Protecting your business-critical data is of the utmost importance in today’s digital landscape. Within the last 12 months, 74% of organizations have had business data exposed during a data security incident, 65% saw operational data compromised, and 58% experienced personal data being made vulnerable [1]. However, protecting that data can seem like a daunting charter for many security teams. Between the boundless volumes of data created and transformed daily by modern organizations and the difficulty of scaling legacy data loss prevention (DLP) strategies, proper prevention, investigation, and remediation of data security incidents can be an uphill climb. Simultaneously, the breakneck adoption of Generative AI is not only an exponential multiplier of organizational data, but also a new frontier of risk that we must learn to secure. Now is the time for organizations to take a comprehensive approach to data security that supports the pace of work today and adapts as your business transforms for the future.
Microsoft Purview Data Loss Prevention (Microsoft Purview DLP) provides a unified and cloud-native DLP that prevents sensitive data loss with minimal impact to business continuity. As part of our commitment to helping security teams build resilient and adaptable data security, we are excited to announce several new Microsoft Purview DLP capabilities that enable:
- Efficient investigation: Capabilities that empower admins to find, interpret, and act on key DLP incidents, including context-rich email alerts, support for custom email templates as policy actions, and new rich filters for DLP alerts in Microsoft Defender XDR.
- Strengthened protection: Capabilities that aim to maximize both protection of sensitive data and employee productivity, including automatic pause and resume of user actions, improvements to device onboarding, and the addition of application allowlists.
- Extended protection: Capabilities that protect your sensitive data across multiple workloads, including support for file type and file extension-based policy conditions and allowed domain groups for macOS.
Easier triage and investigation of DLP alerts
As the volume of data created, processed, and transmitted by modern business proliferates, so do the risks. In 2023, organizations experienced an average of 59 data security incidents over the previous 12 months [2]. With data security incidents growing more frequent and costly, it's critical to contain these incidents as quickly as they arise, mitigating downstream financial and infrastructural impact.
One way Microsoft Purview DLP is streamlining investigations for admins is by enriching email alerts with more robust metadata. These email alerts will inform the admin when a policy has been violated and provide more actionable context and evidence, including severity level, user, policy details, device details, and more. This insight enables you to understand and take appropriate action on a potential incident as soon as it occurs — from both your inbox and the Microsoft Purview Portal. This capability is now in general availability.
Figure 1: New context-rich email alerts for Microsoft Purview DLP admins.
Microsoft Purview DLP admins can now also leverage customizable email templates to notify users or teams of DLP policy matches. These custom emails, available in public preview, can be added as an action when configuring policy rules. For example, your organization may consider automating emails to notify managers of policy violations, or to kick off remediation workflows from a DLP alert. When creating policy rules, you can add a new custom template or choose from existing custom templates.
Figure 2: Create and manage custom email templates for DLP policy actions in Settings.
In addition to enriched email alerts and custom policy actions, we’re enhancing the DLP alert investigation experience within Microsoft Defender XDR. We previously added the capability to filter the DLP alerts queue in Microsoft Defender XDR by File Name or File Path for more efficient and flexible triage. We are now extending this public preview capability to filter by alerts stemming from external user risk. Learn more here.
This filter can be particularly useful in aiding investigations of threats external to your organization that may be attempting to exfiltrate company data. From Microsoft Defender XDR, you can easily visualize how a DLP policy violation was connected to an attack story associated with such external user activity. In the example below, you can see how a DLP alert tagged with “External user risk” in Microsoft Defender XDR indicates the transmission of sensitive company data to a user outside of the organization.
You may also notice that DLP alerts in Microsoft Defender XDR can now be further contextualized with insider risk summaries from Microsoft Purview Insider Risk Management. From the Incidents view, SOC analysts with the required customer-determined permissions can understand and make informed decisions on user exfiltration activities that may be connected to a larger data security incident. Learn more about this feature, now in public preview, here.
Not only are we introducing the above new capabilities to improve your day-to-day triage and investigation, but also announcing the general availability of:
- Simulation mode, which allows admins to simulate a DLP policy to assess its impact and fine tune the policy as required in an isolated environment, so they can confidently configure and deploy into production. Learn more here.
