Merge pull request #50166 from MicrosoftDocs/NEW-purview-data-loss-prevention-alerts

New purview data loss prevention alerts

Author: JamesJBarnett

learn-pr/paths/purview-implement-manage-dlp/index.yml

@@ -1,13 +1,13 @@
 ### YamlMime:LearningPath
 uid: learn.wwl.purview-implement-manage-dlp
 metadata:
-  title: 'Implement and manage data loss prevention (SC-401)'
+  title: 'Implement and manage Microsoft Purview Data Loss Prevention (SC-401)'
   description: 'Organizations need to prevent data loss and safeguard sensitive information to meet security and compliance goals. Microsoft Purview provides DLP capabilities to detect and respond to risky activities across cloud and endpoint environments. Learn how to design, configure, and manage DLP policies using Microsoft Purview. This learning path aligns with exam SC-401: Microsoft Information Security Administrator.'
   ms.date: 03/14/2025
   author: wwlpublish
   ms.author: riswinto
   ms.topic: learning-path
-title: 'Implement and manage data loss prevention'
+title: 'Implement and manage Microsoft Purview Data Loss Prevention'
 prerequisites: |
   - Foundational knowledge of Microsoft security and compliance technologies
   - Basic knowledge of information protection concepts
@@ -28,6 +28,7 @@ modules:
 - learn-m365.m365-compliance-information-prevent-data-loss
 - learn-m365.purview-implement-endpoint-dlp
 - learn.wwl.create-configure-data-loss-prevention-policies
+- learn.wwl.purview-data-loss-prevention-alerts
 
 trophy:
   uid: learn.wwl.purview-implement-manage-dlp.trophy

learn-pr/wwl-sci/purview-data-loss-prevention-alerts/configure-data-loss-prevention-alert-generation.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.purview-data-loss-prevention-alerts.configure-data-loss-prevention-alert-generation
+title: Configure DLP policies to generate alerts
+metadata:
+  title: Configure DLP policies to generate alerts
+  description: "Configure DLP policies to generate alerts"
+  ms.date: 04/25/2025
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 7
+content: |
+  [!include[](includes/configure-data-loss-prevention-alert-generation.md)]

learn-pr/wwl-sci/purview-data-loss-prevention-alerts/data-loss-prevention-alert-lifecycle.yml

@@ -0,0 +1,15 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.purview-data-loss-prevention-alerts.data-loss-prevention-alert-lifecycle
+title: Understand the DLP alert lifecycle
+metadata:
+  title: Understand the DLP alert lifecycle
+  description: "Understand the DLP alert lifecycle"
+  ms.date: 04/25/2025
+  author: wwlpublish
+  ms.author: riswinto
+  ms.topic: unit
+azureSandbox: false
+labModal: false
+durationInMinutes: 1
+content: |
+  [!include[](includes/data-loss-prevention-alert-lifecycle.md)]

learn-pr/wwl-sci/purview-data-loss-prevention-alerts/includes/configure-data-loss-prevention-alert-generation.md

