This blog post is the second part in a multi-part series. In Part 1 we covered correlation analytics, naming conventions, and incidents. This post focuses on the analysis of alerts and events.
Alerts Overview
Like incidents, alerts provide comprehensive information such as severity, status, and category to help users understand and navigate efficiently. In addition to these standard details, the alert view also displays the correlation reason, which is particularly beneficial for security analysts and administrators. The correlation reason explains why an alert is linked to a particular incident or to other alerts, helping users trace how different pieces of suspicious activity are connected. By understanding the correlation reason, users can better assess the scope and impact of security issues, streamline investigations, and take more effective remediation actions, ultimately improving the overall security posture of the organisation.
Figure 1: DLP alert filter
Alert Details
The details page is divided into two sections.
The section on the left presents information regarding Impacted Users and Devices (for Endpoints), including details such as the alert story, policy description, matched sensitive information, and its count. It also displays related events with detection time and location (such as Exchange or Endpoint).
Figure 2: Alert details page
The right pane lets you view alert status and details, manage the alert, or move it to another incident. It shows evidence (entity details such as IP, user, and device), policy information, incident details, and correlation reasons, plus alert comments, history, and a timeline.
Figure 3: Alert details right pane
Event Details
Now that we understand incidents and alerts, let's review events. Events offer detailed information about activity. Below is a brief description of each section for reference.
Figure 4: Event details sections
Details
Event Details
- Event ID: A unique identifier assigned to each event. It can be used to associate the event with corresponding DLP rule match activity within the Activity Explorer.
- Location: Specifies where the activity occurred, such as Exchange, Devices, etc.
- Time of Activity: Indicates the exact time at which the event took place.
Impacted Entities:
- Hostname: The name of the device where the DLP event occurred.
- IP Address: The IP address of the device or client involved in the event.
- Application: The app or service used during the event (e.g., Edge, Outlook, Teams).
- File Name: The name of the file involved in the DLP violation.
- File Path: The full directory path where the file was located or accessed.
- File Extension: The file type suffix (e.g., .docx, .pdf) indicating format.
- Sha1: A SHA-1 hash value used to uniquely identify the file.
- Sha256: A SHA-256 hash value offering stronger file identification.
- File Type: The type of the file (e.g., document, spreadsheet, image).
- File Size: The size of the file in bytes or megabytes.
- RMS Encrypted: Indicates whether the file is protected using Rights Management Services.
- MDATP Device ID: A unique identifier for the device from Microsoft Defender for Endpoint.
- Client Country: The geographic location of the client device based on IP.
- Client IP Location: More granular geolocation data derived from the client IP address.
- Target Domain: The destination domain involved in the data transfer (e.g., external email or cloud service).
- Evidence File: A copy or reference to the file that triggered the DLP event, used for investigation.
- Hunt & Monitor:
  - Hunt All Sensitive Content Activity by Device: Displays all sensitive data interactions per device, useful for device-level threat hunting.
  - Activity by User: Shows user-specific actions involving sensitive content, helping identify insider risks.
  - DLP Violations for Last 30 Days: Summarizes all DLP policy violations over the past month for trend analysis and compliance tracking.
User & Role Info: Displays the user detail and the role assigned to the user.
Policy Details:
- DLP Policy Matched: The specific DLP policy that was triggered by the event, based on organizational data protection rules.
- Rule Matched: The exact rule within the DLP policy that was violated (e.g., sharing sensitive data externally).
- Sensitive Info Types Detected: Lists predefined or custom sensitive information types (e.g., credit card numbers, health records) found in the content. You can click on the SIT to view more information such as count by confidence levels, matched content and surrounding text.
- Trainable Classifiers Detected: Lists AI-based classifiers that identify sensitive content based on context and user behavior (e.g., source code, resumes).
- Violating Action: The user action that caused the violation (e.g., copy to USB, email to external domain, print, upload to cloud).
- Enforcement Mode: Indicates whether the policy is in audit, block/warn, or override/warn & bypass mode, which defines how the system responds to violations.
- Override Justification Text: If a user overrides a policy block, this field captures their justification or reason.
- Sensitive Information Type: A more detailed view of the specific sensitive data detected (e.g., “India Aadhaar Number”, “EU Passport Number”).
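The Hunt & Monitor links above summarise DLP events per device, per user and over a 30-day window, and the Sha1/Sha256 fields in Impacted Entities let an analyst confirm that a downloaded evidence file is the one the event recorded. The script below is an added example, not code from the original post or from Microsoft Purview; it runs the same summaries over a handful of constructed event records whose field names follow the Event Details view. The timestamps, hostnames, users, evidence bytes and policy names are all constructed, and the "shared file hash" grouping is a deliberately simple stand-in for the richer correlation reasons the portal shows.

```python
import hashlib
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Assumed "current time" so the 30-day window is deterministic (constructed, not real).
NOW = datetime(2024, 6, 30, 12, 0, tzinfo=timezone.utc)

# Constructed evidence-file contents; the Sha256 in each event is derived from these bytes.
EVIDENCE = {
    "quarterly.xlsx": b"Card 4111111111111111 expires 12/27\n",
    "resume.docx": b"Candidate CV, ID 0000 1111 2222\n",
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a file's bytes, as shown in the Impacted Entities section."""
    return hashlib.sha256(data).hexdigest()


# Constructed DLP events; keys mirror the Event Details fields described in the post.
SAMPLE_EVENTS = [
    {"EventId": "evt-001", "Location": "Endpoint", "Time": NOW - timedelta(days=1),
     "Hostname": "LAPTOP-01", "User": "alice", "FileName": "quarterly.xlsx",
     "Sha256": sha256_hex(EVIDENCE["quarterly.xlsx"]),
     "DlpPolicyMatched": "Financial Data", "ViolatingAction": "copy to USB"},
    {"EventId": "evt-002", "Location": "Exchange", "Time": NOW - timedelta(days=3),
     "Hostname": "LAPTOP-01", "User": "alice", "FileName": "quarterly.xlsx",
     "Sha256": sha256_hex(EVIDENCE["quarterly.xlsx"]),
     "DlpPolicyMatched": "Financial Data", "ViolatingAction": "email to external domain"},
    {"EventId": "evt-003", "Location": "Endpoint", "Time": NOW - timedelta(days=10),
     "Hostname": "DESKTOP-07", "User": "bob", "FileName": "resume.docx",
     "Sha256": sha256_hex(EVIDENCE["resume.docx"]),
     "DlpPolicyMatched": "HR Data", "ViolatingAction": "upload to cloud"},
    {"EventId": "evt-004", "Location": "Endpoint", "Time": NOW - timedelta(days=45),
     "Hostname": "DESKTOP-07", "User": "bob", "FileName": "resume.docx",
     "Sha256": sha256_hex(EVIDENCE["resume.docx"]),
     "DlpPolicyMatched": "HR Data", "ViolatingAction": "print"},
]


def evidence_matches(event: dict, data: bytes) -> bool:
    """Confirm that the evidence file in hand is the one the event recorded by
    comparing its SHA-256 with the event's Sha256 field."""
    return sha256_hex(data) == event["Sha256"]


def activity_by_device(events) -> Counter:
    """Count sensitive-content events per device (Hunt ... by Device)."""
    return Counter(e["Hostname"] for e in events)


def activity_by_user(events) -> Counter:
    """Count sensitive-content events per user (Activity by User)."""
    return Counter(e["User"] for e in events)


def violations_last_30_days(events, now: datetime = NOW) -> list:
    """Event IDs whose Time of Activity falls within the last 30 days."""
    cutoff = now - timedelta(days=30)
    return sorted(e["EventId"] for e in events if e["Time"] >= cutoff)


def correlate_by_hash(events) -> dict:
    """Group events that involve identical file content. A shared hash across
    locations (here Endpoint and Exchange) is one simple correlation reason."""
    groups = defaultdict(list)
    for e in events:
        groups[e["Sha256"]].append(e["EventId"])
    return {h: ids for h, ids in groups.items() if len(ids) > 1}


if __name__ == "__main__":
    print("By device:", activity_by_device(SAMPLE_EVENTS))
    print("By user:", activity_by_user(SAMPLE_EVENTS))
    print("Last 30 days:", violations_last_30_days(SAMPLE_EVENTS))
    print("Shared files:", correlate_by_hash(SAMPLE_EVENTS))
    print("Evidence ok:", evidence_matches(SAMPLE_EVENTS[0], EVIDENCE["quarterly.xlsx"]))
```

Note that evt-004 is older than 30 days and so drops out of the trend summary but still counts toward the per-device and per-user totals, and that the hash check fails as soon as a single byte of the evidence differs, which is why an analyst should compare the Sha256 field before drawing conclusions from a downloaded file.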
Source
This tab enables users to preview content intended for exfiltration, including files or emails. The Actions tab allows authorised users to download the specified content.
Note: Previewing or downloading content requires that the administrator or analyst possesses the appropriate role permissions.
Sensitive Info Types
Lists predefined or custom sensitive information types found in the content with matched content and surrounding text info.
Trainable Classifiers
Lists Trainable Classifiers and their details.
Metadata
Provides the detailed metadata in plain text format.
Hope this helps!