Forum Discussion

ItsKJ11
Copper Contributor
Jul 23, 2024

Crowdstrike Agent with Microsoft Purview DLP

Could we use CrowdStrike as the main (Active) EDR while also enrolling the same machine into the agent-based Purview DLP? We have currently deployed MDE (passive) through the MDE Portal Onboarding, with RTP (Real-Time Protection) and BM (Behavioral Monitoring) enabled in the policy settings.


While testing policies against user devices, we are unable to generate any alerts that match a rule based on conditions (e.g. PII, CC Data - where a user tries to copy and print sensitive information in a document), and the action based on the rule should be to BLOCK. This is not happening because there seems to be a disconnect from the workstation receiving the policies from Purview.

4 Replies

  • Hi ItsKJ11 

    Thanks for posting your question here. Yes, Endpoint DLP with Microsoft Purview will and does work when you are using CrowdStrike as the primary EDR solution on your devices. As noted, you have Defender in passive mode, however, RealTimeProtection must be ACTIVE on the device. You can confirm this by running Get-MpComputerStatus and making sure it says TRUE.


    Also, the devices must be onboarded to Microsoft Purview as well. Since you onboarded to MDE first, this is just a simple switch. Confirm this has been done by going to Settings > Device Onboarding > and make sure device onboarding has been enabled. Once you do this, if it was not already enabled, it will take a bit for the devices to onboard and start receiving the policies.

    Microsoft Purview DLP – Part 2 – Endpoint DLP – Cloudy Security

    •
      techjunk
      Brass Contributor

      It appears our issue is our CrowdStrike deployment policy disables needed Defender components for DLP functionality. We are digging into this now with our CS administrator. 
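    The checks the reply above describes (Defender in passive mode but with real-time protection enabled, plus device onboarding) can be confirmed in one pass on the workstation. The script below is an added example, not code from the thread or from Microsoft; it assumes an elevated PowerShell session, that Endpoint DLP reuses the MDE onboarding state stored under the `Windows Advanced Threat Protection\Status` registry key, and that the CrowdStrike Falcon sensor service is named `csagent` (the last two are assumptions to verify in your environment).

```powershell
# Added example (not from the thread): prerequisite check for Endpoint DLP on a
# device where CrowdStrike is the active EDR and Defender runs in passive mode.
# Run in an elevated PowerShell session on the workstation being tested.

$status = Get-MpComputerStatus

# Defender can be in passive mode (CrowdStrike owns EDR), but real-time protection
# and behaviour monitoring still need to be enabled for Endpoint DLP enforcement.
$checks = [ordered]@{
    'AM service running (AMServiceEnabled)'             = $status.AMServiceEnabled
    'Real-time protection (RealTimeProtectionEnabled)'  = $status.RealTimeProtectionEnabled
    'Behaviour monitoring (BehaviorMonitorEnabled)'     = $status.BehaviorMonitorEnabled
}

"Defender running mode : $($status.AMRunningMode)"   # 'Passive Mode' is expected next to a third-party EDR
"Antispyware enabled   : $($status.AntispywareEnabled)"

# Onboarding: Endpoint DLP reuses the MDE (Sense) onboarding. OnboardingState = 1 means onboarded.
# Assumption: registry location as used by the MDE onboarding package.
$onboardKey   = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$onboardState = (Get-ItemProperty -Path $onboardKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
$checks['Onboarded to MDE/Purview (OnboardingState = 1)'] = ($onboardState -eq 1)

$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
$checks['Sense service running'] = [bool]($sense -and $sense.Status -eq 'Running')

# Confirm the third-party EDR really is the active one.
# Assumption: the CrowdStrike Falcon sensor service is named 'csagent'.
$cs = Get-Service -Name csagent -ErrorAction SilentlyContinue
$checks['CrowdStrike csagent service running'] = [bool]($cs -and $cs.Status -eq 'Running')

$failed = @()
foreach ($name in $checks.Keys) {
    $ok = [bool]$checks[$name]
    '{0,-55} {1}' -f $name, $(if ($ok) { 'OK' } else { 'FAIL' })
    if (-not $ok) { $failed += $name }
}
if ($failed.Count -gt 0) {
    Write-Warning "Endpoint DLP prerequisites not met: $($failed -join '; ')"
}
```

    If RealTimeProtectionEnabled or BehaviorMonitorEnabled comes back False while csagent is running, look at the CrowdStrike deployment policy first: as techjunk notes, a sensor policy that disables those Defender components will stop Purview policies from being enforced even though the device looks onboarded.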

  • If you connect CrowdStrike to Microsoft Sentinel you have the ability to create custom detections with Microsoft's connected services like Purview and Entra, and with that trigger flows. For instance, if a risky device exfiltrates content.

  •
    techjunk
    Brass Contributor

    Did you ever get any feedback on this issue? We are testing Purview and see the same issue with endpoint DLP policies. 

    At this point we have an open ticket with Microsoft and just waiting for useful information. 

    Thanks
