Configure and View DLP Policy Alerts - Microsoft Purview (Compliance) (2023)

  • article

Microsoft Purview Data Loss Prevention (DLP) policies can provide protection to prevent sensitive items from being inadvertently shared. You can configure DLP alerts to notify you when action is taken on sensitive items. This article shows you how to define a rich alert policy that is associated with a data loss prevention (DLP) policy. You'll learn how to use the new DLP alert management dashboardMicrosoft Purview-nalevingsportalView alerts, events, and related metadata for DLP policy violations.


If you are not an E5 customer, you can use a 90-day trial of the Microsoft Purview solution to discover how additional Purview capabilities can help your organization manage data security and compliance needs. start nowMicrosoft Purview Compliance Portal Proefcentrum.Learn moreRegistration and Trial Terms.

(Video) Microsoft Endpoint DLP: Policy Match Alerts


It includes the following functions:

  • Dashboard for DLP alert management: insideMicrosoft Purview-nalevingsportal, this dashboard shows alerts for DLP policies being enforced for the following workloads:

    • stock exchange
    • share point
    • a drive
    • team
    • equipment
  • Advanced alert configuration options: These options are part of the DLP policy design process. Use them to create extensive alert configurations. You can create individual event alerts or aggregated alerts based on the number of events or the size of the leaked data.

Before you start

Before you get started, make sure you have the necessary requirements:

  • Licenses for the DLP Alert Management Dashboard
  • Licensing of alert configuration options
  • Role

Licenses for the DLP Alert Management Dashboard

All eligible Office 365 DLP tenants have access to the new DLP alert management dashboard. To get started, you must be eligible for Office365 DLP for Exchange Online, SharePoint Online, and OneDrive for Business. For more information about licensing requirements for Office 365, see DLPWhat licenses entitle the user to benefit from the service?.

used by customersEndpoint DLPwho is eligibleTeam DLPYou can see their endpoint DLP policy alerts and team DLP policy alerts in the DLP alert management dashboard.

(Video) Build your first Microsoft Purview DLP Policy

Licensing of alert configuration options

  • Configuration of single event alerts: Organizations with E1, F1, or G1 subscriptions or E3 or G3 subscriptions can only create alert policies that trigger an alert whenever activity occurs.
  • Aggregate alert configuration: To configure a threshold-based aggregated alarm policy, you must have one of the following configurations:
    • A5 abonnement
    • E5 or G5 subscription
    • E1, F1, or G1 plan or E3 or G3 plan with one of the following features:
      • Office 365 Advanced Threat Protection-plan 2
      • Microsoft 365 E5 compliance
      • Microsoft 365 eDiscovery and Audit Add-on License


To view the DLP alert management dashboard or edit alert configuration options in DLP policies, you must be a member of one of the following role groups:

  • Compliance Administrator
  • Data Controller Compliance
  • security administrator
  • security operator
  • safe reader

To access the DLP Alerts Management dashboard, you need the Admin Alerts role and one of the following roles:

  • DLP compliance management
  • View only DLP compliance management

Alert configuration experience

If you qualify forAggregate alert configuration options, and you'll see the following options inline in the DLP policy design experience.

Configure and View DLP Policy Alerts - Microsoft Purview (Compliance) (1)

This configuration allows you to set policies for alert generation:

  • Each time an event meets the policy conditions
  • When a defined threshold is reached or exceeded
  • Based on the number of activities
  • Based on the amount of leaked data

To avoid flooding email notifications, all matches against the same DLP rule in the same location that occur within a one-minute window are grouped into the same alert. The one minute aggregation time window function works with:

(Video) DLP policy setup demo Microsoft 365

  • E5 or G5 subscription
  • E1, F1, or G1 plan or E3 or G3 plan with one of the following features:
    • Office 365 Advanced Threat Protection-plan 2
    • Microsoft 365 E5 compliance
    • Microsoft 365 eDiscovery and Audit Add-on License

For organizations with E1, F1, or G1 plans or E3 or G3 plans, the aggregation time is 15 minutes.

Dashboard for DLP alert management

To use the DLP Alerts Management Dashboard:

  1. insideMicrosoft Purview-nalevingsportal, goPrevent data loss.

  2. to electalarmtab to view the DLP Alerts dashboard.

    • Select a filter to narrow the list of alerts. to electadjusted columnList the properties you want to view. You can also choose to sort the alerts in ascending or descending order in each column.

    • Select a notification to view details:

      (Video) How to Investigate DLP Alerts in Microsoft 365 Compliance Demo

      Configure and View DLP Policy Alerts - Microsoft Purview (Compliance) (2)

  3. to electeventtab to view all events associated with the alert. You can select a specific event to view its details. The following table contains details for some events.

    categoriesproperty nameto describeApplicable event type
    Event details
    ID cardA unique ID associated with the eventall activities
    PlaceWorkloads for which events have been detectedall activities
    Activity timeThe time of user activity that resulted in the DLP violationall activities
    Affected entity
    userUsers who caused DLP violationsall activities
    CPU nameThe host name of the computer where the DLP violation was detecteddevice event
    IP adreslocal IP addressdevice event
    inventory padViolations relate to absolute paths to filesSharePoint, OneDrive, and device events
    E-mail receiverRecipients of emails that violate DLP policiesexchange activities
    email subjectEmail subject that violates DLP policiesexchange activities
    email attachmentNames of attachments in emails that violate DLP policiesexchange activities
    website ownerName of the site ownerSharePoint and OneDrive events
    Website URLThe full URL of the SharePoint or OneDrive siteSharePoint and OneDrive events
    file createdtime for file creationSharePoint and OneDrive events
    file last modifiedfile last modified timeSharePoint and OneDrive events
    File sizeFile sizeSharePoint and OneDrive events
    file ownerfile ownerSharePoint and OneDrive events
    Policy details
    Agreements with DLP policiesThe name of the matching DLP policyall activities
    match ruleThe name of the DLP rule in the corresponding DLP policyall activities
    Type of sensitive information detectedTypes of sensitive information detected as part of a DLP policyall activities
    measures takenActions taken as part of the corresponding DLP policyall activities
    user coverage strategyWhether the user has overridden the policy through a policy tipall activities
    override reason textGives a reason for ignoring policy tipsall activities
  4. to electSensitive information typetab to view details about the types of sensitive information detected in the content. Details include trust and counting.

  5. Select after investigating the alertManage alertschange state (positive,Questionnaire,dismissal, ofdissolveYou can also add a comment and assign the alert to someone in your organization.

    • To view the workflow management history, select themanagement log.
    • After taking the desired action on the alert, set the alert status todissolve.

other matching criteria

Microsoft Purview supports displaying matching conditions in DLP incidents to reveal the exact reason for flagging a DLP policy. This information is displayed on:

  • DLP Alerts-console
  • active browser
  • Microsoft Defender for Business portal

insideeventtab opendetailAccountother matching criteria.

(Video) Microsoft Purview - 5 New & Updated Features that You NEED to Know!


  • Must be running Windows 10 x64 build 1809 or later or Windows 11.
    • LookMarch 21, 2023 — KB5023773 (OS Builds 19042.2788, 19044.2788, and 19045.2788) PreviewMinimum Windows OS version required.
  • Matching condition data is available for valid E3 and E5 licensees
  • switchaudit.
  • switchAdvanced classification scanning and protection.

