Organizations across the world want to efficiently investigate and remediate data loss prevention incidents across all locations in their digital estate. This blog provides guidance for choosing the best investigation experience suited for your organization when using Microsoft Purview Data Loss Prevention.
As an analyst or investigator, you can perform exhaustive DLP investigations in both the Microsoft 365 Defender portal and Microsoft Sentinel. Sentinel additionally provides built-in and custom capabilities that can be tailored to more advanced scenarios.
Key benefits of Microsoft 365 Defender:
Key benefits of Microsoft Sentinel:
Select the solution that meets your needs. The table below compares the capabilities available in each.
| | Microsoft 365 Defender | Microsoft Sentinel |
|---|---|---|
| Triaging | Immediately start triaging incidents and use tags, comments, and other features to structure your incident management. Use the Incidents page in the Microsoft Defender portal to manage your DLP alerts. | Use the Microsoft 365 Defender connector in Microsoft Sentinel to pull DLP incidents into Sentinel for DLP investigations. The triaging experience can be extended by ingesting additional data and displaying it as part of the investigation; for example, logs from an interception proxy can be shown inline. |
| Investigation | | |
| Correlation | Immediately start triaging DLP incidents with correlation of Defender alerts. | Custom Azure Sentinel analytics rules let you correlate DLP incidents with third-party systems. |
| Incident updates and tracking | Alerts are grouped into incidents. | Supports tagging, status, classifications, comments, and multi-select on filters for bulk updates; rules can stamp tags, update status, severity and owner, and call playbooks at various stages. Alerts are grouped into incidents. |
| Remediation Actions | Immediately start using the built-in actions. | Sentinel can be extended with automation actions on top of incidents and allows a high degree of customization. Actions that run can update the incident on completion. Integration with other systems is done via Logic Apps, which support many providers (see Connector reference overview on Microsoft Learn). Examples of ready-made playbooks can be found in the Azure-Sentinel/Playbooks folder of the Azure/Azure-Sentinel GitHub repository. |
| Reporting | | |
| Retention of Incidents | 6 months | 2 years built-in support, archive up to 7 years (see Configure data retention and archive in Azure Monitor Logs (Preview) - Azure Monitor, Microsoft Lea...) |
Microsoft Purview DLP provides several approaches to triaging and responding to DLP incidents. In this guide we have covered the Microsoft-recommended unified incident queue in the Microsoft 365 Defender portal for DLP investigations, as well as the key considerations when choosing the right tool for your needs. Work with your analyst or SOC team to tune the way you handle and investigate DLP incidents.
Get started with the following articles about data loss prevention investigation: