Get started with the data loss prevention Alerts dashboard

Microsoft Purview Data Loss Prevention (DLP) policies can take protective actions to prevent unintentional sharing of sensitive items. You can be notified when an action is taken on a sensitive item by configuring alerts for DLP. This article shows you how to configure alerts in your data loss prevention (DLP) policies. You'll see how to use the DLP alert management dashboard in the Microsoft Purview portal to view alerts, events, and associated metadata for DLP policy violations.

If you're new to DLP alerts, you should review Get started with the data loss prevention alerts.

Tips

Get started with Microsoft Security Copilot to explore new ways to work smarter and faster using the power of AI. Learn more about Microsoft Security Copilot in Microsoft Purview.

Microsoft Purview portal shows alerts for DLP policies that are enforced on the following workloads:

• Exchange email
• SharePoint sites
• OneDrive accounts
• Teams chat and channel messages
• Devices
• Instances
• On-premises repositories
• Fabric and Power BI

Tips

Another tool you can use to help triage alerts it Microsoft Security Copilot. Security Copilot is a cloud-based AI platform that can assist security and compliance professionals in protecting their organization's data. You can use it to summarize Microsoft Purview alerts, triage alerts and to drill down into your Microsoft Puview data. It is available in the DLP Alerts dashboard and in Data Security Posture Management (preview).

Before you begin

Before you begin, make sure you have the necessary prerequisites:

• Licensing for the DLP alerts management dashboard
• Licensing for alert configuration options
• Required roles

Licensing for the DLP alert management dashboard

Before you start using DLP policies, confirm your Microsoft 365 subscription and any add-ons.

For information on licensing, see Microsoft 365, Office 365, Enterprise Mobility + Security, and Windows 11 Subscriptions for Enterprises.

Customers who use Endpoint DLP who are eligible for Teams DLP see their endpoint DLP policy alerts and Teams DLP policy alerts in the DLP alert management dashboard.

Licensing for alert configuration options

Before you start using DLP policies, confirm your Microsoft 365 subscription and any add-ons.

For information on licensing, see Microsoft 365, Office 365, Enterprise Mobility + Security, and Windows 11 Subscriptions for Enterprises.

Roles and Role Groups

If you want to view the DLP alert management dashboard or to edit the alert configuration options in a DLP policy, you must be a member of one of these role groups:

• Compliance Administrator
• Compliance Data Administrator
• Security Administrator
• Security Operator
• Security Reader
• Information Protection Admin
• Information Protection Analyst
• Information Protection Investigator
• Information Protection Reader

To learn more about them, see Permissions in the Microsoft Purview compliance portal

Here's a list of applicable role groups. To learn more about them, see Permissions in the Microsoft Purview compliance portal.

• Information Protection
• Information Protection Admins
• Information Protection Analysts
• Information Protection Investigators
• Information Protection Readers

To access the DLP alert management dashboard, you need the Manage alerts role and either of these two roles:

• DLP Compliance Management
• View-Only DLP Compliance Management

To access the Content preview feature and the Matched sensitive content and context features, you must be a member of the Content Explorer Content Viewer role group, which has the Data classification content viewer role preassigned.

DLP alert configuration

To learn how to configure an alert in your DLP policy, see Create and Deploy data loss prevention policies.

Viktig

Your organization's audit log retention policy configuration controls how long an alert remains visible in the console. See, Manage audit log retention policies for more information.

Aggregate event alert configuration

If your organization is licensed for aggregated alert configuration options, then you see these options when you create or edit a DLP policy.

This configuration allows you to set up a policy to generate an alert every time an activity matches the policy conditions or when a certain threshold is exceeded, based on the number of activities or based on the volume of exfiltrated data.

Single event alert configuration

If your organization is licensed for single-event alert configuration options, then you see these options when you create or edit a DLP policy. Use this option to create an alert that's raised every time a DLP rule match happens.

