Get started with collecting files that match data loss prevention policies from devices

This article walks you through the prerequisites and configuration steps for evidence collection for file activities on devices and introduces how to view the items that are copied out and saved.

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Here are the high level steps for configuring and using evidence collection for file activities on devices.

  1. Onboard devices
  2. Understand your requirements
  3. Create your managed Azure storage account
  4. Add an Azure storage blob to your account
  5. Configure Endpoint DLP settings
  6. Configure your DLP policy
  7. Preview collected evidence

Before you begin

Before you start these procedures, you should review Learn about evidence collection for file activities on devices.

Licensing and Subscriptions

See the licensing requirements for Information Protection for details on the subscriptions that support DLP.

See the licensing prerequisites for Azure Active Directory P1 or P2, which are needed to create custom role-based access control (RBAC) roles.

Permissions

Standard Microsoft Purview Data Loss Prevention (DLP) permissions are required. For more information, see Permissions.

Onboard devices

Before you can use evidence collection for matched items, you have to onboard Windows 10/11 devices into Purview. See Onboard Windows devices into Microsoft 365 overview.

Understand your requirements

Important

Each container inherits the permissions of the storage account that it is in. You can't set different permissions per container. If you need to configure different permissions for different regions, you must create multiple storage accounts, not multiple containers.

You should have answers to the following questions before setting up your Azure storage and scoping the feature to users.

Do you need to compartmentalize items and access along role or departmental lines?

For example, if your organization wants to have one set of administrators or DLP event investigators who can view saved files from your senior leadership and another set of administrators or DLP event investigators for saved items from human resources, you should create one Azure storage account for senior leadership and another for human resources. This ensures that the Azure storage admins or DLP event investigators can only see the items that matched DLP policies from their respective groups.

Do you want to use containers to organize saved items?

You can create multiple evidence containers within the same storage account for sorting saved files. For example, one for files saved from the HR department and another for those from the IT department.

What is your strategy for protecting against saved item deletion or modification?

In Azure Storage, data protection refers to both the strategies for protecting the storage account and data within it from being deleted or modified and to restoring data after it has been deleted or modified. Azure Storage also offers options for disaster recovery, including multiple levels of redundancy, to protect your data from service outages due to hardware problems or natural disasters, as well as customer-managed failover if the data center in the primary region becomes unavailable. For more information, see Data protection overview.

You can also configure immutability policies for your blob data that protect the saved items from being overwritten or deleted. For more information, see Store business-critical blob data with immutable storage.

Save matched items to Azure blob storage

To save the evidence that Microsoft Purview detects when your data loss prevention policies are applied, you need to set up Azure blob storage. To learn more about creating your own managed storage account, see Create your own managed Azure storage account.

Create your managed Azure storage account

The procedures for setting up your Azure storage account, container, and blobs are documented in the Azure document set. Here are links to relevant articles to help you get started:

  1. Introduction to Azure Blob Storage
  2. Create a storage account
  3. Default to and authorize access to blobs using Azure Active Directory
  4. Manage blob containers using the Azure portal
  5. Manage block blobs with PowerShell

Be sure to save the name and URL of the Azure blob container. To view the URL, open the Azure storage portal > Home > Storage Accounts > Container > Properties.

An example of the Azure blob container URL will be in the format https://storageAccountName.blob.core.windows.net/containerName.

Add an Azure storage blob to your account

Adding Azure blob storage from within the Microsoft Purview compliance portal

  1. Starting in the left navigation pane of the compliance portal, navigate to Data Loss Prevention > Endpoint DLP Settings.
  2. Toggle Setup evidence collection for file activities on devices to On.
  3. In the Set evidence cache on device field, select the amount of time evidence should be saved locally when the device is offline. You can choose 7, 30, or 60 days.
  4. Select + Add storage.
  5. In the flyout pane, enter a name for the storage blob and the corresponding connection string and then choose Add.
  6. Repeat steps 3 and 4 for any additional blobs required.

Adding Azure blob storage from within the DLP creation workflow

  1. From the left navigation pane, navigate to Data Loss Prevention > Policies.
  2. Choose to edit an existing policy or create a new one.
  3. Work through the policy wizard. At the Policy settings page, select Create or customize advanced DLP rules.
  4. Select + Create rule.
  5. Work through the rule builder as usual, selecting the following options:
    1. In the Locations section, make sure that the rule is scoped only to Devices.
    2. In the Incident reports section, toggle the Send an alert to admins when a rule match occurs option to On.
    3. Select the checkbox next to Collect original file as evidence for all selected file activities on Endpoint.
    4. Choose Add Storage. The Endpoint DLP settings page opens in a new window.
    5. On the Endpoint DLP settings page, expand Setup evidence collection for file activities on devices and make sure that the option is toggled to On.
    6. For Set evidence cache on device, specify the number of days files should be retained in the event that the device is disconnected from the server.
    7. Select + Add storage.
    8. In the Add account flyout, enter a name and URL for your blob.
    9. Choose Save.
    10. Back in the rule builder, select Send alert every time an activity matches the rule.
    11. Choose Save.
  6. Finish creating or editing your rule, then choose Submit.

Set permissions on the Azure blob storage

Using Azure Active Directory authorization, you must configure two sets of permissions on the blobs: one for the administrators and investigators so they can view and manage evidence, and another for users whose devices need to upload items to Azure. Create custom role groups in the Microsoft Purview compliance portal so that every account, regardless of role, holds only the permissions its role requires; this enforces least privilege when assigning accounts.

Permissions on Azure blob for administrators and investigators

Once you've created the role group that DLP incident investigators will use, it must have the following permissions on the Azure blob. For more information on configuring blob access, see how to authorize access to blob data in the Azure portal and Assign share-level permissions.

Investigator actions

Configure these object and action permissions for the investigator role:

Object | Permission
--- | ---
Microsoft.Storage/storageAccounts/blobServices | Read: List Blob Services
Microsoft.Storage/storageAccounts/blobServices | Read: Get blob service properties or statistics
Microsoft.Storage/storageAccounts/blobServices/containers | Read: Get blob container
Microsoft.Storage/storageAccounts/blobServices/containers | Read: List of blob containers
Microsoft.Storage/storageAccounts/blobServices/containers/blobs | Read: Read blob

Investigator data actions

Object | Permission
--- | ---
Microsoft.Storage/storageAccounts/blobServices/containers/blobs | Read: Read Blob

The JSON for the investigator role group should look like this:

"permissions": [
  {
    "actions": [
      "Microsoft.Storage/storageAccounts/blobServices/containers/read",
      "Microsoft.Storage/storageAccounts/blobServices/read"
    ],
    "notActions": [],
    "dataActions": [
      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
    ],
    "notDataActions": []
  }
]

Permissions on Azure blob for users

Assign these object and action permissions to the Azure blob for the user role:

User actions

Object | Permission
--- | ---
Microsoft.Storage/storageAccounts/blobServices | Read: List Blob Services
Microsoft.Storage/storageAccounts/blobServices/containers | Read: Get blob container
Microsoft.Storage/storageAccounts/blobServices/containers | Write: Put blob container

User data actions

Object | Permission
--- | ---
Microsoft.Storage/storageAccounts/blobServices/containers/blobs | Write: Write Blob
Microsoft.Storage/storageAccounts/blobServices/containers/blobs | Other: Add blob content

The JSON for the user role group should look like this:

"permissions": [
  {
    "actions": [
      "Microsoft.Storage/storageAccounts/blobServices/containers/read",
      "Microsoft.Storage/storageAccounts/blobServices/containers/write",
      "Microsoft.Storage/storageAccounts/blobServices/read"
    ],
    "notActions": [],
    "dataActions": [
      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action",
      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
    ],
    "notDataActions": []
  }
]
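The two permission fragments above are only the "permissions" element of a custom role. The following added example (not from this article or from Microsoft) wraps each of them in the full JSON shape the Azure portal shows for a custom role and checks that each role stays within its intended profile: the investigator role can read but never write or delete evidence, the uploader role can write but never read evidence from other devices, neither uses a wildcard, and both are scoped to a storage account rather than a subscription (since containers inherit the account's permissions). The role names, the assignable scope placeholder, and the profile checks are assumptions for the example.

```python
import json
from typing import Dict, List

# Placeholder scope (an assumption, not from the article): roles are assigned at the
# storage account, because every container inherits the account's permissions.
EVIDENCE_SCOPE = ("/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>"
                  "/providers/Microsoft.Storage/storageAccounts/<STORAGE_ACCOUNT>")
SVC = "Microsoft.Storage/storageAccounts/blobServices"
BLOBS = SVC + "/containers/blobs"


def role_definition(name: str, actions: List[str], data_actions: List[str]) -> Dict:
    """Wrap the permission lists in the JSON shape shown in the Azure portal's role JSON view."""
    return {"properties": {"roleName": name, "type": "CustomRole",
                           "assignableScopes": [EVIDENCE_SCOPE],
                           "permissions": [{"actions": sorted(actions), "notActions": [],
                                            "dataActions": sorted(data_actions),
                                            "notDataActions": []}]}}


# The two roles with exactly the actions and data actions the article lists.
INVESTIGATOR = role_definition("DLP Evidence Investigator",
                               [SVC + "/read", SVC + "/containers/read"], [BLOBS + "/read"])
UPLOADER = role_definition("DLP Evidence Uploader",
                           [SVC + "/read", SVC + "/containers/read", SVC + "/containers/write"],
                           [BLOBS + "/write", BLOBS + "/add/action"])


def least_privilege_findings(role: Dict, may_read: bool, may_write: bool) -> List[str]:
    """Return every way the role exceeds its intended profile; an empty list means it passes."""
    props = role["properties"]
    findings = []
    for scope in props["assignableScopes"]:
        if "/providers/Microsoft.Storage/storageAccounts/" not in scope:
            findings.append(f"scope wider than a storage account: {scope}")
    for perms in props["permissions"]:
        for p in perms["actions"] + perms["dataActions"]:
            if "*" in p:
                findings.append(f"wildcard permission: {p}")
            elif p.endswith("/delete"):
                findings.append(f"delete permission: {p}")  # evidence must never be deletable
        data = perms["dataActions"]
        if not may_read and BLOBS + "/read" in data:
            findings.append("uploader can read evidence written by other devices")
        writes = [d for d in data if d.startswith((BLOBS + "/write", BLOBS + "/add"))]
        if not may_write and writes:
            findings.append("investigator can alter evidence: " + ", ".join(writes))
    return findings


def portal_json(role: Dict) -> str:
    """Serialize a role in the form you would paste into the portal's custom role JSON editor."""
    return json.dumps(role, indent=2)
```

Run `least_privilege_findings(INVESTIGATOR, True, False)` and `least_privilege_findings(UPLOADER, False, True)` before assigning the roles; both return an empty list for the article's definitions, and any later edit that adds a wildcard, a delete, or cross-profile access shows up as a finding.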

Configure Endpoint DLP settings

  1. Sign in to the Microsoft Purview compliance portal.

  2. In the Microsoft Purview compliance portal > left navigation > Solutions > Data loss prevention > Endpoint DLP settings > Setup evidence collection for file activities on devices.

  3. Set the toggle to On.

  4. Set the duration for caching files on devices in the event that the devices can't access the Azure storage account. You can choose 7, 30, or 60 days.

  5. Select + Add storage and provide the Name and URL of the Azure storage account. The URL format is the storage account FQDN/containerName. No SAS token is required as Azure Active Directory authorization is in use.

Configure your DLP Policy

Create a DLP policy as you normally would. Refer to Create and Deploy data loss prevention policies for policy configuration examples.

Configure your policy using these settings:

  • Make sure that Devices is the only location selected.
  • In Incident reports, toggle Send an alert to admins when a rule match occurs to On.
  • In Incident reports, select Collect original file as evidence for all selected file activities on Endpoint.
  • Select the storage account you want.
  • Select the activities for which you want to copy matched items to Azure storage (Copy to a removable USB device, Copy to a network share, Print, Copy or move using unallowed Bluetooth app, Copy or move using RDP).

Preview collected evidence

Preview evidence via Activity explorer

  1. Starting in the left navigation pane of the compliance portal, navigate to Data loss prevention > Activity explorer.
  2. Using the Date dropdown, select the Start and End dates for the period you’re interested in.
  3. In the list of results, select the activity you want to investigate.
  4. In the flyout pane, the link to the Azure blob storage where the evidence has been saved appears under Evidence file.
  5. Select the Azure blob storage link to display the file that was matched.

Preview evidence via the Compliance portal alerts page

  1. Starting in the left navigation pane of the compliance portal, navigate to Data Loss Prevention > Alerts.
  2. Using the Date dropdown, select the Start and End dates for the period you’re interested in.
  3. In the list of results, select the activity you want to investigate.
  4. In the flyout pane, select View details.
  5. Select the Events tab.
  6. In the Detail pane, select the Source tab. The file that was matched displays.

Note

If the file that was matched already exists in the Azure storage blob, it won't be uploaded again until changes are made to the file and a user takes an action on it.

Known Limitations

  • Files stored in the device cache do not persist if the system crashes or restarts.
  • The maximum size for files that can be uploaded from a device is 500 MB.