Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
Guidance for investigating Microsoft Purview Data Loss Prevention incidents
Published Feb 06 2023 09:00 AM 8,141 Views

Organizations across the world want to efficiently investigate and remediate data loss prevention incidents across all locations in their digital estate. This blog provides guidance for choosing the best investigation experience suited for your organization when using Microsoft Purview Data Loss Prevention.


Recommended guidance

  1. Microsoft Purview Data Loss Prevention (DLP) team recommends using the Microsoft 365 Defender experience for DLP alert investigations. You can learn more here: Investigate data loss incidents with Microsoft 365 Defender | Microsoft Docs
  2. If you are currently using the Microsoft Purview compliance portal for DLP investigations, we recommend investigating DLP in the Microsoft 365 Defender incident queue for an enhanced experience.
  3. For advanced incident management needs such as reporting and automated workflows Sentinel can be used. This will however require custom expertise to create playbooks and custom reports.

As an analyst or investigator, you can perform exhaustive DLP investigations in both Microsoft 365 Defender portal and Microsoft Sentinel. Sentinel provides built-in as well as custom capabilities to tailor to more advanced scenarios.


Benefits of Microsoft 365 Defender and Microsoft Sentinel

Key benefits of Microsoft 365 Defender:

  • Improved triaging experience, including tagging, filtering, and bulk actions on incidents.
  • Advanced hunting provides the ability to query raw compliance and security data to proactively detect known and potential risks in your organization as well as visualize the attack chain
  • Unified dashboard with a single incident queue for viewing all your DLP alerts for SOC/DLP team investigations
  • Intelligent intra-solution (DLP-DLP) correlations under a single incident and inter-solution correlations between security (MDE, MDO, etc.) and DLP incidents
  • Filtering options include DLP policy name, date, service source, incident status, and user plus more on the unified incident queue and the ability to associate custom tags with DLP incidents for custom filtering.
  • Built-in remediation actions on users, files, and devices such as labelling files, removing violating e-mails, or resetting user account credentials.

Key benefits of Microsoft Sentinel:

  • Single pane of glass with the ability to pull in signals from 1st party sources leveraging native connectors such as the Microsoft 365 Defender connector in Microsoft Sentinel to pull DLP incidents and 3rd party sources such as Google, AWS, JIRA, etc. for investigation and remediation in Microsoft Sentinel.
  • Custom analytic rules can be used to create alerts based on data from across various systems.
  • Workbooks can be used to create reports, the reports can be fully customized to measure KPI’s. By utilizing watchlists or UEBA, additional organizational context can be added.
  • Automation workflows for incident management can be used to collect feedback from line managers and users who violated policies. It is also possible to create custom actions like collecting evidence, initiating content searches, or setup integration with 3rd party systems.

What fits my investigation needs?

You should select the solution that meets your needs. Below are the capabilities available.



Microsoft 365 Defender

Microsoft Sentinel


Immediately start triaging incidents and use tags, comments, and other features to structure your incident management. You should be utilizing the Incidents page in the Microsoft Defender portal to manage your DLP alerts.

Leverage the Microsoft 365 Defender connector in Microsoft Sentinel to pull DLP incidents into Sentinel for DLP investigations. To extend the triaging experience additional data can be ingested and displayed as part of the investigation. For example the logs from an interception proxy can be shown inline in the triaging experience.



  • Full evidence like email and document is easily accessible.
  • Content Explorer to deeply investigate the content in the incident


Immediately start triaging DLP incidents with correlation of Defender alerts

By using custom Azure Sentinel analytic rules you can correlate with 3rd party systems.

Incident updates and tracking


Alerts are grouped in Incidents.

Supports Tagging, Status, Classifications, comments and multi select on filter to update, rules can stamp Tags, update status, severity, owner and call on playbooks in various stages.  Alerts are grouped in incidents.

Remediation Actions

Immediately start using the built-in actions.

  • Close integration with MDA
  • Reset pwd
  • Disable Account
  • View user Activity
  • Actions on DLP detections
  • Remove Document
  • Apply label
  • UnShare
  • Download email
  • Via Advanced Hunting
  • Isolate Device
  • Collect investigation pack from Device
  • Run AV Scan
  • Quarantine file
  • Disable user
  • Reset pwd
  • Delete email
  • Move mail to other mailbox folder

Sentinel can be extended to use Automation actions on top of incidents. Sentinel allows for a high degree of customization. Actions run can be integrated to update the incident based on completion. Integration with other systems can be done via Logic Apps that support integration with many providers Connector reference overview | Microsoft Learn.


Example of ready Playbooks can be found here Azure-Sentinel/Playbooks at master · Azure/Azure-Sentinel · GitHub




Retention of Incidents

6 months

2 years built-in support, archive 7 years Configure data retention and archive in Azure Monitor Logs (Preview) - Azure Monitor | Microsoft Lea...



Microsoft Purview DLP provides several approaches to triage and respond to DLP incidents. In this guide we have covered the Microsoft-recommended unified incident queue in Microsoft 365 Defender portal for DLP investigations. In addition, we have also covered key considerations when choosing the right tool for your needs. You can work with your analyst or SOC team to tune the way you handle and investigate DLP incidents. 


Get Started

Get started with the following articles about data loss prevention investigation :

Version history
Last update:
‎Feb 06 2023 11:48 AM
Updated by: