Forum Discussion

VAloine
Copper Contributor
Nov 28, 2024

DLP rule to monitor bulk export or downloads

Is there a way to create a DLP rule in Purview to trigger when bulk documents are being downloaded or exported?

  • Joseph-Berbary
    Copper Contributor

    I believe your requirements can be addressed using Insider Risk Management, specifically through the Data Leaks policy. You can configure triggering events, such as "downloading files from a SharePoint Online site" exceeding a certain threshold or uploading files to the web. This setup will generate an Insider Risk Management alert, enabling the system to monitor the flagged user's activity over a defined past and future period for the specific indicators you select.

  • What you can also do is configure an alert rule per DLP policy that, for instance, triggers an incident when more than X files have been exported. My favorite is also to combine this with Entra and Defender to see if we have risky users/devices that exfiltrate content. This can be done with custom KQL based on a combination of DLP/MIP, Entra and Defender data.
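The kind of combined query the reply above describes, as an added example that is not part of the thread: it counts SharePoint Online / OneDrive for Business file downloads per user in Defender XDR Advanced Hunting and joins the result with Entra ID sign-in risk for the same accounts. The `CloudAppEvents` and `AADSignInEventsBeta` tables and the columns used are standard Advanced Hunting schema; the 100-files-per-hour threshold and the 7-day lookback are assumptions for illustration and should be tuned to your tenant's baseline.

```kusto
// Added example, not from the original thread. Threshold and window are
// assumptions; tune them to normal download volume in your tenant.
let threshold = 100;
let window = 1h;
let lookback = 7d;
// Step 1: bulk downloads per user per hourly bin from SharePoint/OneDrive.
// CloudAppEvents requires the Office 365 connector in Defender for Cloud Apps.
let bulkDownloads =
    CloudAppEvents
    | where Timestamp > ago(lookback)
    | where Application in ("Microsoft SharePoint Online", "Microsoft OneDrive for Business")
    | where ActionType in ("FileDownloaded", "FileSyncDownloadedFull")
    | summarize
        FileCount = dcount(ObjectName),
        SourceIPs = make_set(IPAddress, 10),
        FirstSeen = min(Timestamp),
        LastSeen  = max(Timestamp)
        by AccountObjectId, AccountDisplayName, TimeBin = bin(Timestamp, window)
    | where FileCount > threshold;
// Step 2: Entra ID sign-in risk for the same accounts.
// RiskLevelDuringSignIn is an integer: 0 none, 10 low, 50 medium, 100 high.
let riskySignIns =
    AADSignInEventsBeta
    | where Timestamp > ago(lookback)
    | where RiskLevelDuringSignIn >= 50
    | summarize
        MaxSignInRisk = max(RiskLevelDuringSignIn),
        RiskySignInCount = count()
        by AccountObjectId;
// Step 3: keep every bulk-download burst, enrich with risk where it exists,
// and rank risky accounts first so they are triaged before the rest.
bulkDownloads
| join kind=leftouter riskySignIns on AccountObjectId
| extend MaxSignInRisk = coalesce(MaxSignInRisk, 0),
         RiskySignInCount = coalesce(RiskySignInCount, 0)
| project TimeBin, AccountDisplayName, AccountObjectId, FileCount,
          SourceIPs, FirstSeen, LastSeen, MaxSignInRisk, RiskySignInCount
| order by MaxSignInRisk desc, FileCount desc
```

This query can be saved as a custom detection rule in Defender XDR so that each burst above the threshold creates an alert with the account as an entity; it complements, rather than replaces, an Insider Risk Management data-leaks policy, which adds the forward-looking monitoring window that a point-in-time query does not.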