- DLP analytics, which leverages machine learning to highlight the top data protection risks in your environment and offers recommendations for mitigating those risks. DLP analytics also offers recommendations for fine tuning existing policies to reduce noisy alerts. Learn more here.
- The Adaptive Protection integration with DLP, which enables users to be scoped into data loss policies based on their insider risk levels. Microsoft Purview DLP takes these risk levels into account to automatically apply the right preventative controls, such as block, block with override, or audit with a warning. Learn more here.
Strengthened protection, minimal disruption
When it comes to securing modern business, every second and every device counts. That’s why we’re continuing to invest in comprehensive protection for all of your users and assets, minus the business disruption, tedious troubleshooting, or finicky fine tuning.
One step we’re taking to minimize disruption to business as usual is the new pause and resume capability, in public preview. Previously, users who could override policy tips would have to repeat the action that originally triggered a DLP policy, such as printing a document with sensitive information. With pause and resume, a user can provide business justification to override a policy, and the task will resume automatically without requiring the user to resubmit the print job. This same principle can be applied to functions such as copy and paste and copy to storage. Automatic pause and resume minimize end user disruption while ensuring proper policy enforcement.
Figure 5: Following a policy tip override, user activity such as printing and copying to storage will now be automatically paused and resumed on Windows devices.
We’ve also improved the Devices onboarding dashboard in the Purview Portal. The Devices' onboarding page has been enhanced to help you quickly understand the status of onboarded endpoint devices, and easily troubleshoot common onboarding issues. Easily dive into detail on any of your devices and see relevant remediation guidance if there are detected issues. The following capabilities are now available through the Devices onboarding page:
- Richer device fingerprinting metadata, in general availability
- Unlimited export of devices, in general availability
- First onboarded date for devices, in public preview
Figure 6: The improved Devices onboarding dashboard provides rich device metadata and helps troubleshoot common issues.
Lastly, we’re happy to announce the addition of application allowlists in Microsoft Purview DLP in public preview. Application allowlists enable exceptions to DLP rules for specified business apps, helping admins both enforce sufficient security controls and accommodate for normal, expected business activity. For example, you may choose to add applications used by the Finance team to an allowlist, knowing the frequency with which they work with sensitive financial data, and adjust how policies are enforced accordingly.
Shown below, you can see how admins can now tailor DLP rules and actions for restricted app groups and allowed app groups.
Figure 7: DLP policies can now be configured with unique rules and actions for specified business applications.
Extending data protection across platforms
We understand that today’s businesses rely on a diverse range of technologies and workloads, all of which require sufficient data protection measures. That is why we’re also excited to share the expansion of several Microsoft Purview DLP capabilities to macOS devices:
- Support for file type and file extension-based policy conditions is now in public preview for both macOS and Windows. Learn more here.
- Domain groups, which apply unique policy conditions and restrictions for a set of websites, is now in public preview for both macOS and Windows. Domain groups help you appropriately protect data that’s commonly in use or in motion, whether it’s through a cloud egress channel, in-browser, or subject to just-in-time protection. Learn more here.
Not to mention, Microsoft Purview DLP is now generally available for the increasing volume of Windows endpoints running on ARM (ARM64) chipsets. Learn more here.
Get started
Get started today with Microsoft Purview DLP by turning on endpoint DLP as it is built into Windows 10 and 11 and does not require an on-premises infrastructure setup or agents on endpoint devices. Learn more about endpoint DLP here. You can try Microsoft Purview DLP and other Microsoft Purview solutions directly in the Microsoft Purview compliance portal with a free trial!
Additional resources
- DLP whitepaper on moving from on-premises to cloud native DLP.
- Mechanics video on how to create one DLP policy that works across your workloads.
- Updated interactive guides on DLP policy configuration and management, and investigations.
- Frequently asked questions on DLP for endpoints.
- Guidance on optimal DLP incident management experience.
- Investigating Microsoft Purview DLP alerts in the Microsoft Defender XDR portal.
And, lastly, join the Microsoft Purview DLP Customer Connection Program (CCP) to get information and access to upcoming capabilities in private previews in Microsoft Purview Data Loss Prevention. An active NDA is required. Click here to join.
We look forward to your feedback.
Thank you,
The Microsoft Purview Data Loss Prevention Team
