Investigate data loss prevention alerts with Microsoft Sentinel

Applies to:

• Microsoft Defender XDR
• Microsoft Sentinel

Before you start

See, Investigate data loss prevention alerts with Microsoft Defender XDR for more details.

DLP investigation experience in Microsoft Sentinel

You can use the Microsoft Defender XDR connector in Microsoft Sentinel to import all DLP incidents into Sentinel to extend your correlation, detection, and investigation across other data sources and extend your automated orchestration flows using Sentinel's native SOAR capabilities.

1. Follow instructions on Connect data from Microsoft Defender XDR to Microsoft Sentinel to import all incidents including DLP incidents and alerts into Sentinel. Enable CloudAppEvents event connector to pull all Office 365 audit logs into Sentinel.

   You should be able to see your DLP incidents in Sentinel once the above connector is set up.

2. Select Alerts to view the alert page.

3. You can use AlertType, startTime, and endTime to query the CloudAppEvents table to get all the user activities that contributed to the alert. Use this query to identify the underlying activities:

Kusto

let Alert = SecurityAlert
| where TimeGenerated > ago(30d)
| where SystemAlertId == ""; // insert the systemAlertID here
CloudAppEvents
| extend correlationId1 = parse_json(tostring(RawEventData.Data)).cid
| extend correlationId = tostring(correlationId1)
| join kind=inner Alert on $left.correlationId == $right.AlertType
| where RawEventData.CreationTime > StartTime and RawEventData.CreationTime < EndTime

Related articles

• Incidents overview
• Prioritize incidents
• Manage incidents

เคล็ดลับ

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.