Investigate a DLP alert

Select the appropriate tab for the portal you're using. Depending on your Microsoft 365 plan, the Microsoft Purview compliance portal is retired or will be retired soon.

To learn more about the Microsoft Purview portal, see Microsoft Purview portal. To learn more about the Compliance portal, see Microsoft Purview compliance portal.

Microsoft Purview portal

To work with the DLP alert management dashboard:

1. Sign in to the Microsoft Purview portal > Data loss prevention.
2. Select Alerts to view the DLP Alerts dashboard.
3. Use the Filter fields to refine the list of alerts.
4. Choose Customize columns to list the properties you want to see.
5. To sort the results in ascending or descending order, double-click the column header.
6. Double-click an alert for more information about it.
7. The Details tab opens by default and provides high-level information about the alert.
8. Select Summarize with Copilot. This causes the Security Copilot to generate a summary of the alert. The alert summary will contain the:
   • alert severity
   • alert title
   • the name of the policy that was matched
   • the name file involved and a link to the file
   • alert status
   • the email address of the user who performed the action that matched the policy
9. Select the ellipsis in the Security Copilot summary to:
   • copy the summary to the clipboard
   • regenerate the summary
   • open the alert in the Security Copilot standalone experience.
10. Select View details to open the Overview tab. The Overview tab provides a summary of the following information:
    • What happened
    • Who performed the actions that caused the policy match
    • Additional information about the policy match
11. The Events tab lists all of the events associated with the alert. Select any event in the list to get detailed information about the event. For each event, choose the Actions drop down for a list of actions you can take on the alert, such as verifying whether or not the alert has identified a true match or a false positive.
    1. The User activity summary tab requires that sharing be turned On in the insider risk management settings Once enabled, the User activity summary tab provides all the exfiltration activities the user has engaged in (up to the past 120 days). Users must be in scope of an insider risk management policy to see the User activity summary tab.
    2. After you investigate the alert, return to the Overview tab where you can View details to triage and manage the disposition of the alert, add comments and assign ownership of the alert. (To see the history of workflow management.)
    3. After you take the required action for the alert, set the Status of the alert to Resolved.

Compliance portal

To work with the DLP alert management dashboard:

1. In the Microsoft Purview compliance portal, navigate to Data loss prevention and select Alerts.

2. Choose Customize columns to list the properties you want to see. You can also choose to sort the alerts in ascending or descending order in any column.

3. Choose Apply.

4. Select View details to open the Overview page for the alert. The overview page provides a summary that identifies:

   • what happened
   • who performed the actions that caused the policy match
   • information about the matched policy
   1. Select the Events tab to view all of the events associated with the alert. The tabs on this page provide information on the:
      • Source content involved
      • Details of the event
      • Classifiers that detected a match
      • File activity details
      • Metadata associated with the event

   Viktig

   None can mean either that the user is not in the scope of an insider risk management policy or that the user has not engaged in any exfiltration activities in up to the past 120 days. Users must be in scope of an insider risk management policy to see the Insider risk severity column.

   1. Select an alert to see the details.
   2. In the Alert details pane, you can select Get a summary from Security Copilot. This causes the Security Copilot to generate a summary of the alert. The alert summary will contain the:
      1. alert severity
      2. alert title
      3. the name of the policy that was matched
      4. the name file involved and a link to the file
      5. alert status
      6. the email address of the user who performed the action that matched the policy
   3. Select the ellipsis in the Security Copilot summary to:
      1. copy the summary to the clipboard
      2. regenerate the summary
      3. open the alert in the Security Copilot standalone experience.

5. Select any Actions you want to take on the file.

6. After you investigate the alert, return to the Overview tab where you can triage and manage the disposition of the alert, add comments, and assign ownership of the alert.

   1. To see the history of workflow management, choose Management log.
   2. After you take the required action for the alert, set the status of the alert to Resolved.

