Forum Discussion
DLP rule to monitor bulk export or downloads
Is there a way to create a DLP rule in Purview that triggers when documents are being downloaded or exported in bulk?
2 Replies
What you can also do is configure an alert rule per DLP policy that, for instance, triggers an incident when more than X files have been exported. My favourite is also to combine this with Entra and Defender to see if we have risky users/devices that exfiltrate content. This can be done with custom KQL based on a combination of DLP/MIP, Entra and Defender.
- Joseph-Berbary, Brass Contributor
I believe your requirements can be addressed using Insider Risk Management, specifically through the Data Leaks policy. You can configure triggering events, such as "downloading files from a SharePoint Online site" exceeding a certain threshold or uploading files to the web. This setup will generate an Insider Risk Management alert, enabling the system to monitor the flagged user's activity over a defined past and future period for the specific indicators you select.
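The correlation described in the reply that suggests combining DLP/MIP activity with Entra and Defender signals, written as a Defender XDR Advanced Hunting query. This is an added example, not code posted in the thread. It assumes the tenant feeds Office 365 activity into Defender for Cloud Apps (so that SharePoint/OneDrive downloads land in CloudAppEvents) and has Entra ID Protection (so that sign-in risk lands in AADSignInEventsBeta); the 50-file threshold, the 1-hour window, the 8-hour look-back to the risky sign-in and the numeric risk-level encoding are assumptions to tune per tenant.

```kusto
// Added example, not from the thread. Flags users who downloaded many distinct
// files from SharePoint Online / OneDrive for Business within one window and who
// also had a medium- or high-risk Entra ID sign-in shortly before or during it.
let lookback  = 1d;
let window    = 1h;
let threshold = 50;   // distinct files per user per window (assumed tuning value)
let bulk_downloads =
    CloudAppEvents
    | where Timestamp > ago(lookback)
    | where Application has_any ("SharePoint", "OneDrive")
    // FileDownloaded = browser/API download; FileSyncDownloadedFull = OneDrive sync client
    | where ActionType in ("FileDownloaded", "FileSyncDownloadedFull")
    | summarize
        Files         = dcount(ObjectName),
        Events        = count(),
        FirstDownload = min(Timestamp),
        LastDownload  = max(Timestamp),
        SourceIPs     = make_set(IPAddress, 10)
        by AccountObjectId, AccountDisplayName, Window = bin(Timestamp, window)
    | where Files >= threshold;
let risky_signins =
    AADSignInEventsBeta
    | where Timestamp > ago(lookback)
    // Assumption: risk levels are encoded as 0 none, 10 low, 50 medium, 100 high
    | where RiskLevelDuringSignIn >= 50 or RiskLevelAggregated >= 50
    | project AccountObjectId, RiskySignIn = Timestamp, RiskLevelDuringSignIn,
              RiskLevelAggregated, RiskState, RiskDetail, SignInIP = IPAddress,
              DeviceName, IsManaged, IsCompliant;
bulk_downloads
| join kind=inner risky_signins on AccountObjectId
// keep only risky sign-ins from up to 8h before the burst until its last download
| where RiskySignIn between ((FirstDownload - 8h) .. LastDownload)
| project Window, AccountDisplayName, AccountObjectId, Files, Events,
          FirstDownload, LastDownload, SourceIPs,
          RiskySignIn, RiskLevelDuringSignIn, RiskLevelAggregated, RiskState, RiskDetail,
          SignInIP, DeviceName, IsManaged, IsCompliant
| order by Files desc
```

Run it in the Advanced Hunting blade of the Defender portal; once the threshold and window produce an acceptable volume of hits, the same query can be saved as a custom detection rule so that each match raises an alert rather than requiring a manual hunt. Raising the threshold, or dropping the risky sign-in join, turns it back into a plain bulk-download detector.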