This post is part of the overall MS-500 Exam Study Guide. Links to each topic as they are posted can be found here.
This post will cover the following exam topics listed under the “Manage Data Loss Prevention (DLP)” section:
- Monitor DLP reports
- Manage DLP notifications
In the previous post we configured a DLP policy to protect sensitive information within our tenancy, now that everything is configured, we will look at how we can monitor the performance of DLP. We can use both DLP reports and notifications to maintain visibility of our policy matches.
Monitor DLP Reports
To view the DLP reports, navigate to the Microsoft 365 Compliance Center and open up the Reports section. Here we see reports relating to a multitude of compliance aspects such as Retention labels, Sensitivity labels, DLP and information on third party apps from Cloud App Security. Within the dashboard, we can easily see a high level display of the DLP status of our tenant under the “Organizational Data” section.
Clicking “View Details” on any of the dashboard will bring us to the details of the report. Here we can view the detailed reports behind the dahboards, modify filters and sort the results as required.
Clicking on an entry in the detailed list will open up the full details of the policy match.
Manage DLP Notifications
As well as viewing reports, we can also view the alerts we configured in our DLP policy. Depending on how the policy was configured, we can also receive email alerts when a DLP policy is triggered.
To view the complete list of alerts, navigate to the Compliance portal again and open up the “Data Loss Prevention” page from the “Solutions” Section. Here we will see a full, filterable list of all DLP alerts for our tenancy.
Clicking the alert will bring us to the details page where we can view the details of the alert and open the events page which show the events which triggered the alert.
We can open the event details by clicking a specific alert which will show us a huge amount of detail around the DLP event.
Back on the Alert page, we can click “Manage Alert” at the bottom of the page to update status, assignments and comments of the alert. When we are happy the alert has been investigated, we can update the status to “Resolved” or “Dismissed” and save it to close the alert.
In the last two posts we have deployed a DLP policy, defined a custom sensitive information type and looked at how we can monitor our DLP policies through reports and alerts. DLP policies are a really powerful tool to have at our disposal but it is good to note that they are not intended as a complete solution. When they are integrated along with other solutions such as Sensitivity Labels, MCAS, Endpoint DLP etc. they can help to build out a secure and efficient sharing model.
For more information on the reporting and alerting functionality of DLP, check out the below links.