These criteria support matching event information

Health statusstock exchangeshare pointteamendpoint
sender domain isAndNeeAndNee
sender address contains the wordsAndNeeNeeNee
Matching sender address patternAndNeeNeeNee
sender is a memberAndNeeNeeNee
The sender's IP address isAndNeeNeeNee
Whether the sender overrides policy tipsAndNeeNeeNee
SenderAdAttribute contains the wordsAndNeeNeeNee
SenderAdAttribute match patternAndNeeNeeNee
The domain of the recipient isAndNeeAndNee
the recipient's address contains the wordAndNeeNeeNee
Matching pattern for recipient addressAndNeeNeeNee
Recipient is a member ofAndNeeNeeNee
RecipientAdAttribute contains the wordsAndNeeNeeNee
RecipientAdAttribute match patternAndNeeNeeNee
Document is password protectedAndNeeNeeNee
Cannot scan documentAndNeeNeeNee
Documents are not fully scannedAndNeeNeeNee
document name contains the wordAndAndNeeNee
Matching document name patternAndNeeNeeNee
Document properties areAndAndNeeNee
Document size exceedsAndAndNeeNee
The content of the document contains the wordsAndNeeNeeNee
Matching document content patternAndNeeNeeNee
file type isNeeNeeNeeAnd
The document extension isAndAndNeeAnd
Content shared from M365AndAndAndNee
content ofAndNeeNeeNee
The content character set contains the wordAndNeeNeeNee
subject contains wordAndNeeNeeNee
Subject Matching ModeAndNeeNeeNee
subject or body contains wordAndNeeNeeNee
pattern of subject or bodyAndNeeNeeNee
title contains wordAndNeeNeeNee
header patternAndNeeNeeNee
exceeds message sizeAndNeeNeeNee
report type isAndNeeNeeNee
The importance of the message isAndNeeNeeNee


What permissions are required to view DLP alerts? ›

If you want to view the DLP alert management dashboard or to edit the alert configuration options in a DLP policy, you must be a member of one of these role groups: Compliance Administrator. Compliance Data Administrator. Security Administrator.

Where can I view DLP alerts? ›

In the Microsoft Purview compliance portal, go to Data loss prevention. Select the Alerts tab to view the DLP alerts dashboard.

How to configure Microsoft purview DLP? ›

Configure Sensitive service domains
  1. In the Microsoft Purview compliance portal open Data loss prevention > Endpoint DLP settings > Browser and domain restrictions to sensitive data > Sensitive service domains.
  2. Select Add a new group of sensitive service domains.
  3. Name the group.
  4. Select the Match type you want.
May 24, 2023

How do I investigate DLP alerts? ›

Go to the Microsoft 365 Defender portal, and select Incidents in the left hand navigation menu to open the incidents page. Select Filters on the top right, and choose Service Source : Data Loss Prevention to view all incidents with DLP alerts.

In which type of compliance control can you apply a Data Loss Prevention DLP rule for gmail? ›

Like a standard Gmail content compliance setting, you can use DLP detectors to trigger automatic responses. These include quarantining, rejecting, or modifying a message. You can also combine predefined detectors with keywords or regular expressions to create more sophisticated content compliance policies.

What is a default alert policy ⚠ compliance manager? ›

Compliance Manager sets up a default alert policy to monitor for score changes in improvement actions. The default policy will generate an alert when an improvement action's score changes. Most settings for the default policy can't be edited, but you can add additional recipients for notifications.

How do I know if DLP agent is installed? ›

if you would like to see if the DLP is insalled on the system then:
  1. check for processes: wdp.exe and edpa.exe.
  2. in the registry go to: HKEY_LOCAL_MACHINE\SYSTEM\Current Control Set\Services\<Service Name>\imagepath. ...
  3. check for the folder: <C>\Program Files\Manufacturer\Endpoint Agent.
Sep 16, 2014

How to configure DLP o365? ›

How to Create a Custom DLP Policy?
  1. Navigate to Microsoft 365 compliance →Data loss prevention.
  2. In the “Categories” tab and click the Custom option to create a custom policy.
  3. After creating, give the DLP policy a name along with the description.
May 10, 2023

Is DLP and EDR the same? ›

EPP is typically designed to reactively detect and block threats at device level e.g. antivirus, anti-malware, data encryption, personal firewalls, intrusion prevention (IPS) and data loss prevention (DLP) whereas EDR (Endpoint Detection and Response) covers some more advanced capabilities like detecting and ...

