Forum Discussion
Unknown DLP Policies Triggering IRM Alerts
Two unknown DLP policies are triggering high severity IRM alerts, and these policies are not showing in our DLP policy list.
The policy names are:
- FileCopiedToRemovableMedia (Preview)
- FileUploadedToCloud (Preview)
Additionally, there are no associated events in Activity Explorer. These alerts are causing confusion with our Security operations because they result in Sentinel incidents.
3 Replies
- GökselATAKAN (Copper Contributor)
Could you please check if this setting is turned ON in your tenant? If so, that’s most likely what’s generating those alerts.
You can find it here:
Microsoft Purview → Data Loss Prevention → Endpoint DLP Settings → “Always audit file activity for devices”
If you don’t want to see these alerts, you can either:
- Turn off Always audit file activity for devices, or
- Scope Endpoint DLP to specific device groups instead of “All devices”
- SnailyTech (Copper Contributor)
Hello DrSardonicus,
If not under DLP,
I think these could be policies under Purview --> Insider Risk Management --> Policies
Another option, look under Purview --> Communication Compliance --> Policies
- DrSardonicus (Copper Contributor)
GökselATAKAN SnailyTech Thank you very much for your replies. Neither of these recommendations applied in our case. Turns out, the PG is testing some new default (Preview) DLP policies, and these policies were triggering our IRM policies, although the Preview DLP policies cannot be viewed or modified. We have since learned that the PG is removing them from our tenancy (and hopefully others, as well).