Configure and view alerts for data loss prevention policies

Microsoft Purview Data Loss Prevention (DLP) policies can take protective actions to prevent unintentional sharing of sensitive items. When an action is taken on a sensitive item, you can be notified by configuring alerts for DLP. This article shows you how to define rich alert policies that are linked to your data loss prevention (DLP) policies. You'll see how to use the new DLP alert management dashboard in the Microsoft Purview compliance portal to view alerts, events, and associated metadata for DLP policy violations.

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Features

The following features are part of this experience:

  • DLP alert management dashboard: This dashboard in the Microsoft Purview compliance portal shows alerts for DLP policies that are enforced on the following workloads:

    • Exchange
    • SharePoint
    • OneDrive
    • Teams
    • Devices
  • Advanced alert configuration options: These options are part of the DLP policy authoring flow. Use them to create rich alert configurations. You can create a single-event alert or an aggregated alert, based on the number of events or the size of the leaked data.

Before you begin

Before you begin, make sure you have the necessary prerequisites:

  • Licensing for the DLP alerts management dashboard
  • Licensing for alert configuration options
  • Required roles

Licensing for the DLP alert management dashboard

All eligible tenants for Office 365 DLP can access the DLP alert management dashboard. To get started, you should be eligible for Office 365 DLP for Exchange, SharePoint, and OneDrive. For more information about the licensing requirements for Office 365 DLP, see Which licenses provide the rights for a user to benefit from the service?.

Customers who use Endpoint DLP and who are eligible for Teams DLP will see their endpoint DLP policy alerts and Teams DLP policy alerts in the DLP alert management dashboard.

Licensing for alert configuration options

  • Single-event alert configuration: Organizations that have an E1, F1, or G1 subscription or an E3 or G3 subscription can create alert policies only where an alert is triggered every time an activity occurs.
  • Aggregated alert configuration: To configure aggregate alert policies based on a threshold, you must have either of the following configurations:
    • An A5 subscription
    • An E5 or G5 subscription
    • An E1, F1, or G1 subscription or an E3 or G3 subscription that includes one of the following features:
      • Office 365 Advanced Threat Protection Plan 2
      • Microsoft 365 E5 Compliance
      • Microsoft 365 eDiscovery and Audit add-on license

Roles

If you want to view the DLP alert management dashboard or to edit the alert configuration options in a DLP policy, you must be a member of one of these role groups:

  • Compliance Administrator
  • Compliance Data Administrator
  • Security Administrator
  • Security Operator
  • Security Reader

To access the DLP alert management dashboard, you need the Manage alerts role and either of the following roles:

  • DLP Compliance Management
  • View-Only DLP Compliance Management

Alert configuration experience

If you're eligible for aggregated alert configuration options, then you see the following options inline in the DLP policy authoring experience.

Screenshot showing options for incident reports for users who are eligible for aggregated alert configuration options.

This configuration allows you to set up a policy to generate an alert:

  • every time an activity matches the policy conditions
  • when the defined threshold is met or exceeded
  • based on the number of activities
  • based on the volume of exfiltrated data

To prevent a flood of notification emails, all matches that occur within a one-minute time window for the same DLP rule and on the same location are grouped together in the same alert. The one-minute aggregation time window feature is available in:

  • An E5 or G5 subscription
  • An E1, F1, or G1 subscription or an E3 or G3 subscription that includes one of the following features:
    • Office 365 Advanced Threat Protection Plan 2
    • Microsoft 365 E5 Compliance
    • Microsoft 365 eDiscovery and Audit add-on license

For organizations that have an E1, F1, or G1 subscription or an E3 or G3 subscription, the aggregation time window is 15 minutes.
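The following Python is an added illustration (not Purview code) of the alert semantics just described: matches for the same rule and location inside one aggregation window (60 or 900 seconds) are grouped, and an aggregated policy raises the group only when the activity count or data volume meets or exceeds its threshold. Event timestamps, rule names and sizes are constructed sample values; the assumption that a window starts at the first match of a group is mine.

```python
"""Constructed simulation of DLP alert grouping and threshold evaluation."""
from dataclasses import dataclass


@dataclass
class DlpEvent:
    time_s: int        # seconds from an arbitrary start (constructed timestamps)
    rule: str          # name of the DLP rule that matched
    location: str      # workload: Exchange, SharePoint, OneDrive, Teams or Devices
    size_bytes: int    # size of the item involved in the match


def group_matches(events, window_s):
    """Group matches for the same rule and location that fall inside one window.

    window_s is 60 for the one-minute window or 900 for the 15-minute window.
    Assumption: a window starts at the first match of a group; a match arriving
    window_s or more seconds later opens a new group for that rule/location.
    """
    groups = []
    current = {}  # (rule, location) -> the group still inside its window
    for ev in sorted(events, key=lambda e: e.time_s):
        key = (ev.rule, ev.location)
        g = current.get(key)
        if g is None or ev.time_s - g["start_s"] >= window_s:
            g = {"rule": ev.rule, "location": ev.location, "start_s": ev.time_s,
                 "count": 0, "volume_bytes": 0}
            current[key] = g
            groups.append(g)
        g["count"] += 1
        g["volume_bytes"] += ev.size_bytes
    return groups


def alerts_to_raise(groups, count_threshold=None, volume_threshold=None):
    """Single-event mode (no thresholds) raises every group; aggregated mode
    raises a group only when the number of activities or the volume of data
    meets or exceeds the configured threshold."""
    if count_threshold is None and volume_threshold is None:
        return list(groups)
    return [g for g in groups
            if (count_threshold is not None and g["count"] >= count_threshold)
            or (volume_threshold is not None and g["volume_bytes"] >= volume_threshold)]


SAMPLE_EVENTS = [  # constructed sample matches
    DlpEvent(0, "Credit card numbers", "Exchange", 100),
    DlpEvent(10, "Credit card numbers", "Exchange", 200),
    DlpEvent(50, "Credit card numbers", "Exchange", 300),
    DlpEvent(70, "Credit card numbers", "Exchange", 50),   # outside the 60 s window
    DlpEvent(5, "Credit card numbers", "SharePoint", 1000),
    DlpEvent(20, "Source code", "Exchange", 10),
]

if __name__ == "__main__":
    for g in alerts_to_raise(group_matches(SAMPLE_EVENTS, 60), count_threshold=3, volume_threshold=500):
        print(g)
```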

DLP alert management dashboard

To work with the DLP alert management dashboard:

  1. In the Microsoft Purview compliance portal, go to Data Loss Prevention.

  2. Select the Alerts tab to view the DLP alerts dashboard.

    • Choose filters to refine the list of alerts. Choose Customize columns to list the properties you want to see. You can also choose to sort the alerts in ascending or descending order in any column.

    • Select an alert to see details:

      Screenshot showing alert details on the DLP alert management dashboard.

  3. Select the Events tab to view all of the events associated with the alert. You can choose a particular event to view its details. The following table shows some of the event details.

    | Category | Property name | Description | Applicable event types |
    |---|---|---|---|
    | Event details | Id | Unique ID associated with the event | All events |
    | Event details | Location | Workload where the event was detected | All events |
    | Event details | Time of activity | Time of the user activity that caused the DLP violation | All events |
    | Impacted entities | User | User who caused the DLP violation | All events |
    | Impacted entities | Hostname | Host name of the machine where the DLP violation was detected | Devices events |
    | Impacted entities | IP address | IP address of the machine | Devices events |
    | Impacted entities | File path | Absolute path of the file involved in the violation | SharePoint, OneDrive, and Devices events |
    | Impacted entities | Email recipients | Recipients of the email that violated the DLP policy | Exchange events |
    | Impacted entities | Email subject | Subject of the email that violated the DLP policy | Exchange events |
    | Impacted entities | Email attachments | Names of the attachments in the email that violated the DLP policy | Exchange events |
    | Impacted entities | Site owner | Name of the site owner | SharePoint and OneDrive events |
    | Impacted entities | Site URL | Full URL of the SharePoint or OneDrive site | SharePoint and OneDrive events |
    | Impacted entities | File created | Time of file creation | SharePoint and OneDrive events |
    | Impacted entities | File last modified | Time of the last modification of the file | SharePoint and OneDrive events |
    | Impacted entities | File size | Size of the file | SharePoint and OneDrive events |
    | Impacted entities | File owner | Owner of the file | SharePoint and OneDrive events |
    | Policy details | DLP policy matched | Name of the DLP policy that was matched | All events |
    | Policy details | Rule matched | Name of the DLP rule in the DLP policy that was matched | All events |
    | Policy details | Sensitive info types detected | Sensitive information types that were detected as a part of the DLP policy | All events |
    | Policy details | Actions taken | Actions taken as a part of the matched DLP policy | All events |
    | Policy details | User overrode policy | Whether the user overrode the policy through the policy tip | All events |
    | Policy details | Override justification text | Justification provided to override the policy tip | All events |

After you investigate the alert, choose Manage alert to change the status (Active, Investigating, Dismissed, or Resolved). You can also add comments and assign the alert to someone in your organization.

  • To see the history of workflow management, choose Management log.
  • After you take the required action for the alert, set the status of the alert to Resolved.

Other matched conditions

Microsoft Purview supports showing matched conditions in a DLP event to reveal the exact cause of a flagged DLP policy. This information appears in the Events tab: open Details to see Other matched conditions.

Prerequisites

Matched events information is supported for the following conditions:

| Condition | Exchange | SharePoint | Teams | Endpoint |
|---|---|---|---|---|
| Sender is | Yes | No | Yes | No |
| Sender domain is | Yes | No | Yes | No |
| Sender address contains words | Yes | No | No | No |
| Sender address matches patterns | Yes | No | No | No |
| Sender is a member of | Yes | No | No | No |
| Sender IP address is | Yes | No | No | No |
| Has sender overridden the policy tip | Yes | No | No | No |
| SenderAdAttribute Contains words | Yes | No | No | No |
| SenderAdAttribute Matches patterns | Yes | No | No | No |
| Recipient is | Yes | No | Yes | No |
| Recipient domain is | Yes | No | Yes | No |
| Recipient address contains words | Yes | No | No | No |
| Recipient address matches patterns | Yes | No | No | No |
| Recipient is a member of | Yes | No | No | No |
| RecipientAdAttribute Contains words | Yes | No | No | No |
| RecipientAdAttribute Matches patterns | Yes | No | No | No |
| Document is password protected | Yes | No | No | No |
| Document could not be scanned | Yes | No | No | No |
| Document did not complete scanning | Yes | No | No | No |
| Document name contains words | Yes | Yes | No | No |
| Document name matches patterns | Yes | No | No | No |
| Document property is | Yes | Yes | No | No |
| Document size over | Yes | Yes | No | No |
| Document content contains words | Yes | No | No | No |
| Document content matches patterns | Yes | No | No | No |
| Document type is | No | No | No | Yes |
| Document extension is | Yes | Yes | No | Yes |
| Content is shared from M365 | Yes | Yes | Yes | No |
| Content is received from | Yes | No | No | No |
| Content character set contains words | Yes | No | No | No |
| Subject contains words | Yes | No | No | No |
| Subject matches patterns | Yes | No | No | No |
| Subject or body contains words | Yes | No | No | No |
| Subject or body matches patterns | Yes | No | No | No |
| Header contains words | Yes | No | No | No |
| Header matches patterns | Yes | No | No | No |
| Message size over | Yes | No | No | No |
| Message type is | Yes | No | No | No |
| Message importance is | Yes | No | No | No |