Customers rely on Microsoft Data Loss Prevention (DLP) to enforce policies that identify and prevent risky or inappropriate sharing, transfer or use of sensitive information across cloud, on-premises and endpoints. Alerts, which can be configured as part of the DLP policy authoring experience, are an effective way for customers to be notified whenever a DLP policy is violated.
Microsoft announces the General Availability of the Microsoft Data Loss Prevention Alerts Dashboard. This latest addition to Microsoft’s data loss prevention solution gives customers the ability to holistically investigate DLP policy violations across:
- On-premises file shares
Advanced alert configuration options are available in the existing DLP policy configuration flow. These give eligible DLP customers the ability to tailor how they organize DLP policy alerts, along with the exhaustive information they need to investigate and address DLP policy violations quickly. Historical workflow information for alerts is available in the Management log.
The alerts dashboard provides a list view of all DLP alerts; clicking on an alert displays the relevant details.
Figure 1: Data Loss Prevention Alerts Dashboard
Clicking on ‘View Details’ displays the alert page with exhaustive information associated with the DLP policy violation, along with the ability to change the alert status (Active, Investigating, Dismissed or Resolved), add comments, and define workflow actions such as assigning alerts to individuals for follow-up.
Figure 2: Alert details with manage alert options
Clicking on the ‘Events’ tab displays the actual user activity along with details including:
Source view (requires E5 or related subscriptions): This allows customers to view the email or the file involved in the DLP policy alert. Source view in the DLP Alerts Dashboard will be available for content (email/files) belonging to the following workloads:
- Exchange (email body only)
This feature is available only for licenses in the following subscriptions:
- Microsoft 365 (E5)
- Office 365 (E5)
- Advanced Compliance (E5) add-on
- Microsoft 365 E5/A5 Info Protection & Governance
- Microsoft 365 E5/A5 Compliance
Matched sensitive terms and context: This allows customers to view the sensitive terms in the content that caused the DLP policy violation. You will also be able to view up to 300 characters surrounding the detected sensitive term. This information will be available for detections in the following workloads:
- Exchange (both email body and attachments)
Both features, Source view and Matched sensitive terms and context, require that the role group “Content Explorer Content Viewer” be assigned. This role group has the role “data classification content viewer” pre-assigned.
Figure 3: Exhaustive metadata for each user event
Figure 4: View the content of the email (body) or file
Figure 5: View matched sensitive terms and surrounding characters
Microsoft’s DLP solution is part of a broader set of Information Protection and Governance solutions that are part of the Microsoft 365 Compliance Suite. You can sign up for a trial of Microsoft 365 E5 or navigate to the Microsoft 365 compliance center to get started today.
For more information on DLP Alerts Management, please see this and this.
For more information on Data Loss Prevention, please see this.