Manage DLP alerts in the Microsoft Purview compliance portal


As noted earlier, part of creating a DLP policy is deciding whether anyone should be notified when a rule is matched. You make that choice separately for each rule in the policy. The resulting alerts appear in the DLP Alerts dashboard and are governed by the settings you configure in the Incident reports section of each rule. You use the dashboard both to view alerts and to manage them to resolution.

You have flexibility in defining when an alert is raised. One option is to raise an alert every time an activity matches the rule. The other is to raise it only when a threshold is crossed, for example a set number of rule matches, or a set volume of data, within a defined time window. The threshold option keeps a noisy rule from flooding the dashboard with one alert per event.

The image shows the portion of the DLP rule configuration where you specify incident reports. This configuration sends an email to johannal@<tenant>.onmicrosoft.com and adds an alert to the DLP Alerts dashboard. Anyone with the rights to view DLP alerts sees the alert on the dashboard; only the user(s) listed under Send an alert to admins when a rule match occurs receive the email.

Screenshot shows the Incident reports screen. The severity level is set to High and Send an alert is turned on.

When the high-severity alert fires, an email is generated and sent to johannal@<tenant>.onmicrosoft.com as configured. In this case, the alert was triggered by a match on a DLP policy rule that included an endpoint DLP setting: enforcement is applied when content containing sensitive data is uploaded to the cloud from a device.
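The same incident-report settings can be created from Security & Compliance PowerShell, which is useful for reproducing a rule across tenants or checking exactly what the portal stored. The following is an added example, not code from the Microsoft Learn page; the policy and rule names, the tenant part of the recipient address, the sensitive information type (a placeholder for the page's U.K. financial data scenario), and the keys inside the AlertProperties hashtable are assumptions to verify against Get-Help New-DlpComplianceRule -Full in your own tenant.

```powershell
# Added example (not from the original page). Requires the ExchangeOnlineManagement
# module and an account holding a DLP-capable role (for example Compliance Administrator).
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com   # UPN is assumed

$policyName     = 'Cloud upload - financial data'          # assumed policy name
$alertRecipient = 'johannal@contoso.onmicrosoft.com'       # recipient from the text; tenant name assumed

# Policy scoped to devices (endpoint DLP). TestWithNotifications lets you validate the
# email and dashboard alert flow before switching to Enable, which enforces the block.
New-DlpCompliancePolicy -Name $policyName `
    -EndpointDlpLocation All `
    -Mode TestWithNotifications

# One rule that:
#  - matches on a sensitive information type (Credit Card Number used as a placeholder),
#  - blocks cloud egress from the endpoint (the "upload to the cloud" setting described above),
#  - emails an incident report with the listed fields at High severity,
#  - raises the dashboard alert only after 5 matches within 60 minutes instead of per event.
# The AlertProperties keys (AggregationType, Threshold, TimeWindow) are assumptions.
New-DlpComplianceRule -Name "$policyName - rule" -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -EndpointDlpRestrictions @( @{ Setting = 'CloudEgress'; Value = 'Block' } ) `
    -GenerateIncidentReport $alertRecipient `
    -IncidentReportContent Title, DocumentAuthor, Service, MatchedItem, RulesMatched, Severity, Detections `
    -ReportSeverityLevel High `
    -GenerateAlert $alertRecipient `
    -AlertProperties @{ AggregationType = 'SimpleAggregation'; Threshold = 5; TimeWindow = 60 }

# Read back what was stored; the portal's Incident reports pane reflects these same values.
# Use this after any portal edit to confirm the recipient list and severity are what you intended.
Get-DlpComplianceRule -Policy $policyName |
    Select-Object Name, ReportSeverityLevel, GenerateAlert, GenerateIncidentReport, AlertProperties |
    Format-List
```

Two checks worth making after running this: confirm that every address in GenerateAlert is a mailbox that is actually monitored (alerts sent to an unattended shared mailbox are effectively dropped), and confirm that the threshold window is short enough that a burst of uploads still produces an alert before the data has left the tenant.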

When you select View Alert Details in the notification email, you land in the DLP Alerts view of the compliance portal. Select the event that prompted the alert. (You can also reach the alerts directly by going to Data loss prevention > Alerts.) DLP alerts also now surface in the Microsoft 365 Security Unified Alerts List, which offers more tools to investigate and remediate alerts at the instance level.

In this case, the event was a file containing a high volume of U.K. financial data being copied to the cloud. From here the administrator can start a workflow to manage the alert through to resolution, send an email to another user informing them of the DLP policy violation, or both.

Learn more

Configure and view alerts for data loss prevention policies