Forum Discussion

DrSardonicus
Copper Contributor
Oct 27, 2025

Unknown DLP Policies Triggering IRM Alerts

Two unknown DLP policies are triggering high severity IRM alerts, and these policies are not showing in our DLP policy list.

The policy names are:

  • FileCopiedToRemovableMedia (Preview)
  • FileUploadedToCloud (Preview)

Additionally, there are no associated events in Activity Explorer. These alerts are causing confusion with our Security operations because they result in Sentinel incidents.

2 Replies

  • GökselATAKAN
    Copper Contributor

    Could you please check if this setting is turned ON in your tenant? If so, that’s most likely what’s generating those alerts.

    You can find it here:
    Microsoft Purview → Data Loss Prevention → Endpoint DLP Settings → “Always audit file activity for devices”

    If you don’t want to see these alerts, you can either:

    • Turn off Always audit file activity for devices, or
    • Scope Endpoint DLP to specific device groups instead of “All devices”
  • SnailyTech
    Copper Contributor

    Hello DrSardonicus,

    If not under DLP, I think these could be policies under Purview --> Insider Risk Management --> Policies.

    Another option: look under Purview --> Communication Compliance --> Policies.
