013: Manage DLP Alerts & Incidents
Overview
Use the recommended Microsoft 365 Defender experience for DLP alert investigations. Where you need more advanced incident management, such as reporting to executives or regulators or automated workflows, export the relevant DLP activities from the Unified Audit Log to a SIEM such as Microsoft Sentinel.
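As an added example (not part of the original guidance or any Microsoft tooling), the following Python flattens exported Unified Audit Log DLP records into per-rule matches, counts them by severity and lists the High-severity ones for escalation, which is the kind of automated workflow the SIEM export enables. Field names follow the DLP schema linked below as I recall it; the sample records are constructed, and the hypothetical user and domain names are placeholders.

```python
import json
from collections import Counter

# Constructed sample in the shape of the Unified Audit Log AuditData JSON column.
# Field names follow the DLP schema linked on this page as I recall it; the
# values are invented. The third record is not a DLP event and must be skipped.
SAMPLE_AUDIT_DATA = [
    json.dumps({
        "Operation": "DlpRuleMatch", "Workload": "Exchange", "UserId": "alice@contoso.example",
        "ExchangeMetaData": {"From": "alice@contoso.example", "To": ["partner@external.example"]},
        "PolicyDetails": [{"PolicyName": "Financial Data", "Rules": [{
            "RuleName": "Credit cards to external recipients", "Severity": "High", "Actions": ["BlockAccess"],
            "ConditionsMatched": {"SensitiveInformation": [
                {"SensitiveInformationTypeName": "Credit Card Number",
                 "Count": 12, "Confidence": 85}]}}]}],
    }),
    json.dumps({
        "Operation": "DlpRuleMatch", "Workload": "SharePoint", "UserId": "bob@contoso.example",
        "PolicyDetails": [{"PolicyName": "PII", "Rules": [{
            "RuleName": "Single SSN shared internally", "Severity": "Low", "Actions": ["NotifyUser"],
            "ConditionsMatched": {"SensitiveInformation": [
                {"SensitiveInformationTypeName": "U.S. Social Security Number (SSN)",
                 "Count": 1, "Confidence": 65}]}}]}],
    }),
    json.dumps({"Operation": "FileAccessed", "Workload": "SharePoint",
                "UserId": "carol@contoso.example"}),
]

def rule_matches(audit_data):
    """Yield one tuple per matched rule; Severity sits on the rule, not the record."""
    rec = json.loads(audit_data)
    if rec.get("Operation") != "DlpRuleMatch":  # not a DLP event: ignore it
        return
    for policy in rec.get("PolicyDetails", []):      # a record can hold several
        for rule in policy.get("Rules", []):         # policies, each with rules
            sits = rule.get("ConditionsMatched", {}).get("SensitiveInformation", [])
            yield (rec.get("UserId"), rec.get("Workload"), policy.get("PolicyName"),
                   rule.get("RuleName"), rule.get("Severity", "Unknown"),
                   [s.get("SensitiveInformationTypeName") for s in sits])

def summarize(audit_data_list):
    """Return (matches per severity, High-severity matches to escalate)."""
    counts, escalate = Counter(), []
    for item in audit_data_list:
        for user, workload, policy, rule, severity, sits in rule_matches(item):
            counts[severity] += 1
            if severity == "High":
                escalate.append({"user": user, "workload": workload, "policy": policy, "rule": rule, "types": sits})
    return counts, escalate
```

In a real pipeline the `AuditData` strings come from the audit log export rather than the inline list, and the `escalate` entries are what you would route to an incident ticket or a Sentinel analytics rule.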
Reference
- Guidance for investigating Microsoft Purview Data Loss Prevention incidents https://techcommunity.microsoft.com/t5/security-compliance-and-identity/guidance-for-investigating-microsoft-purview-data-loss/ba-p/3732562
- Unified Audit Log DLP schema https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#dlp-schema