Study Guide Series: Exam MS-500 – Manage Data Loss Prevention (DLP) (Part 2)

This post is part of the overall MS-500 Exam Study Guide. Links to each topic as they are posted can be found here.

This post will cover the following exam topics listed under the “Manage Data Loss Prevention (DLP)” section:

  • Monitor DLP reports
  • Manage DLP notifications

In the previous post we configured a DLP policy to protect sensitive information within our tenancy, now that everything is configured, we will look at how we can monitor the performance of DLP. We can use both DLP reports and notifications to maintain visibility of our policy matches.

Monitor DLP Reports

To view the DLP reports, navigate to the Microsoft 365 Compliance Center and open up the Reports section. Here we see reports relating to a multitude of compliance aspects such as Retention labels, Sensitivity labels, DLP and information on third party apps from Cloud App Security. Within the dashboard, we can easily see a high level display of the DLP status of our tenant under the “Organizational Data” section.

Clicking “View Details” on any of the dashboard will bring us to the details of the report. Here we can view the detailed reports behind the dahboards, modify filters and sort the results as required.

Clicking on an entry in the detailed list will open up the full details of the policy match.


Manage DLP Notifications

As well as viewing reports, we can also view the alerts we configured in our DLP policy. Depending on how the policy was configured, we can also receive email alerts when a DLP policy is triggered.

To view the complete list of alerts, navigate to the Compliance portal again and open up the “Data Loss Prevention” page from the “Solutions” Section. Here we will see a full, filterable list of all DLP alerts for our tenancy.

Clicking the alert will bring us to the details page where we can view the details of the alert and open the events page which show the events which triggered the alert.

We can open the event details by clicking a specific alert which will show us a huge amount of detail around the DLP event.

Back on the Alert page, we can click “Manage Alert” at the bottom of the page to update status, assignments and comments of the alert. When we are happy the alert has been investigated, we can update the status to “Resolved” or “Dismissed” and save it to close the alert.


Summary

In the last two posts we have deployed a DLP policy, defined a custom sensitive information type and looked at how we can monitor our DLP policies through reports and alerts. DLP policies are a really powerful tool to have at our disposal but it is good to note that they are not intended as a complete solution. When they are integrated along with other solutions such as Sensitivity Labels, MCAS, Endpoint DLP etc. they can help to build out a secure and efficient sharing model.

For more information on the reporting and alerting functionality of DLP, check out the below links.

Configure and view alerts for DLP policies (preview) – Microsoft 365 Compliance | Microsoft Docs

View the reports for data loss prevention – Microsoft 365 Compliance | Microsoft Docs

One thought on “Study Guide Series: Exam MS-500 – Manage Data Loss Prevention (DLP) (Part 2)

  1. Pingback: Study Guide Series – Exam MS-500: Microsoft 365 Security Administration – Sean McAvinue

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s