What should you configure in the DLP policy? ›

Remember from DLP policy configuration overview that all DLP policies require that you:
  • Choose what you want to monitor.
  • Choose the Policy Scoping(preview)
  • Choose where you want to monitor.
  • Choose the conditions that must be matched for a policy to be applied to an item.
Feb 16, 2023

What is an example of a DLP policy? ›

For example, a DLP policy can specify that a file belongs to the sensitive “employment contracts” category if it meets all of the following criteria: Must be a Microsoft Word file (file attribute) AND must contain certain legal terms (keywords) AND must contain ID numbers (defined by regular expression)

How do you implement DLP policies? ›

The following are the steps you follow to create a DLP policy:
  1. Assign the policy a name.
  2. Classify connectors.
  3. Define the scope of the policy. This step doesn't apply to environment-level policies.
  4. Select environments.
  5. Review settings.
Jun 29, 2022

How are DLP solutions used to maintain data privacy compliance? ›

DLP enforces remediation of the identified vulnerabilities through alerts and protective actions like encryption to prevent intentional or accidental misuse of sensitive data. DLP software monitors and protects the network, endpoint, and cloud data at rest and in motion.

How do DLP tools help organizations maintain data privacy compliance? ›

A DLP solution uses things like antivirus software, AI, and machine learning to detect suspicious activities by comparing content to your organization's DLP policy, which defines how your organization labels, shares, and protects data without exposing it to unauthorized users.

What is a DLP policy? ›

Data loss prevention (DLP) policies help protect your organizational data from being shared with a list of connectors that you define. An organization's data is critical to its success.

What are the three steps of DLP? ›

Explanation: The three steps of data loss prevention are – Identify, Discover and Classify.

What are the two types of DLP? ›

Network DLP: monitors and protects all data in use, in motion or at rest on the company's network, including the cloud. Endpoint DLP: monitors all endpoints, including servers, computers, laptops, mobile phones and any other device on which data is used, moved or saved.

Is DLP prevention or protection? ›

DLP, or Data Loss Prevention, is a cybersecurity solution that detects and prevents data breaches. Since it blocks extraction of sensitive data, organizations use it for internal security and regulatory compliance.

Which two action types can be tracked by the Microsoft Compliance Manager? ›

Compliance Manager tracks two types of actions:
  • Your improvement actions: Managed by your organization.
  • Microsoft actions: Managed by Microsoft.
May 4, 2023

What is a compliance alert? ›

Compliance alert means “an electronic response sent to the filer by the Automated Export System when the shipment was not reported in accordance with statute.

What information do Microsoft managed controls show in compliance manager? ›

It shows a percentage based on points achievable for completing improvement actions that address key data protection standards and regulations. Points from Microsoft actions, which are managed my Microsoft, also count toward your compliance score.

What should I look in a DLP solution? ›

What Key Capabilities Should You Look For In A Data Loss Prevention Solution? At a minimum, a DLP solution should include features that enable the discovery and classification of data at rest, data in motion, and be able to remediate based of data activity.

How long does it take for DLP policy to update? ›

For some policies, it takes up to 24 hours for changes to take effect on all services. For your reference: Create, test, and tune a DLP policy. Therefore, please kindly be patient for up to 24 hours after you create or modify some policies.

What is the license requirement for Office 365 DLP for Endpoint DLP? ›

Before you can use Endpoint DLP, you need Microsoft 365 E5 licenses or either the Microsoft 365 E5 information protection and governance or compliance add-ons.

What is the default DLP policy in Office 365? ›

To help protect the sensitive information, the default DLP policy: Detects when content in Exchange, SharePoint, and OneDrive that contains at least one of the following sensitive information is shared with people outside your organization.

