This is a step-by-step guided walkthrough of the Microsoft 365 Defender Analyst experience for Microsoft Purview Data Loss Prevention (DLP) incident management. This is the Microsoft-recommended experience for investigating and remediating Data Loss Prevention incidents.
Note: To view DLP alerts and incidents in the Defender portal, first make sure that alerts are turned on for all your DLP policies in the Microsoft Purview compliance portal.
Note: In this experience, you can apply advanced filters to filter on what matters to you. There are many filters available such as Assigned to, Status, Entities (Users, Device, Applications), Policy Name (through text search) and more.
For remediation actions on files on SharePoint Online or OneDrive for Business sites, you can see actions like
- Apply retention label
- Apply sensitivity label
- Unshare file
- Delete
10. To get a better understanding of the risk level, click User details in the Incident graph. This shows the number of active incidents and alerts. The page also shows the investigation priority which is powered by Microsoft Defender for Cloud Apps.
11. By using the integration with Microsoft Defender for Cloud Apps you can take remediation actions to reset user account credentials, require a sign-in again, etc.
12. If you need to get more detail or take additional actions on the message, go to Evidence and Response and select the message. On the right-hand side select Go hunt.
13. This launches the Advanced hunting page; select Run query. From here you can start hunting, for example to learn more about an attachment or an e-mail conversation.
For example, for OneDrive/SharePoint DLP alerts you can validate with whom certain files have been shared.
let user = ('user@yourdom.com');   // lower-case UPN of the user named in the DLP alert
CloudAppEvents
//| search incident
| where ActionType == "DLPRuleMatch"
| where RawEventData.Workload == "OneDrive" or RawEventData.Workload == "SharePoint"
| extend Account = tostring(RawEventData.UserId)
| extend SharePointMetaData_SiteCollectionUrl_s = tostring(RawEventData.SharePointMetaData.SiteCollectionUrl)
| where tolower(RawEventData.UserId) == user
// join the DLP rule matches to sharing-link events on the same site collection
| join kind = inner
(
    CloudAppEvents
    | where RawEventData.Operation == "SecureLinkUsed" or RawEventData.Operation == "AddedToSecureLink"
    | extend SourceFileName = tostring(RawEventData.SourceFileName)
    | extend SharePointMetaData_SiteCollectionUrl_s = tostring(RawEventData.SiteUrl)
    | extend UserId = tostring(RawEventData.UserId)
    | extend TargetUserOrGroupName = tostring(RawEventData.TargetUserOrGroupName)
    // fall back to the acting user when the link event has no explicit target
    | extend Sharedwith = iff(isempty(TargetUserOrGroupName), UserId, TargetUserOrGroupName)
    | project SourceFileName, SharePointMetaData_SiteCollectionUrl_s, TargetUserOrGroupName, Sharedwith
)
on SharePointMetaData_SiteCollectionUrl_s
| project Timestamp, Account, SharePointMetaData_SiteCollectionUrl_s, SourceFileName, Sharedwith, RawEventData
| sort by Timestamp
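A variant of the query above, added here as an example and not taken from the original post: it keeps only the sharing events whose recipient is outside the tenant and summarizes them per file, matching DLP sites to sharing events on the same SiteCollectionUrl/SiteUrl as the query above does. The user UPN and the 'yourdom.com' internal domain are placeholders for your own values.

```kusto
// Added example (not from the original post): one row per file, listing the
// external recipients of secure-link shares on sites that also raised a DLP
// rule match for the user. 'user@yourdom.com' and 'yourdom.com' are placeholders.
let user = "user@yourdom.com";
let internalDomain = "yourdom.com";
// site collections on which this user triggered a DLP rule match
let dlpSites =
    CloudAppEvents
    | where ActionType == "DLPRuleMatch"
    | where tostring(RawEventData.Workload) in ("OneDrive", "SharePoint")
    | where tolower(tostring(RawEventData.UserId)) == user
    | extend SiteUrl = tostring(RawEventData.SharePointMetaData.SiteCollectionUrl)
    | distinct SiteUrl;
CloudAppEvents
| where tostring(RawEventData.Operation) in ("SecureLinkUsed", "AddedToSecureLink")
| extend SiteUrl = tostring(RawEventData.SiteUrl)
| where SiteUrl in (dlpSites)
| extend SourceFileName = tostring(RawEventData.SourceFileName)
// same fallback as the original query: acting user when no explicit target is recorded
| extend SharedWith = coalesce(tostring(RawEventData.TargetUserOrGroupName), tostring(RawEventData.UserId))
| extend RecipientDomain = tolower(tostring(split(SharedWith, "@")[1]))
| extend IsExternal = isnotempty(RecipientDomain) and RecipientDomain != internalDomain
| summarize ShareEvents = count(),
            ExternalRecipients = make_set_if(SharedWith, IsExternal),
            FirstShare = min(Timestamp),
            LastShare = max(Timestamp)
    by SiteUrl, SourceFileName
// drop files that were only ever shared inside the tenant
| where array_length(ExternalRecipients) > 0
| sort by LastShare desc
```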
This is another example, where you can search for all file activity related to a file. You may add a list item ID, file hash or user to reduce the risk of capturing other files that aren't relevant to the investigation. This captures file activity across email, SharePoint, OneDrive, Endpoint and the AIP scanner, wherever the Purview agents are active.
let document = "yourdoc.txt";   // file name (or part of it) to search for
CloudAppEvents
// optional narrowing filters: uncomment the ones you have values for
//| where tolower(RawEventData.UserId) == "youruser@dom.com"
//| where RawEventData.Sha256 == "Filehash"
//| where RawEventData.ListItemUniqueId == "SPOlist item"
| search document
| extend Users = tostring(RawEventData.UserId)
// the label GUID is stored in a different property depending on the workload; take the first one present
| extend LabelGUID1 = parse_json(tostring(RawEventData.SensitivityLabelEventData)).SensitivityLabelId
| extend LabelGUID2 = iff(isempty(tostring(RawEventData.LabelId)), LabelGUID1, tostring(RawEventData.LabelId))
| extend LabelGUID3 = iff(isempty(tostring(RawEventData.SensitivityLabelId)), LabelGUID2, tostring(RawEventData.SensitivityLabelId))
// label-change events carry the previous label separately
| extend OldSensitivityLabelId = tostring(parse_json(tostring(RawEventData.SensitivityLabelEventData)).OldSensitivityLabelId)
| extend LabelGUID = iff(isempty(tostring(LabelGUID3)), OldSensitivityLabelId, tostring(LabelGUID3))
| project Timestamp, ActionType, Users, CountryCode, LabelGUID, ReportId, RawEventData
| sort by Timestamp
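As an added example that is not part of the original post, the same document search can be extended with a constructed label lookup so that label removals and downgrades on the file stand out in the activity timeline. The label GUIDs, names and rank order in the datatable are placeholders for your own tenant's labels; the label properties read from RawEventData are the ones the query above already uses.

```kusto
// Added example (not from the original post): label-change timeline for one document.
// The document name and the GUID/name/rank rows below are placeholders; replace them
// with your tenant's labels, ranked from least to most sensitive.
let document = "yourdoc.txt";
let labelNames = datatable(LabelId:string, LabelName:string, Rank:int) [
    "00000000-0000-0000-0000-000000000001", "Public", 1,
    "00000000-0000-0000-0000-000000000002", "Confidential", 2,
    "00000000-0000-0000-0000-000000000003", "Highly Confidential", 3
];
CloudAppEvents
| search document
| extend Users = tostring(RawEventData.UserId)
| extend LabelEvent = parse_json(tostring(RawEventData.SensitivityLabelEventData))
// same preference order as the original query: SensitivityLabelId, then LabelId, then the event payload
| extend NewLabelId = coalesce(tostring(RawEventData.SensitivityLabelId),
                               tostring(RawEventData.LabelId),
                               tostring(LabelEvent.SensitivityLabelId))
| extend OldLabelId = tostring(LabelEvent.OldSensitivityLabelId)
| where isnotempty(NewLabelId) or isnotempty(OldLabelId)
// resolve both GUIDs to names and ranks; unknown GUIDs stay empty (leftouter)
| lookup kind=leftouter (labelNames | project NewLabelId = LabelId, NewLabel = LabelName, NewRank = Rank) on NewLabelId
| lookup kind=leftouter (labelNames | project OldLabelId = LabelId, OldLabel = LabelName, OldRank = Rank) on OldLabelId
| extend Change = case(isempty(OldLabelId), "labeled",
                       isempty(NewLabelId), "label removed",
                       NewRank < OldRank, "downgraded",
                       NewRank > OldRank, "upgraded",
                       "unchanged")
| project Timestamp, ActionType, Users, OldLabel, NewLabel, Change, ReportId
| sort by Timestamp asc
```

Rows marked "downgraded" or "label removed" are the ones worth reviewing first when the DLP alert concerns a file that used to carry a more sensitive label.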
14. From the same page, you can use Take actions, for example to delete the email or move the message to a separate folder.
15. At the end of the review of the incident, go back to Manage incident to apply additional details such as custom incident tags, comments and the actions to be taken on the case, or to resolve the incident.
16. In many scenarios bulk actions are needed for ease of managing multiple incidents. Select multiple incidents and click on Manage incidents to take bulk actions on all of the selected incidents at once. Bulk actions include assign to, classification, addition of incident tags, status, and comments.
Thanks for reading!
We look forward to your feedback.
Microsoft Purview Data Loss Prevention team.