Create a shareable link to an alert event

Users with the appropriate permissions can view Microsoft Purview Data Loss Prevention (DLP) alerts in the DLP Alerts console. However, as alerts are triaged and investigated, you may want to share alert events with users who don't have access to DLP and the alerts console. In preview, you can create a shareable link to an alert event:

1. In the Purview Portal, navigate to Data Loss Prevention, and then select Alerts.
2. Select an alert, and then select View details.
3. On the Alert details screen, select the Events tab just below the alert title to view the events contained in this alert.
4. Select the event you want to share, and then click the Actions button at the bottom of the screen to see the Actions menu.
5. Select Copy event link, and then select Copy to copy the shareable link to the event.
6. Now you can paste the link from your clipboard to share the link via chat, email, or other means.

Other matched conditions

Microsoft Purview supports showing matched conditions in a DLP event to reveal the exact cause for a flagged DLP policy. This information shows up in:

• DLP Alerts console
• Activity explorer
• Microsoft Defender for Business portal

In the Events tab, open Details to see Other matched conditions.

Prerequisites

• Must be running Windows 10 x64 (build 1809 or later) or Windows 11.
  • See March 21, 2023—KB5023773 (OS Builds 19042.2788, 19044.2788, and 19045.2788) Preview for required minimum Windows Operating System builds.
• Matched conditions data is available for valid E3 and E5 license holders.
• Enable Auditing.
• Enable Advanced classification scanning and protection.

Matched events information is supported for these conditions

Condition	Exchange	Sharepoint	Teams	Endpoint
Sender is	Yes	No	Yes	No
Sender domain is	Yes	No	Yes	No
Sender address contains words	Yes	No	No	No
Sender address matches patterns	Yes	No	No	No
Sender is a member of	Yes	No	No	No
Sender IP address is	Yes	No	No	No
Has sender overridden the policy tip	Yes	No	No	No
SenderAdAttribute Contains words	Yes	No	No	No
SenderAdAttribute Matches patterns	Yes	No	No	No
Recipient is	Yes	No	Yes	No
Recipient domain is	Yes	No	Yes	No
Recipient address contains words	Yes	No	No	No
Recipient address matches patterns	Yes	No	No	No
Recipient is a member of	Yes	No	No	No
RecipientAdAttribute Contains words	Yes	No	No	No
RecipientAdAttribute Matches patterns	Yes	No	No	No
Document is password protected	Yes	No	No	No
Document could not be scanned	Yes	No	No	No
Document did not complete scanning	Yes	No	No	No
Document name contains words	Yes	Yes	No	No
Document name matches patterns	Yes	No	No	No
Document property is	Yes	Yes	No	No
Document size over	Yes	Yes	No	No
Document content contains words	Yes	No	No	No
Document content matches patterns	Yes	No	No	No
Document type is	No	No	No	Yes
Document extension is	Yes	Yes	No	Yes
Content is shared from M365	Yes	Yes	Yes	No
Content is received from	Yes	No	No	No
Content character set contains words	Yes	No	No	No
Subject contains words	Yes	No	No	No
Subject matches patterns	Yes	No	No	No
Subject or body contains words	Yes	No	No	No
Subject or body matches patterns	Yes	No	No	No
Header contains words	Yes	No	No	No
Header matches patterns	Yes	No	No	No
Message size over	Yes	No	No	No
Message type is	Yes	No	No	No
Message importance is	Yes	No	No	No

Limitation when downloading emails from within a DLP alert

In general, when using the DLP alert management dashboard, you can download specific emails from within an alert. However, emails that have been deleted in any of the following scenarios can't be downloaded.

Sender	Recipient	Email Status
Internal	External	Deleted by sender
External	Internal	Deleted by recipient
Internal	Internal	Deleted by both parties

Additional Alert investigation tools

• Get started with data loss prevention alerts
• Share data loss prevention alerts (preview)
• Get started with activity explorer
• Learn about Data Security Posture Management (preview)