Create notifications for exact data match activities

When you create custom sensitive information types with exact data match (EDM), there are a number of activities that are created in the audit log. You can use the New-ProtectionAlert PowerShell cmdlet to create notifications that let you know when these activities occur:

• CreateSchema
• EditSchema
• RemoveSchema
• UploadDataFailed
• UploadDataCompleted

Note

The ability to create notifications for EDM activities is available for the World Wide and GCC clouds only.

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Prerequisites

The account you have one of the following roles:

• Global administrator
• Compliance administrator
• Exchange Online administrator

To learn more about DLP permissions, see Permissions in the Microsoft Purview compliance portal.

EDM-based classification is included in these subscriptions:

• Office 365 E5
• Microsoft 365 E5
• Microsoft 365 E5 Compliance
• Microsoft E5/A5 Information Protection and Governance

To learn more about DLP licensing, see Microsoft 365 licensing guidance for security & compliance.

Configure notifications for EDM activities

1. Connect to the Security & Compliance PowerShell.

2. Run the New-ProtectionAlert cmdlet using the activity that you want to create the notification for. For example, if you want to be notified when the UploadDataCompleted action occurred, run:

   New-ProtectionAlert -Name "EdmUploadCompleteAlertPolicy" -Category Others -NotifyUser <address to send notification to> -ThreatType Activity -Operation UploadDataCompleted -Description "Custom alert policy to track when EDM upload Completed" -AggregationType None
   

   For the UploadDataFailed you can run:

   New-ProtectionAlert -Name "EdmUploadFailAlertPolicy" -Category Others -NotifyUser <SMTP address to send notification to> -ThreatType Activity -Operation UploadDataFailed -Description "Custom alert policy to track when EDM upload Failed" -AggregationType None -Severity High
   

Related articles

• Learn about exact data match based sensitive information types
• New-ProtectionAlert