Microsoft Purview DLP: Incident management in Microsoft 365 Defender portal

Microsoft Purview DLP: Incident management in Microsoft 365 Defender portal

Coming soon to public preview, we’re introducing a new unified incident management experience for Microsoft Purview Data Loss Prevention (DLP) in the Microsoft 365 Defender portal along with native integration with Microsoft Sentinel through the Microsoft 365 Defender connector in Sentinel.

This message is associated with Microsoft 365 Roadmap ID 93322.

When this will happen:

Rollout will begin in early June and is expected to be complete by late June.

How this will affect your organization:

This feature delivers a new and comprehensive DLP investigation experience that is native to the Microsoft 365 Defender portal and provides a singular view for incident management. Admins can also import all DLP incidents, alerts, and underlying audit activities into Sentinel to extend correlation, detection, and investigation across additional Microsoft and non-Microsoft data sources and extend automated orchestration flows using native SOAR capabilities.

Features included in this preview:

  • View all your DLP alerts grouped under incidents in the Microsoft 365 Defender incident queue
  • View intelligent inter-solution (DLP-Microsoft Defender for Endpoint, DLP-Microsoft Defender for Office 365) and intra-solution (DLP-DLP) correlated alerts under a single incident
  • Hunt for compliance logs along with security under Advanced Hunting
  • In-place admin remediation actions on user (i.e., mark as compromised, require sign-in), file (i.e., apply sensitivity label, retention label, unshare), and device
  • Associate custom tags to DLP incidents and filter by them
  • Filter unified incident queue by DLP policy name, tag, date, service source, incident status, or user
  • Leverage the Microsoft 365 Defender connector in Sentinel to pull DLP incidents into Sentinel for investigation and remediation

Please note that the DLP alerts dashboard in the Microsoft Purview compliance portal will continue to work as expected.

What you need to do to prepare:

To import DLP alerts into Microsoft 365 Defender:

  1. Ensure that you have turned on alerts for all your DLP policies in the Microsoft Purview compliance portal, then navigate to Microsoft 365 Defender portal and click on Incidents in the left navigation menu or go directly to Incident Queue.
  2. Click on Filters on top right and choose Service Source: Data Loss Prevention to view all incidents with DLP alerts and take desired actions to investigate or remediate alerts.

View incidents
View image in new tab

To import DLP alerts into Sentinel:

  1. Follow instructions on Connect data from Microsoft 365 Defender to Microsoft Sentinel to import all incidents including DLP incidents and alerts into Sentinel. Enable CloudAppEvents event connector to pull all Office 365 audit logs into Sentinel.
  2. You can see your DLP incidents in Sentinel once the connector is setup.

View incidents in Sentinel
View image in new tab

Learn more:


Contact Us 


No Comments

Sorry, the comment form is closed at this time.