@@ -0,0 +1,77 @@
+Alert settings in a data loss prevention (DLP) policy control how and when security teams are notified about risky activity. The configuration choices determine whether alerts are triggered for every policy match or only when certain thresholds are met. Understanding how to configure alerts and when to use different alert types is key to managing data risk effectively. Licensing also affects which alert options are available. Making the right choices ensures the right people are informed at the right time, without generating unnecessary noise.
+
+## When do you configure alerts in a DLP policy?
+
+When you create or edit a DLP policy in Microsoft Purview, you start by defining which conditions to monitor. You then decide what actions to take and how alerts should be handled. Alert settings are part of the rule configuration stage. After you define your conditions and actions, you decide whether to notify someone and whether an alert should be created.
+
+To configure alerts when creating or editing a DLP policy:
+
+1. Go to the Microsoft Purview portal.
+1. Select **Solutions** > **Data Loss Prevention** > **Policies**.
+1. Create a new DLP policy or select an existing policy to modify.
+1. **Choose where to apply the policy** in locations such as Exchange, SharePoint, or devices.
+1. Create a new rule or edit an existing rule.
+1. After defining conditions and actions, configure incident reports and alerting behavior:
+
+   :::image type="content" source="../media/configure-incident-reports.png" alt-text="Screenshot showing the configuration options for incident reports in a data loss prevention policy." lightbox="../media/configure-incident-reports.png":::
+
+1. Choose to deploy your policy right away, in simulation mode, or off.
+1. Save and submit your policy settings.
+
+## Types of DLP alerts
+
+There are two types of DLP alerts you can configure in Microsoft Purview:
+
+- **Single-event alerts** generate an alert every time a policy rule match occurs. These alerts are best for low-volume, high-sensitivity events—like when a user emails a file containing multiple credit card numbers.
+- **Aggregate-event alerts** generate alerts only when a threshold is met, such as 10 matching events within 24 hours. This configuration helps reduce alert fatigue in high-volume environments.
+
+You can set thresholds by:
+
+- **Number of matches** (for example, 10 matches in 60 minutes)
+- **Volume of data** (for example, more than 1 MB of matching content)
+
+To prevent alert overload, policy matches on the same item in the same location are grouped if they occur within a one-minute window.
+
+## Licensing requirements
+
+What you can configure depends on your Microsoft 365 license:
+
+- **Single-event alerts**: Available with E1, F1, G1, E3, or G3 licenses.
+- **Aggregate-event alerts**: Requires an E5 license or one of the following add-ons for E3/G3:
+  - Office 365 Advanced Threat Protection Plan 2
+  - Microsoft 365 E5 Compliance
+  - Microsoft 365 eDiscovery and Audit add-on
+
+Licensing also affects the aggregation time window:
+
+- **One-minute window**: E5 or add-on license
+- **15-minute window**: E3/G3 or lower without the add-on
+
+## Roles required to configure alerts
+
+To configure or view DLP alerts, users must be assigned specific roles in Microsoft Purview. These roles include:
+
+- **Compliance Administrator**
+- **Information Protection Admin**
+- **Security Operator**
+- **Security Reader**
+- **Information Protection Investigator**
+
+To access the DLP alert management dashboard, users must have the **Manage alerts** role, with membership in either the **DLP Compliance Management** or **View-Only DLP Compliance Management** role group.
+
+For viewing matched content or using Content explorer, the **Content Explorer Content Viewer** role is also required.
+
+## Where alerts appear
+
+Email notifications deliver alerts and also display them in two key locations:
+
+- **Microsoft Defender XDR**: Used for investigating alerts and managing incidents. This is where alerts are grouped, correlated with other events, and acted on.
+- **Microsoft Purview alerts dashboard**: Used for configuring policies and reviewing alert history. You can change alert status, export activity data, or share events with others.
+
+## How alerts behave after deployment
+
+- Alerts, incident reports, and user notifications only trigger once per document, even if the same content is shared or accessed multiple times.
+- It can take up to 3 hours for a new or updated policy to begin generating alerts.
+- If your tenant uses Endpoint DLP or Teams DLP, alerts from those services also appear in the DLP alerts dashboard.
+
+These behaviors help set expectations for how and when alerts are delivered, so that teams can act confidently on the signals they receive.

learn-pr/wwl-sci/purview-data-loss-prevention-alerts/includes/data-loss-prevention-alert-lifecycle.md

