Posted February 6, 2023

Organizations across the world want to efficiently investigate and remediate data loss prevention incidents across all locations in their digital estate. This blog provides guidance for choosing the investigation experience best suited to your organization when using Microsoft Purview Data Loss Prevention.

Recommended guidance

The Microsoft Purview Data Loss Prevention (DLP) team recommends using the Microsoft 365 Defender experience for DLP alert investigations. You can learn more here: Investigate data loss incidents with Microsoft 365 Defender | Microsoft Docs

If you are currently using the Microsoft Purview compliance portal for DLP investigations, we recommend investigating DLP in the Microsoft 365 Defender incident queue for an enhanced experience. For advanced incident management needs such as reporting and automated workflows, Sentinel can be used. This will, however, require custom expertise to create playbooks and custom reports.

As an analyst or investigator, you can perform exhaustive DLP investigations in both the Microsoft 365 Defender portal and Microsoft Sentinel. Sentinel provides built-in as well as custom capabilities to tailor to more advanced scenarios.

Benefits of Microsoft 365 Defender and Microsoft Sentinel

Key benefits of Microsoft 365 Defender:

- Improved triaging experience, including tagging, filtering, and bulk actions on incidents.
- Advanced hunting provides the ability to query raw compliance and security data to proactively detect known and potential risks in your organization, as well as to visualize the attack chain.
- Unified dashboard with a single incident queue for viewing all your DLP alerts for SOC/DLP team investigations.
- Intelligent intra-solution (DLP-DLP) correlations under a single incident, and inter-solution correlations between security (MDE, MDO, etc.) and DLP incidents.
- Filtering options on the unified incident queue include DLP policy name, date, service source, incident status, user, and more, plus the ability to associate custom tags with DLP incidents for custom filtering.
- Built-in remediation actions on users, files, and devices, such as labelling files, removing violating e-mails, or resetting user account credentials.

Key benefits of Microsoft Sentinel:

- Single pane of glass with the ability to pull in signals from 1st party sources, leveraging native connectors such as the Microsoft 365 Defender connector in Microsoft Sentinel to pull DLP incidents, and from 3rd party sources such as Google, AWS, JIRA, etc., for investigation and remediation in Microsoft Sentinel.
- Custom analytic rules can be used to create alerts based on data from across various systems.
- Workbooks can be used to create reports; the reports can be fully customized to measure KPIs. By utilizing watchlists or UEBA, additional organizational context can be added.
- Automation workflows for incident management can be used to collect feedback from line managers and from users who violated policies. It is also possible to create custom actions like collecting evidence, initiating content searches, or setting up integration with 3rd party systems.

What fits my investigation needs?

You should select the solution that meets your needs. Below are the capabilities available in each, compared side by side.

Triaging

Microsoft 365 Defender: Immediately start triaging incidents and use tags, comments, and other features to structure your incident management. You should be utilizing the Incidents page in the Microsoft Defender portal to manage your DLP alerts.

Microsoft Sentinel: Leverage the Microsoft 365 Defender connector in Microsoft Sentinel to pull DLP incidents into Sentinel for DLP investigations. To extend the triaging experience, additional data can be ingested and displayed as part of the investigation. For example, the logs from an interception proxy can be shown inline in the triaging experience.

Investigation

Microsoft 365 Defender: Full evidence, like the email and the document, is easily accessible. Content Explorer can be used to deeply investigate the content in the incident.

Microsoft Sentinel: Logs giving the detailed chain of events across first party and 3rd party systems are available. Customizations are required to get access to full evidence; via a deep link, the full content can be accessed from the incident. Ingestion of logs into Sentinel can also be done using custom methods, which allows for more customization. Please look at O365-ActivityFeed-AzureFunction/Sentinel/EndPoint at master · OfficeDev/O365-ActivityFeed-AzureFunction (github.com) as an example. This includes sample flows that can be used.

Correlation

Microsoft 365 Defender: Immediately start triaging DLP incidents with correlation of Defender alerts.

Microsoft Sentinel: By using custom Azure Sentinel analytic rules, you can correlate with 3rd party systems.

Incident updates and tracking

Microsoft 365 Defender: Alerts are grouped in incidents. Supports tagging, status, classifications, comments, and multi-select on filter to update.

Microsoft Sentinel: Alerts are grouped in incidents. Rules can stamp tags, update status, severity and owner, and call on playbooks in various stages.

Remediation actions

Microsoft 365 Defender: Immediately start using the built-in actions.
- Close integration with MDA: Reset pwd, Disable account, View user activity
- Actions on DLP detections: Remove document, Apply label, UnShare, Download email
- Via Advanced Hunting: Isolate device, Collect investigation pack from device, Run AV scan, Quarantine file, Disable user, Reset pwd, Delete email, Move mail to other mailbox folder

Microsoft Sentinel: Sentinel can be extended to use automation actions on top of incidents. Sentinel allows for a high degree of customization. Actions run can be integrated to update the incident based on completion. Integration with other systems can be done via Logic Apps, which support integration with many providers: Connector reference overview | Microsoft Learn. Examples of ready playbooks can be found here: Azure-Sentinel/Playbooks at master · Azure/Azure-Sentinel · GitHub

Reporting

Microsoft 365 Defender: Reporting on DLP violations and overrides. Activity explorer to view DLP related activities and filter for reporting. To export activity data for reporting, use Export-ActivityExplorerData (ExchangePowerShell) | Microsoft Docs, or leverage the O365 Management Activity API or the Incident API.

Microsoft Sentinel: Sentinel has strong built-in reporting using the Kusto Query Language. The built-in workbook Security operations efficiency can be of use for both the built-in M365 Defender integration and any custom integration: Manage your SOC better with incident metrics in Microsoft Sentinel | Microsoft Docs. Sentinel supports enrichments from non-Microsoft systems as well as watchlists and other custom components to build powerful reports. Direct integration with Power BI is available: Create a Power BI report from Microsoft Sentinel data | Microsoft Learn

Retention of incidents

Microsoft 365 Defender: 6 months

Microsoft Sentinel: 2 years built-in support, archive up to 7 years: Configure data retention and archive in Azure Monitor Logs (Preview) - Azure Monitor | Microsoft Learn

Conclusion

Microsoft Purview DLP provides several approaches to triage and respond to DLP incidents. In this guide we have covered the Microsoft-recommended unified incident queue in the Microsoft 365 Defender portal for DLP investigations. In addition, we have also covered key considerations when choosing the right tool for your needs. You can work with your analyst or SOC team to tune the way you handle and investigate DLP incidents.

Get Started

Get started with the following articles about data loss prevention investigation:

- Investigate data loss incidents with Microsoft 365 Defender
- Configure and view alerts for data loss prevention policies
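The advanced hunting and inter-solution correlation capabilities listed under the Microsoft 365 Defender benefits above can be exercised directly in the Defender advanced hunting editor. The following KQL query is an added example written for this page, not code from the original post or from Microsoft. It assumes that DLP alerts carry the ServiceSource value "Microsoft Data Loss Prevention" in the AlertInfo table and that the user involved in an alert is recorded in AlertEvidence with EntityType "User" and an AccountUpn; both are assumptions to confirm against your tenant's schema. It pairs each non-DLP Defender alert with DLP alerts on the same user within a 24-hour window, which is the kind of cross-solution view the unified incident queue builds automatically.

```kql
// Added example (assumptions: the ServiceSource value used for DLP alerts and
// the AlertEvidence columns below match the schema exposed in your tenant).
let lookback = 7d;
let window = 24h;
// DLP alerts, one row per alert/user pair
let dlpAlerts = AlertInfo
    | where Timestamp > ago(lookback)
    | where ServiceSource == "Microsoft Data Loss Prevention"   // assumption
    | join kind=inner (
        AlertEvidence
        | where EntityType == "User" and isnotempty(AccountUpn)
        | project AlertId, AccountUpn
      ) on AlertId
    | project DlpAlertId = AlertId, DlpTitle = Title, DlpSeverity = Severity,
              DlpTime = Timestamp, AccountUpn;
// Alerts from the other Defender products, again keyed by the user involved
AlertInfo
| where Timestamp > ago(lookback)
| where ServiceSource != "Microsoft Data Loss Prevention"
| join kind=inner (
    AlertEvidence
    | where EntityType == "User" and isnotempty(AccountUpn)
    | project AlertId, AccountUpn
  ) on AlertId
| project SecAlertId = AlertId, SecTitle = Title, SecSource = ServiceSource,
          SecTime = Timestamp, AccountUpn
// Pair each security alert with DLP alerts on the same user inside the window
| join kind=inner dlpAlerts on AccountUpn
| where abs(SecTime - DlpTime) <= window
| summarize
    DlpAlerts      = make_set(DlpTitle),
    SecurityAlerts = make_set(SecTitle),
    Sources        = make_set(SecSource),
    FirstSeen      = min(min_of(SecTime, DlpTime)),
    LastSeen       = max(max_of(SecTime, DlpTime)),
    PairCount      = count()
    by AccountUpn
| order by PairCount desc
```

Users at the top of the result are those for whom a DLP violation coincided with endpoint, email or identity alerts; in the unified queue these would already be correlated into one incident, and the query is a way to see the same relationship, and to extend it with your own time window or extra evidence types, from raw data.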
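For the Reporting and Retention of incidents rows in the comparison above, the Kusto-based reporting in Sentinel can be demonstrated with a query over the SecurityIncident table, the same table the Security operations efficiency workbook is built on. The following KQL is an added example, not from the original post or from Microsoft. It assumes incidents arrive through the Microsoft 365 Defender connector (ProviderName "Microsoft 365 Defender") and that the contributing product names are exposed in the AdditionalData.alertProductNames field; verify both against your workspace. The arg_max step is the important detail: SecurityIncident stores one row for every update to an incident, so without it each incident is counted once per revision and the time-to-close figures are wrong.

```kql
// Added example (assumptions: the ProviderName value and the
// AdditionalData.alertProductNames field match your Sentinel workspace).
SecurityIncident
| where TimeGenerated > ago(90d)
| where ProviderName == "Microsoft 365 Defender"                        // assumption
| extend AlertProducts = tostring(AdditionalData.alertProductNames)     // assumption
| where AlertProducts has "Data Loss Prevention"
// SecurityIncident keeps one row per update; keep only the latest revision of each incident
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
// Hours from creation to closure, null for incidents that are still open
| extend HoursToClose = iff(Status == "Closed", (ClosedTime - CreatedTime) / 1h, real(null))
| summarize
    Incidents        = count(),
    OpenIncidents    = countif(Status != "Closed"),
    FalsePositives   = countif(Classification == "FalsePositive"),
    TruePositives    = countif(Classification == "TruePositive"),
    MeanHoursToClose = round(avg(HoursToClose), 1),   // avg() ignores the nulls for open incidents
    OldestOpen       = minif(CreatedTime, Status != "Closed")
    by Severity
| order by Severity asc
```

Dropping this query into a workbook gives a per-severity KPI table for DLP incidents; the false positive ratio per severity is a direct measure of how well the DLP policies are tuned, and OldestOpen flags backlog that the six-month retention in the Defender portal would eventually age out.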