Forum Discussion

chagedorn
Brass Contributor
Oct 24, 2024

Purview DLP Override Email Notification for Admins

We know that our admins can go into the alerts in Purview and see if a user has chosen to override a DLP policy, but is there a way to set up email notification to individuals when a user clicks Override in the policy tip and chooses to override the block? So, in the attached "Override window.png" file, once they click the Override button, security admins are alerted via email immediately?

  • Alikoc
    Brass Contributor
    Hi,
    It is possible to set up email notifications for administrators when a user overrides a DLP policy in Microsoft Purview.
    To do this, go to the Microsoft Purview Compliance Center and select Data Loss Prevention (DLP) from the Solutions section on the left-hand side. In the DLP section, navigate to Alerts (or directly to Alert Policies). If there isn’t already an alert policy for DLP overrides, click + Create Alert Policy to define a new one.

    In this step, name the alert policy (for example, "DLP Override Notifications") and set the category as Data Loss Prevention. Choose a severity level (e.g., High, Medium) depending on how critical the override action is for your organization, and define the users or groups to which the policy should apply. For the activity, specify that the alert should trigger when users override DLP policy tips, ensuring that the action is set to Override. In the Notification Recipients section, enter the email addresses of the individuals or groups (such as security admins) who should receive email alerts whenever a user overrides a DLP policy.

    Next, configure the notification frequency, and for real-time alerts, select the "Notify immediately" option. After configuring all the details, save the alert policy. From this point on, whenever a user chooses to override a DLP block, the specified admins will receive an email notification with the event details.

    Best Regards,
    Ali Koc
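The same setup from Security & Compliance PowerShell, as an added example that is not part of Ali Koc's answer or anything Microsoft ships with the thread. It assumes the `Connect-IPPSSession` module is installed, that `secadmin@contoso.com` is a placeholder recipient, and that the tenant logs DLP events into the `ComplianceDLPExchange` record type. The alert policy uses the `DlpRuleMatch` operation, which is the activity chagedorn reports seeing in the portal; the audit-log query at the end is there so you can check what your own tenant actually records when a user overrides (the `DlpRuleUndo` operation name and the `ExceptionInfo` field used in the filter are assumptions to verify against that output).

```powershell
# Added example (not from the thread). Requires the ExchangeOnlineManagement
# module and a role that can manage alert policies and read the audit log.
Connect-IPPSSession

# 1. Alert policy for DLP rule matches.
#    AggregationType None means one notification per event (the "Notify
#    immediately" behaviour described above), not a batched summary.
$recipient = "secadmin@contoso.com"   # placeholder recipient
New-ProtectionAlert -Name "DLP policy match - immediate" `
    -Category DataLossPrevention `
    -ThreatType Activity `
    -Operation DlpRuleMatch `
    -AggregationType None `
    -Severity High `
    -NotifyUser $recipient `
    -Description "Emails $recipient on every DLP rule match"

# 2. Verify how overrides appear in this tenant's audit log before relying on
#    the policy: pull the last 7 days of Exchange DLP records and summarise
#    the Operation values that were written.
$start  = (Get-Date).AddDays(-7)
$end    = Get-Date
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType ComplianceDLPExchange -ResultSize 1000

$parsed = $events | ForEach-Object { $_.AuditData | ConvertFrom-Json }
$parsed | Group-Object Operation | Select-Object Name, Count

# 3. Assumption: user overrides are logged as DlpRuleUndo with an
#    ExceptionInfo block carrying the justification. Adjust the property
#    names to whatever step 2 shows for your tenant.
$parsed |
    Where-Object { $_.Operation -eq "DlpRuleUndo" } |
    Select-Object CreationTime, UserId,
        @{ n = "Justification"; e = { $_.ExceptionInfo.Justification } }
```

If step 2 shows a distinct override operation in your tenant, a second `New-ProtectionAlert` with `-Operation` set to that value (rather than `DlpRuleMatch`) is the direct answer to the original question; if it does not, the `DlpRuleMatch` policy plus the audit-log query above is the closest you can get without waiting for the portal to expose an override activity.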
    • chagedorn
      Brass Contributor
      Thank you so much for the thorough explanation. If I go to Purview > Solution > DLP > Alerts, all I see are alert results with a time range and the option to Export.
      If I go to Purview > Solutions > DLP > Policies, I can click "Create policy", but this is obviously just a new DLP policy, not an Alert policy.
      Now if I click Alerts from the top navigation and get redirected to Defender, this is where I see "New Alert Policy". However, when I create a new alert there, I do not see an activity for override. The closest activity I can find is "DLP policy match", and if I choose that, I can't get to a point where I can find a subcategory or action for a user overriding the policy.
      Do you see an override action in your "Activity is..." dropdown menu?