by sender
External Internal Deleted by recipient
Internal Internal Deleted by both parties

Additional Alert investigation tools