Get started with the data loss prevention analytics (preview)

Microsoft Purview data loss prevention (DLP) analytics helps customers understand top data protection risks, blind spots, and policy and posture improvement opportunities in their organization. It can help you investigate these risks using intelligent Purview features, and mitigate them in a few simple steps.

This article introduces the concepts you need to be familiar with. Then, it walks you through the prerequisites and configuration steps you perform to start using DLP analytics.

Important

This feature is in preview. Preview features aren't meant for production use and may have restricted functionality. These features are available before an official release so that customers can get early access and provide feedback. We expect changes to this feature, so you shouldn't use it in a production environment.

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

DLP analytics shows customers their top data loss risks and vulnerabilities and how to mitigate them through new or improved policies. It does this in three ways:

  • It communicates the top item oversharing risks through the Risk Spotlighting card on the DLP overview page in the Microsoft Purview portal. Analytics reports on top risks, blind spots, and policy improvement opportunities based on data from the past 30 days.
  • It helps prevent users from sharing additional sensitive information externally by letting you create new DLP policies with one click. Policy creation recommendations are based on industry best practices and risks found in the tenant.
  • It improves the accuracy of existing policies via the Policy Improvement card with one click.

Risks and recommendations are refreshed every week.

When DLP analytics is enabled, it scans signals on user activity, sensitive data sharing patterns, and policy information to generate insights that help you set up and refine DLP policies. It takes seven days to generate recommendations after you turn on DLP analytics.

Before you begin

Licensing

Before you start using DLP policies, confirm your Microsoft 365 subscription and any add-ons.

For information on licensing, see Microsoft 365, Office 365, Enterprise Mobility + Security, and Windows 11 Subscriptions for Enterprises.

Permissions

To see DLP analytics, your account must be assigned one of these two roles:

  • Global admin
  • Compliance Administrator

Enable DLP risk-detection analytics

Select the appropriate tab for the portal you're using. To learn more about the Microsoft Purview portal, see Microsoft Purview portal. To learn more about the Compliance portal, see Microsoft Purview compliance portal.

DLP analytics is turned Off by default. You need to explicitly opt in. Scans run every hour on your data present in audit logs and policy data.

Note

It takes seven days to start seeing analytics and recommendations in your tenant once analytics are re-enabled.

  1. Sign in to the Microsoft Purview portal > Data loss prevention > Overview.

  2. Check the Turn on analytics for risk detection and policy refinement opportunities (preview) option.

  3. Select Turn on analytics.

Disable DLP analytics

After disabling DLP analytics, it can take up to 24 hours for the insights to stop appearing on the Data loss prevention Overview page.

  1. Sign in to the Microsoft Purview portal > Settings (gear in the menu bar) > Data Loss Prevention > Analytics (preview).

  2. Set the Activate analytics toggle to Off.

Viewing DLP Analytics created policies

  1. Sign in to the Microsoft Purview portal > Data Loss Prevention > Policies.

  2. Look for policy names in this format: RiskSpotlighting-YYYY-MM-DD.

DLP analytics updated policies

When you tell DLP analytics to update an existing policy, it makes all updates in a new version of the policy. The name of the original policy is appended with _copy and the original policy is turned off. The new version is then deployed. For example:

  1. There's a policy named All credit cards that is generating too many false positives.
  2. DLP analytics suggests changes to the policy to reduce false positives.
  3. You tell DLP analytics to update the policy.
  4. DLP analytics creates a new version of the policy named All credit cards.
  5. DLP analytics renames the original version of the policy to All credit cards_copy and sets its status to Keep it off.
  6. DLP analytics deploys the new version of the policy named All credit cards and sets its status to Turn it on.
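
The naming rules in the two sections above can be checked against a policy inventory to track what DLP analytics created or replaced. This is an added example, not Microsoft's code; the `{name: status}` inventory is constructed, and a name ending in `_copy` is treated only as a hint that analytics updated the policy.

```python
import re
from datetime import datetime

# Name format the page gives for policies created by DLP analytics.
CREATED_RE = re.compile(r"RiskSpotlighting-(\d{4}-\d{2}-\d{2})", re.ASCII)
COPY_SUFFIX = "_copy"  # suffix the page says is appended to the original policy

def classify(policies):
    """Split a {name: status} inventory into analytics-created policies,
    analytics-updated (new, original) pairs, and findings to review by hand."""
    created, updated, findings = [], [], []
    for name, status in sorted(policies.items()):
        m = CREATED_RE.fullmatch(name)
        if m:
            try:  # reject look-alike names whose date part is not a real date
                datetime.strptime(m.group(1), "%Y-%m-%d")
                created.append(name)
            except ValueError:
                findings.append(f"{name}: matches the prefix but the date is invalid")
        elif name.endswith(COPY_SUFFIX) and len(name) > len(COPY_SUFFIX):
            base = name[: -len(COPY_SUFFIX)]
            if base not in policies:
                findings.append(f"{name}: no policy named {base!r} replaces it")
                continue
            updated.append((base, name))
            if status != "Keep it off":
                findings.append(f"{name}: original version is not off")
            if policies[base] != "Turn it on":
                findings.append(f"{base}: new version is not on")
    return created, updated, findings

# Constructed inventory: policy name -> status wording used on this page.
SAMPLE = {
    "All credit cards": "Turn it on",
    "All credit cards_copy": "Keep it off",
    "RiskSpotlighting-2024-05-13": "Turn it on",
    "RiskSpotlighting-2024-13-45": "Turn it on",
    "HR records": "Keep it off",
    "HR records_copy": "Keep it off",
    "Legacy PII_copy": "Keep it off",
}

if __name__ == "__main__":
    created, updated, findings = classify(SAMPLE)
    print("created by analytics:", created)
    print("updated by analytics:", updated)
    for finding in findings:
        print("review:", finding)
```

A pair where both versions are off, such as the constructed HR records entry, means neither version of the policy is active.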
