Currently available in public preview (MC387638), we’re rolling out a new unified incident management experience for Microsoft Purview Data Loss Prevention (DLP) in the Microsoft 365 Defender portal along with native integration with Microsoft Sentinel through the Microsoft 365 Defender connector in Sentinel. This message is associated with Microsoft 365 Roadmap ID 93322.
This feature provides a single view for incident management across solutions by making Microsoft Purview Data Loss Prevention incidents available in the unified incidents queue in the Microsoft 365 Defender portal. In addition, customers can use the Microsoft 365 Defender connector in Microsoft Sentinel to import all DLP incidents into Sentinel, extending correlation, detection, and investigation across additional Microsoft and non-Microsoft data sources and extending automated orchestration flows using Sentinel's native SOAR capabilities.
When this will happen
Rollout will begin in mid-September and is expected to be complete by mid-October.
How this will affect your organization
This feature delivers a new and comprehensive DLP investigation experience that is native to the Microsoft 365 Defender portal and provides a single view for incident management. Admins can also import all DLP incidents, alerts, and underlying audit activities into Sentinel to extend correlation, detection, and investigation across additional Microsoft and non-Microsoft data sources and to extend automated orchestration flows using native SOAR capabilities. Features coming soon to general availability:
- View all your DLP alerts grouped under incidents in the Microsoft 365 Defender incident queue
- View intelligent inter-solution (DLP-Microsoft Defender for Endpoint, DLP-Microsoft Defender for Office 365) and intra-solution (DLP-DLP) correlated alerts under a single incident
- Hunt across compliance logs alongside security logs under Advanced Hunting
- In-place admin remediation actions on users (e.g., mark as compromised, require sign-in), files (e.g., apply sensitivity label, apply retention label, unshare), and devices
- Associate custom tags to DLP incidents and filter by them
- Filter unified incident queue by DLP policy name, tag, date, service source, incident status, or user
- Leverage the Microsoft 365 Defender connector in Sentinel to pull DLP incidents into Sentinel for investigation and remediation
Please note that the DLP alerts dashboard in the Microsoft Purview compliance portal will continue to work as expected.
What you need to do to prepare
To import DLP alerts into Microsoft 365 Defender:
- Ensure that alerts are turned on for all your DLP policies in the Microsoft Purview compliance portal. Then open the Microsoft 365 Defender portal and click Incidents in the left navigation menu, or go directly to the Incident Queue.
- Click Filters at the top right and choose Service Source: Data Loss Prevention to view all incidents containing DLP alerts, then take the desired actions to investigate or remediate them.
To import DLP alerts into Sentinel:
- Follow the instructions in Connect data from Microsoft 365 Defender to Microsoft Sentinel to import all incidents, including DLP incidents and alerts, into Sentinel. Enable the CloudAppEvents event connector to pull all Office 365 audit logs into Sentinel.
- You can see your DLP incidents in Sentinel once the connector is set up.
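The service-source filter described above can also be applied in Advanced Hunting, which is useful once the DLP alerts are flowing into the unified queue (and, via the connector, into Sentinel). The following query is an added example and is not part of the Message Center post; it assumes the Defender AlertInfo and AlertEvidence schema and the ServiceSource value "Microsoft Data Loss Prevention" as documented for that schema, and it assumes those two tables are ingested into Sentinel if you run it there.

```kql
// Added example, not from the original post. Lists recent DLP alerts
// (ServiceSource = "Microsoft Data Loss Prevention") with the users, files
// and devices attached as evidence, so analysts can triage by policy/title.
// Assumptions: Defender Advanced Hunting schema for AlertInfo/AlertEvidence.
let lookback = 7d;
AlertInfo
| where Timestamp > ago(lookback)
| where ServiceSource == "Microsoft Data Loss Prevention"
| join kind=leftouter (
    AlertEvidence
    | where Timestamp > ago(lookback)
    | project AlertId, EntityType, AccountUpn, FileName, DeviceName
) on AlertId
| summarize
    Alerts = dcount(AlertId),
    Users = make_set(AccountUpn, 20),
    Files = make_set(FileName, 20),
    Devices = make_set(DeviceName, 20),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by Title, Severity, Category
| order by Alerts desc
```

Add a `| where Title has "<policy name>"` line after the ServiceSource filter to narrow the results to one DLP policy, matching the policy-name filter available in the incident queue.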
Message ID: MC424903
Published: 02 September 2022
Updated: 02 September 2022
Platform: Online, Web, World tenant