@@ -0,0 +1,77 @@
+Data loss prevention (DLP) alerts follow a structured path from detection through resolution. Understanding each step in the alert lifecycle helps ensure that potential data risks are handled consistently and that DLP policies continue to improve over time.
+
+## Trigger
+
+A DLP alert starts when a user's action matches a condition in a DLP policy. Policies are typically configured to watch for activity that could lead to data loss, like:
+
+- Sharing sensitive data with people outside the organization
+- Downloading confidential files to removable media
+- Uploading protected content to unsanctioned cloud apps
+
+When this kind of activity happens, the policy can take actions such as blocking the activity, warning the user, and if configured to do so, generating an alert.
+
+## Notify
+
+If a policy is configured to generate an alert, that alert appears in two places:
+
+- **Microsoft Defender portal**: Where alerts are grouped into incidents along with other security signals
+- **Microsoft Purview alerts dashboard**: Where you can track alert history, review alert details, and perform basic actions
+
+Email notifications can also be sent to users, admins, or security teams depending on the policy setup. These notifications let you know something happened that might require a closer look.
+
+In this phase, you can also use Activity explorer to view the details of what happened. If your team uses Microsoft's APIs, you can export activity data for long-term storage or custom reporting.
+
+## Triage
+
+Triage is about reviewing new alerts and deciding what to do next. You decide if the alert is a false positive or something that needs a deeper investigation. If it's valid, you assign it a priority level and designate someone to own the response.
+
+The Microsoft Defender portal groups related alerts into incidents. This gives you a broader view of the user's actions. For example, if a user downloads a file from SharePoint, uploads it to a personal OneDrive, and then shares it externally, those events are grouped into one incident. This makes it easier to focus on what matters.
+
+You can use tags, comments, and filters to manage the incident queue. To focus only on DLP-related alerts, filter by **Service source: Data Loss Prevention**.
+
+If your organization shares Insider Risk Management signals with Defender, you can also see the user's insider risk severity level next to their DLP alerts. This helps prioritize which alerts might require immediate action.
+
+Microsoft Security Copilot is also available in some tenants and can help analyze alert context and suggest next steps. This feature is embedded in the [DLP Alerts dashboard](/purview/dlp-alerts-dashboard-get-started?azure-portal=true#investigate-a-dlp-alert) and in [Data Security Posture Management (preview)](/purview/data-security-posture-management-copilot?azure-portal=true#use-microsoft-security-copilot-with-data-security-posture-management-preview).
+
+## Investigate
+
+Once a triage owner is assigned, the next step is to investigate the alert further. This means gathering evidence, reviewing activity logs, and deciding on a remediation plan.
+
+You can use several tools for this:
+
+- **Microsoft Defender portal**: For viewing incidents, correlating alerts, tagging users, and taking immediate action.
+- **Microsoft Purview alerts dashboard**: For reviewing the alert's full context, updating its status, and sharing with others.
+- **Activity explorer**: For filtering and viewing user actions.
+- **Content explorer**: For deeper review of the file or content that triggered the alert.
+
+If enabled, you can also access a **User activity summary** that shows up to 120 days of user behavior, including risky actions like exfiltrating files or bypassing policy warnings.
+
+## Remediate
+
+After investigation, the alert owner decides what actions to take. Remediation options vary based on how your organization handles risk. Some common actions include:
+
+- Marking the alert as informational and taking no action
+- Following up with the user to explain why the action was risky
+- Blocking file sharing or revoking access
+- Removing the file from cloud storage or applying a sensitivity label
+- Resetting passwords, disabling accounts, or isolating devices
+
+In Defender, you can take many of these actions directly from the portal, including:
+
+- Remove or quarantine a file
+- Revoke sharing permissions
+- Disable user accounts
+- Reset passwords
+- Download or delete emails
+- Use Advanced Hunting to look for related events
+
+## Tune
+
+The final step in the alert lifecycle is tuning your DLP policy. Once you respond to the alert, ask whether the policy worked as intended. You might need to adjust:
+
+- The sensitivity level of conditions that trigger an alert
+- The scope of the policy (users, locations, or groups)
+- Notification settings
+- Whether certain low-risk actions should trigger alerts at all
+
+Tuning helps reduce false positives and improve detection over time. You can revisit your policy intent and compare it to actual outcomes to decide what changes are needed.

learn-pr/wwl-sci/purview-data-loss-prevention-alerts/includes/introduction.md

@@ -0,0 +1,14 @@
+Investigating and responding to data loss prevention (DLP) alerts is an essential part of protecting sensitive information across your organization. DLP policies are designed to detect risky actions, but detecting those actions is only the beginning. To manage risks effectively, it's important to investigate alerts thoroughly, understand what triggered them, and take appropriate action based on your findings.
+
+Imagine you're responsible for protecting sensitive financial data. When an alert is triggered, you need to determine whether it was caused by an accidental action, a potential policy gap, or a sign of something more serious. Knowing how to investigate alerts in Microsoft Purview and Microsoft Defender XDR helps you build a complete picture of what happened. Responding appropriately ensures that risks are addressed, documentation is clear, and policies continue to improve over time.
+
+In this module, you:
+
+- Understand how DLP alerts are triggered and where they appear
+- Identify how DLP alerts are triggered and where they appear
+- Investigate alerts in Microsoft Purview and Microsoft Defender XDR
+- Apply appropriate response actions based on investigation outcomes
+- Complete the investigation process by documenting findings, assigning ownership, and closing alerts or incidents
+- Recognize opportunities to improve DLP policies based on investigation outcomes
+
+By the end of this module, you'll be able to investigate DLP alerts, respond effectively to different types of incidents, and use investigation outcomes to support continuous improvement.