Blog Post

Microsoft Security Community Blog
4 MIN READ

Advanced Incident Management for Office and Endpoint DLP using Azure Sentinel

Jon_Nordstrom's avatar
Jon_Nordstrom
Icon for Microsoft rankMicrosoft
Oct 26, 2020
A common question we get from organizations that use Microsoft Information Protection is, how can we receive a single pane of glass across not only DLP and other information protection events but cor...
Updated Nov 03, 2021
Version 5.0
data loss prevention
microsoft 365
microsoft sentinel
Jon_Nordstrom's avatar
Jon_Nordstrom
Icon for Microsoft rankMicrosoft
Oct 28, 2020

Hi Peter, I love your question.  The benefit with placing it in SPO is that the content is fully audited. You can quickly run a query on OfficeActivity in Sentinel to return access down to item level.  In the case of a DSR's you know where the DLP data is stored for AeD, which may be harder for PST. Optionally you can also apply Sensitivity labels, retention labels or extend with additional metadata to the content. The logic app can also be used to set permissions to items being stored. Generally ensure that all external sharing capabilities etc... are disabled for the site collection. Restrict permissions to the site collectionrequire MFA etc...

Most privacy regulations comes down to transparency and proportionality when it comes to DLP (I know over simplified). This approach provides transparency, the decision if collecting content on detection is more on the proportionality side and is fully controlled by your team. A really good and important subject that we are taking in to consideration for our product planning. 

 

Thank you