Sentinel Data Leak

The Sentinel Data Leak agent performs a comprehensive investigation of a Microsoft Sentinel incident, correlating Defender XDR and Purview data to determine whether the incident is a true data exfiltration event or a false positive. It returns a single Markdown report with evidence, correlation insights, analyst reasoning, and executive recommendations.

Customer value

  • Automates cross-signal correlation centered on a Sentinel incident.
  • Validates exfiltration signals against corroborating device/user/file context and Purview data security alerts.
  • One executive-ready report with verdict, evidence highlights, and prioritized recommendations.
  • Uses existing Sentinel + Purview signals without introducing new data sources.

Functional design (high level)

Required input

Incident: Sentinel incident identifier (GUID, integer incident number, or incident URL).

Output

A single Markdown report with executive summary (verdict), incident context, correlated evidence tables, analyst reasoning, prioritized recommendations, and coverage/limitations if any data is unavailable.

Behavior & guardrails

Manual execution only (on-demand).

No additional parameters/thresholds required beyond Incident.

Markdown-only output (no raw JSON).

Graceful handling of missing signals (report what was unavailable).

Manual trigger: On-demand
Process skill: SentinelDataLeak.SentinelDataLeakInvestigator
Report output: Markdown

Investigation steps

1) Incident context

Retrieve Sentinel incident details and entities using GetIncident, GetIncidentEntities, and (when useful) GetSentinelIncidents.

2) Enrichment & correlation

Enrich with device and file context: EnrichIncidentWithDeviceContext, EnrichIncidentWithFileContext.

Hunt related activity for involved users, IPs, or hostnames: FindUserIpOrHostnameAccessRecords, FindUserScriptDownloads.

3) Purview (data security) analysis

Zoom in on and summarize data-risk/user-risk and DLP/IRM signals using the relevant Purview analysis skills.

4) Reasoning & verdict

Correlate all findings to assess whether sensitive data was accessed, shared, or exfiltrated, and whether the observed behavior supports a true-exfiltration or a false-positive conclusion.

Enablement & how to run

Prerequisites

Access to Microsoft Sentinel incidents and alerts.

Access to Purview data security/alerts as required by the enabled skills.

Fusion/Sentinel/Purview skillsets enabled in Security Copilot.

Enable the agent

Install/enable Sentinel Data Leak in Security Copilot and consent to the required skillsets.

How to run

Run manually with: Run Sentinel Data Leak for Incident = “<GUID | IncidentNumber | IncidentURL>”.
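The agent accepts the incident reference in three forms (GUID, integer incident number, or incident URL). The following added example, not part of the agent or of Security Copilot, shows an input normalizer a defender could put in front of the run command so a malformed reference is rejected before any lookup; the portal URL layout (incident GUID as the last GUID in the path or fragment) is an assumption.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Canonical GUID shape: 8-4-4-4-12 hex groups, case-insensitive.
_GUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
# Same shape, unanchored, for pulling the incident GUID out of a URL.
_GUID_IN_TEXT_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.IGNORECASE)


@dataclass(frozen=True)
class IncidentRef:
    kind: str   # "guid", "number" or "url"
    value: str  # normalized identifier handed to the investigation


def parse_incident_reference(raw: str) -> IncidentRef:
    """Normalize the three documented input forms; raise ValueError otherwise."""
    ref = raw.strip().strip("\u201c\u201d\"'")  # tolerate quotes pasted from the run command
    if not ref:
        raise ValueError("empty incident reference")

    if _GUID_RE.match(ref):
        return IncidentRef("guid", ref.lower())

    if re.fullmatch(r"[0-9]+", ref):
        # Integer incident number as shown in the Sentinel incident queue.
        return IncidentRef("number", str(int(ref)))

    parsed = urlparse(ref)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        # Assumption: the incident GUID is the last GUID in the URL path or
        # fragment (Azure portal deep links carry subscription and incident GUIDs).
        guids = _GUID_IN_TEXT_RE.findall(parsed.path + parsed.fragment)
        if not guids:
            raise ValueError("incident URL does not contain an incident GUID")
        return IncidentRef("url", guids[-1].lower())

    raise ValueError(f"unrecognized incident reference: {raw!r}")


def is_valid_incident_reference(raw: str) -> bool:
    """Boolean gate for scripts that only need to know whether to proceed."""
    try:
        parse_incident_reference(raw)
        return True
    except ValueError:
        return False
```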

Expected output

One markdown report with: verdict (true exfiltration / false positive / inconclusive), incident context, evidence correlation (Defender/Purview), analyst reasoning, prioritized recommendations, and data-coverage notes.

Need a fast, evidence-based verdict on a Sentinel Data Leak incident?
Contact us to enable Sentinel Data Leak and produce a single executive-ready report with correlated evidence and prioritized recommendations. Manual, incident-driven investigations. Markdown-only output. Graceful handling of missing signals.