Which type of DLP policy may be configured in the Microsoft 365 Compliance Center? ›

With a DLP policy, you can identify, monitor, and automatically protect sensitive items across: Microsoft 365 services such as Teams, Exchange, SharePoint, and OneDrive accounts. Office applications such as Word, Excel, and PowerPoint. Windows 10, Windows 11 and macOS (three latest released versions) endpoints.

What is the DLP rule in Office 365? ›

Policies that are defined within Office 365 will govern data and send notifications when someone violates a rule. The DLP feature in Office 365 will automatically classify data and use the set policies to stop an email from being sent and block unauthorized access to classified content.

Is DLP a firewall? ›

Delivered via PA-Series Next-Generation Firewalls, Enterprise DLP inspects web traffic to automatically detect, monitor and protect sensitive data in motion. Delivered via PA-Series Next-Generation Firewalls, Enterprise DLP inspects web traffic to automatically detect, monitor and protect sensitive data in motion.

Is DLP hardware or software? ›

Data loss prevention (DLP) software, also known as data leak prevention software, is used to secure control and ensure compliance of sensitive business information. A key component of DLP solutions is distribution control, which ensures users do not send private information outside of corporate business networks.

What are the different types of DLP sensors? ›

DLP includes two sensor types: built-in sensors, and user-defined sensors.

How to automatically configure Teams DLP policies to protect files shared in team messages? ›

You can extend the Teams DLP policy to cover SharePoint Online and OneDrive for Business by selecting Automatic file protection from the banner in DLP > Policies. This will enable DLP protection for all the files shared in Teams chats and channels with the same rules that apply to Teams messages.

Which three items must you identify when configuring dynamic data masking? ›

Dynamic data masking policy

The designated fields can be defined using a database schema name, table name, and column name.

What is the first step that should be considered in a Data Loss Prevention DLP program? ›

The first step in any DLP program is to determine which data would cause the biggest problem were it stolen. Manufacturing companies might choose to prioritize intellectual property such as design documents in their DLP efforts, particularly those for future products.

What are the 5 parts of DLP? ›

A DLP includes five parts of thorough explanation on, lesson topic, class objectives, procedure, time management and student practice.

What are the 6 parts of DLP? ›

A typical DLP contains the following parts: Objectives, Content, Learning Resources, Procedures, Remarks and Reflection.

How do I view DLP policies? ›

You can find these reports in the Microsoft Purview compliance portal > Reports > Dashboard.

What are the 5 steps to successfully implement data loss prevention? ›

The steps for implementing a successful DLP strategy are 1) finding and classifying your data, 2) understanding the risks to data, 3) developing policies and procedures, 4) procuring a DLP solution, and 5) monitoring data usage.

How do you handle a DLP incident? ›

For Devices DLP alerts, select the device card on the top of the alert page to view the device details and take remediation actions on the device. Go to the incident summary page and select Manage Incident to add incident tags, assign, or resolve an incident.

In which type of compliance control can you apply a data loss prevention DLP rule for gmail? ›

Like a standard Gmail content compliance setting, you can use DLP detectors to trigger automatic responses. These include quarantining, rejecting, or modifying a message. You can also combine predefined detectors with keywords or regular expressions to create more sophisticated content compliance policies.

What are the three reasons for organizations to want to implement DLP? ›

We have compiled a list of reasons for why organizations need a DLP guideline.
  • 1) 360 Degree View of Data. ...
  • 2) Prevention Against Internal Leaks. ...
  • 3) Comply with Security Regulations. ...
  • 4) Data Breaches Cost Time & Money. ...
  • 5) Reduce Threats for Mobility.
Mar 28, 2017

What causes breach of DLP guidelines? ›

Most of the breaches involved exposure of user's personal data and disclosure of business-related documents. Data breaches and data loss are natural things when you have many people working with information in numerous data analytics, data mining, machine learning operations, accounting, customer support, etc.

