Forum Discussion
DLP rule to monitor bulk export or downloads
Is there a way to create a DLP rule in Purview to trigger when bulk documents are being downloaded or exported?
I believe your requirements can be addressed using Insider Risk Management, specifically through the Data Leaks policy. You can configure triggering events, such as "downloading files from a SharePoint Online site" exceeding a certain threshold or uploading files to the web. This setup will generate an Insider Risk Management alert, enabling the system to monitor the flagged user's activity over a defined past and future period for the specific indicators you select.
- Joseph-Berbary (Copper Contributor)
What you can also do is configure an alert rule per DLP policy that, for instance, triggers an incident when more than X files have been exported. My favorite is also to combine this with Entra and Defender to see if we have risky users/devices that exfiltrate content. This can be done with custom KQL based on a combination of DLP/MIP, Entra and Defender.
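One way to express the combination the reply describes, as an added example that is not from the post or from Microsoft: a Defender XDR advanced hunting query that counts SharePoint/OneDrive downloads per user per hour, then joins Entra ID sign-in risk and directory context so that "bulk download by a risky account" ranks highest. Table and column names are assumed to match the current advanced hunting schema; the threshold, time window and numeric risk-level encoding are assumptions to validate against your own tenant's baseline.

```kql
// Added example, not from the post. Assumes the Defender XDR advanced hunting
// schema (CloudAppEvents, AADSignInEventsBeta, IdentityInfo) and that SharePoint /
// OneDrive downloads arrive as ActionType "FileDownloaded". Threshold, window and
// the numeric risk-level encoding are assumptions to check in your tenant.
let window = 1h;          // bucket size for the "bulk" count
let threshold = 50;       // the "X number of files" from the reply; tune to baseline
let lookback = 1d;
// 1. Users whose distinct downloads in any 1h bucket exceed the threshold
let bulkDownloads = CloudAppEvents
    | where Timestamp > ago(lookback)
    | where Application in ("Microsoft SharePoint Online", "Microsoft OneDrive for Business")
    | where ActionType == "FileDownloaded"
    | summarize FilesDownloaded = dcount(ObjectName),
                SourceIPs = make_set(IPAddress, 5),
                FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
                ReportId = take_any(ReportId)   // kept so the query can become a custom detection
      by AccountObjectId, AccountDisplayName, Bucket = bin(Timestamp, window)
    | where FilesDownloaded > threshold;
// 2. Entra ID sign-in risk for the same accounts in the same lookback
let riskySignIns = AADSignInEventsBeta
    | where Timestamp > ago(lookback)
    | where RiskLevelDuringSignIn >= 50   // assumed encoding: 50 = medium, 100 = high
    | summarize MaxSignInRisk = max(RiskLevelDuringSignIn), RiskyIPs = make_set(IPAddress, 5)
      by AccountObjectId;
// 3. Join and rank: bulk download plus risky sign-in is the case worth an incident
bulkDownloads
| join kind=leftouter riskySignIns on AccountObjectId
| project-away AccountObjectId1
| join kind=leftouter (
      IdentityInfo
      | summarize arg_max(Timestamp, AccountUpn, Department, JobTitle) by AccountObjectId
      | project-away Timestamp
  ) on AccountObjectId
| extend Score = case(
      isnotnull(MaxSignInRisk), 3,          // bulk download from a risky account
      FilesDownloaded > threshold * 4, 2,   // very large volume, no sign-in risk seen
      1)                                    // over threshold only: review, not incident
| project Timestamp = LastSeen, ReportId, AccountObjectId, AccountUpn, AccountDisplayName,
          Department, JobTitle, Bucket, FilesDownloaded, SourceIPs,
          MaxSignInRisk, RiskyIPs, Score
| order by Score desc, FilesDownloaded desc
```

Saved as a custom detection rule, the Timestamp, ReportId and AccountObjectId columns let Defender raise the alert on the user entity; the DLP/MIP side is covered by the per-policy alert thresholds the reply mentions, and the two can be correlated in the same incident.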