Security, Compliance, and Identity Blog

Learn how to investigate Microsoft Purview Data Loss Prevention alerts in Microsoft 365 Defender

Shekhar_Palta (Microsoft)
Feb 06, 2023

This is a step-by-step guided walkthrough of the Microsoft 365 Defender analyst experience for Microsoft Purview Data Loss Prevention (DLP) incident management. This is the Microsoft-recommended experience for investigating and remediating Data Loss Prevention incidents.

Prerequisites

  • Licensing Requirements
    • To investigate Microsoft Purview DLP incidents in the Microsoft 365 Defender portal, you need a license from one of the following subscriptions mentioned here:
      • Microsoft Office 365 E5/A5
      • Microsoft 365 E5/A5
      • Microsoft 365 E5/A5 Compliance
      • Microsoft 365 E5/A5 Information Protection and Governance
    • Note: When you are licensed and eligible for this feature, DLP alerts will automatically flow into Microsoft 365 Defender. Open a support case if you want to disable this feature.
  • Before you start, turn on alerts for all your DLP policies in the Microsoft Purview compliance portal and delegate the appropriate permissions to access the Microsoft 365 Defender portal.

Step-by-step walkthrough

  1. Go to https://security.microsoft.com

Note: To view DLP alerts and incidents in the Defender portal, make sure to turn on alerts for all your DLP policies in the Microsoft Purview compliance portal first.

  2. Select Incidents & alerts on the left navigation pane and click on Incidents to view the Incidents queue.

  3. Filter the queue to view all incidents with Microsoft Purview DLP alerts by selecting Filters on the top right and choosing Service Source: Data Loss Prevention.

Note: In this experience, you can apply advanced filters to focus on what matters to you. Many filters are available, such as Assigned to, Status, Entities (Users, Device, Applications), Policy Name (through text search) and more.

  4. Select a specific incident to view the incident summary details.

  5. Select Manage incident and assign ownership and status.

  6. Select the alert in the Attack story to view the Alert story for details about the policy and the sensitive information types detected in the alert.

  7. In the Alert story, select the Related event to see the details.

  8. This expands the investigation detail on the right-hand side. In this flyout pane, you can see the initial information about the violation, which action was taken on the alert, the count of matches, and other detail needed for the investigation.

  9. Click on the Source tab to view the e-mail body so that the text surrounding the match can be identified. To view the source, you must have the required permission (see details here). If the content is in an attachment or you need the full e-mail, use the Download email action. If you determine that the match was a false positive, select "Not a match".

 

For remediation actions on files on SharePoint Online or OneDrive for Business sites, you can see actions like:

- Apply retention label
- Apply sensitivity label
- Unshare file
- Delete

10. To get a better understanding of the risk level, click User details in the Incident graph. This shows the number of active incidents and alerts for the user. The page also shows the investigation priority, which is powered by Microsoft Defender for Cloud Apps.

11. Using the integration with Microsoft Defender for Cloud Apps, you can take remediation actions such as resetting the user's account credentials or requiring the user to sign in again.

12. If you need more detail or want to take additional actions on the message, go to Evidence and Response and select the message. On the right-hand side select Go hunt.

13. This launches the Advanced hunting page; select Run query. From here you can start hunting, for example if you need to learn more about an attachment or an e-mail conversation.

As an example, for OneDrive/SharePoint DLP alerts you can validate whom certain files have been shared with.

let user = "user@yourdom.com";
// Left side: DLP rule matches for the user on OneDrive or SharePoint
CloudAppEvents
//| search incident
| where ActionType == "DLPRuleMatch"
| where RawEventData.Workload == "OneDrive" or RawEventData.Workload == "SharePoint"
| extend Account = tostring(RawEventData.UserId)
| extend SharePointMetaData_SiteCollectionUrl_s = tostring(RawEventData.SharePointMetaData.SiteCollectionUrl)
| where tolower(tostring(RawEventData.UserId)) == tolower(user)
// Right side: sharing-link events, joined to the DLP matches on the site URL
| join kind=inner (
    CloudAppEvents
    | where RawEventData.Operation == "SecureLinkUsed" or RawEventData.Operation == "AddedToSecureLink"
    | extend SourceFileName = tostring(RawEventData.SourceFileName)
    | extend SharePointMetaData_SiteCollectionUrl_s = tostring(RawEventData.SiteUrl)
    | extend UserId = tostring(RawEventData.UserId)
    | extend TargetUserOrGroupName = tostring(RawEventData.TargetUserOrGroupName)
    // If no explicit target is recorded, fall back to the acting user
    | extend Sharedwith = iff(isempty(TargetUserOrGroupName), UserId, TargetUserOrGroupName)
    | project SourceFileName, SharePointMetaData_SiteCollectionUrl_s, TargetUserOrGroupName, Sharedwith
    ) on SharePointMetaData_SiteCollectionUrl_s
| project Timestamp, Account, SharePointMetaData_SiteCollectionUrl_s, SourceFileName, Sharedwith, RawEventData
| sort by Timestamp

This is another example, where you can search for all file activity related to a file. You may choose to add a list item, hash or user filter to reduce the risk of capturing other files that aren't relevant to the investigation. This captures file activity across email, SharePoint, OneDrive, Endpoint and AIP Scanner where the Purview agents are active.

let document = "yourdoc.txt";
CloudAppEvents
// Uncomment one or more of these filters to narrow the results to a user, a file hash or a SharePoint list item
//| where tolower(RawEventData.UserId) == "youruser@dom.com"
//| where RawEventData.Sha256 == "Filehash"
//| where RawEventData.ListItemUniqueId == "SPOlist item"
| search document
| extend Users = tostring(RawEventData.UserId)
// The sensitivity label GUID is recorded in different fields depending on the workload; coalesce them in order of preference
| extend LabelGUID1 = tostring(parse_json(tostring(RawEventData.SensitivityLabelEventData)).SensitivityLabelId)
| extend LabelGUID2 = iff(isempty(tostring(RawEventData.LabelId)), LabelGUID1, tostring(RawEventData.LabelId))
| extend LabelGUID3 = iff(isempty(tostring(RawEventData.SensitivityLabelId)), LabelGUID2, tostring(RawEventData.SensitivityLabelId))
| extend OldSensitivityLabelId = tostring(parse_json(tostring(RawEventData.SensitivityLabelEventData)).OldSensitivityLabelId)
| extend LabelGUID = iff(isempty(LabelGUID3), OldSensitivityLabelId, LabelGUID3)
| project Timestamp, ActionType, Users, CountryCode, LabelGUID, ReportId, RawEventData
| sort by Timestamp
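As an added example that is not part of the original post, the following query extends the DLPRuleMatch hunting above to show which policies, rules and sensitive information types matched for one user across all workloads in the last 7 days; the user placeholder and the PolicyDetails/Rules/ConditionsMatched field names inside RawEventData are assumptions taken from the Office 365 DLP audit schema, so check them against a sample event in your tenant first.

```kql
// Added example (not from the original post): summarize which DLP policies, rules and
// sensitive information types (SITs) matched for one user in the last 7 days.
// The placeholder user@yourdom.com and the PolicyDetails/Rules/ConditionsMatched
// field names are assumptions to verify against a real DLPRuleMatch event.
let user = "user@yourdom.com";
CloudAppEvents
| where Timestamp > ago(7d)
| where ActionType == "DLPRuleMatch"
| where tolower(tostring(RawEventData.UserId)) == tolower(user)
| extend Workload = tostring(RawEventData.Workload)
// One row per policy that matched, then one row per rule inside that policy
| mv-expand Policy = RawEventData.PolicyDetails
| mv-expand Rule = Policy.Rules
| extend PolicyName = tostring(Policy.PolicyName),
         RuleName = tostring(Rule.RuleName),
         // Actions the rule enforced (block, notify, ...) as a JSON string
         Actions = tostring(Rule.Actions)
// One row per sensitive information type found by that rule
| mv-expand Sit = Rule.ConditionsMatched.SensitiveInformation
| extend SitName = tostring(Sit.Name),
         SitCount = toint(Sit.Count),
         Confidence = toint(Sit.Confidence)
| summarize Matches = count(),
            TotalSitHits = sum(SitCount),
            MaxConfidence = max(Confidence),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Workloads = make_set(Workload),
            ActionsTaken = make_set(Actions)
    by PolicyName, RuleName, SitName
| sort by LastSeen desc
```

Rules that fire repeatedly with low confidence and no enforcing action are good candidates for tuning, while high-confidence matches on several workloads deserve the user-level review described in steps 10 and 11.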
14. From the same page, you can take actions like Delete email and move the message to a separate folder.

15. At the end of the incident review, go back to Manage incident to apply additional details such as the appropriate custom incident tags, comments, actions that should be taken on the case, or to resolve the incident.

16. In many scenarios bulk actions are needed to ease managing multiple incidents. Select multiple incidents and click on Manage incidents to take bulk actions on all of the selected incidents at once. Bulk actions include assign to, classification, addition of incident tags, status, and comments.

Thanks for reading!

We look forward to your feedback.

Microsoft Purview Data Loss Prevention team. 

Updated Sep 28, 2023
Version 4.0
  • A fantastic summary for the Detect & Response teams that doesn't work like this today! Nice work, thanks for sharing!

  • Dean_Gross
    Silver Contributor

    Please add information about the requirements for MSSPs and CSP organizations to conduct this type of investigation. These people won’t have licenses assigned in the tenants, does this mean that they can’t do an investigation?