What is the importance of data protection compliance? ›

Data protection is important, since it prevents the information of an organization from fraudulent activities, hacking, phishing, and identity theft. Any organization that wants to work effectively need to ensure the safety of their information by implementing a data protection plan.

How to configure DLP policy? ›

The DLP policy process
  1. Assign the policy a name.
  2. Classify connectors.
  3. Define the scope of the policy. This step doesn't apply to environment-level policies.
  4. Select environments.
  5. Review settings.
Jun 29, 2022

What are the 3 main objectives being solved by DLP? ›

Data loss prevention solves three main objectives that are common pain points for many organizations: personal information protection / compliance, intellectual property (IP) protection, and data visibility.

Which prerequisites permission is required to create DLP policy in Flow Admin Center? ›

DLP policies are created in the Power Platform admin center. They affect Power Platform canvas apps and Power Automate flows. To create a DLP policy, you need to be a tenant admin or have the Environment Admin role.

What are the permissions required to use the audit log search tool in Office 365? ›

Before you can run an audit log search, an admin must assign the required permissions to your account. The permissions can be either View-Only Audit Logs or Audit Logs. You may have to wait several hours from the time you enable log auditing before you can run an audit log search.

What is the purpose of performing bypass permission in Mcafee DLP? ›

These permissions allow administrators to generate client bypass and uninstall keys, release from quarantine keys, and master keys.

Which licenses allow you to deploy DLP policies in SharePoint online? ›

Office 365 and Microsoft 365 E3 include DLP protection for SharePoint Online, OneDrive, and Exchange Online.

Which option is the most important aspect for deploying DLP? ›

Which of the following is the most important aspect in determining DLP readiness before deploying?
  • Choosing a vendor.
  • Focusing on DLP limitations in extreme cases.
  • Identifying data it is designed to protect.
  • Relying on DLP as an infallible security control.

Where are permissions set for viewing audit logs? ›

Go to Computer Configuration → Policies → Windows Settings → Security Settings. Go to Local Policies → Audit Policy: Audit object access.

Which Microsoft 365 compliance feature can you use? ›

Microsoft 365 Business Premium includes Compliance Manager, which can help you get started setting up your compliance features. Such features include data loss prevention, data lifecycle management, and insider risk management, to name a few.

How to turn auditing on or off Microsoft 365 compliance Microsoft Docs? ›

Use the compliance portal to turn on auditing

In the Microsoft Purview compliance portal at, go to Solutions > Audit. Or to go directly to the Audit page, use


1. Simplify regulatory compliance with Microsoft Purview Compliance Manager
(Microsoft Mechanics)
2. Planning your Security Compliance with Microsoft Purview
(Valto IT Services)
3. Microsoft Endpoint DLP: Tenant/Client Configuration & Setup
(Matt Soseman)
4. Introduction to Microsoft Purview Data Loss Prevention
(Info Protection and DLP Ninja Vids)
5. Microsoft Purview Data Loss Prevention: Behavior of DLP
(Info Protection and DLP Ninja Vids)
6. Risk-based automatic DLP policy adjustment with Adaptive Protection | Microsoft Purview
(Microsoft Mechanics)


Top Articles
Latest Posts
Article information

Author: Merrill Bechtelar CPA

Last Updated: 11/20/2023

Views: 5365

Rating: 5 / 5 (70 voted)

Reviews: 85% of readers found this page helpful

Author information

Name: Merrill Bechtelar CPA

Birthday: 1996-05-19

Address: Apt. 114 873 White Lodge, Libbyfurt, CA 93006

Phone: +5983010455207

Job: Legacy Representative

Hobby: Blacksmithing, Urban exploration, Sudoku, Slacklining, Creative writing, Community, Letterboxing

Introduction: My name is Merrill Bechtelar CPA, I am a clean, agreeable, glorious, magnificent, witty, enchanting, comfortable person who loves writing and wants to share my knowledge and understanding with you.