DEMO: DLP Reporting and Alerts

This course is designed to give you a solid understanding of data loss prevention (DLP) in Microsoft 365. You will learn how data loss prevention works and why you as a Microsoft 365 administrator would want to implement it.

After a general DLP overview, you will be guided through a series of demonstrations that will show you how to create, test, and edit DLP policies, report on DLP and view alerts, and automatically apply labels based on data loss policy matches.

Learning Objectives 

  • Obtain a foundational understanding of data loss prevention
  • Learn how to implement data loss prevention in Microsoft 365
  • Learn how to report on data loss prevention policies

Intended Audience

This course is intended for anyone preparing for the MS-101 or MS-500 exam or who simply wants to learn about data loss prevention in Microsoft 365.


To get the most out of this course, you should have some basic experience using Microsoft 365.

Additional Resources

Microsoft Licensing Guide: 


Okay, so the next thing we will be looking at is reporting on data loss prevention and also viewing the alerts. The alerts are currently in preview status, which we can see here: Alerts (preview). We are still in the compliance center, and you can see here some alerts that have been flagged with higher severity. We can see that a DLP policy match was made for a subject email, and if we click on it, it brings up some information around the alert.

So you can see here that the alert severity is high. It's an active alert. It was for Exchange, and the DLP policy that was matched was Australian financial data. Each alert will give you an alert ID, which is generated by Microsoft 365, and if you want to raise incidents based on these, you can use it as a reference so you can easily find that alert. We can also click Manage alert, but before that we will click Events, and you can see any events here that have happened around this alert. So you can see here the sensitive info with the email subject "Visa Card". We can click on it and once again it gives us more information there.

So you can see here that Adele Vance sent the email to this address. We can see the time of the email, and down here we can see the rule that was matched, the score it was given, and the actions taken. Now this is all stuff that would have been set in your DLP policy, as we set in the policies before. So we can hit the little X there and that will take us back. You can also click this Manage alert button, which will allow you to do some management here. You could change the status to investigating, dismissed or resolved.

So let's say this was resolved, she was able to do it. We can change the status to resolved, hit Save, and we can see here the settings have been saved; it's now resolved. Oh, don't hit Save again. So now we can exit that and close it. And if we refresh this list, we can now see that the status is resolved. So if you have multiple people working on these DLP policy alerts, you can use this status so everybody can see where things stand quite easily.

Something else you can do in the alert dashboard is change the filters. So here we could say, let's only see the active alerts. Do that and it will filter the list down to the active alerts. You can also filter by severity or by the user it's assigned to. And if you want to change the date range, you can do that here. So if we wanted to go back in time, the 15th of January is the furthest back we can go. But let's say we wanted to go forward in time, so we only wanted to see from the 31st of January through to February 15th. You would set that and it would change the reporting period to that window. So that's the basic concept of the alerts part of it.

So next, what we'll do is go into the reporting side of data loss prevention. To access the DLP reports, inside the compliance center, which is where we are here, the Microsoft 365 compliance center, we go to the Reports tab. Now there are a few different reports that you can run here, so you can see we've got label reports, organizational data reports and compliance reports. What we want is organizational data, and we've got a few different things here that we can look at.

So we've got our DLP policy matches, DLP incidents, DLP false positives and overrides, and also third-party DLP matches. To view any of those reports, we just select the report here and click it like that. It will then show us, in this graph, any data loss policy matches and incidents that have happened in the time period selected.

So once again with this report we can change the filter here. If we wanted to change the services we are filtering on, or the date, or filter down to just one policy that you've got, you can do that here and apply those filters to narrow down the events the way you want to see them. Inside this timeline graph we can hover over each date and see the incidents on that date, so on the day in question, 14 February 2021, you can see I had 11 DLP policy matches in SharePoint, 45 in OneDrive, two in Exchange and zero in Teams.

So that's a nice little graphical representation. It is color coded; you can see the color key down here as well, and you can click each one to deselect it, or leave them all in and see all the colors. Down here is where we actually see what was matched. So you can see down here the date and time, and the rule that was matched: low policy conditions, which if you remember was one of the rules that we created in our test policy before, Policy 1. So you can see here Policy 1, low match condition, the event type was a DLP policy hit, and we can scroll down and see more.

So the sensitive information confidence is 75%. If you remember, before we set it so that anything over 90% would be a high match and 50 to 75 would be a low match. This is why it says low match conditions. You can see here the title, Contoso purchasing data. That is an Excel file, you can tell from the XLSX extension, and you can see it searched inside that file and found a US bank account number right there. We can see two in the same document; we've also found Social Security numbers. So you can scroll through each of these and have a look at them if you wish. Basically you use this report to filter down and find any matches.

So another report that you can run is DLP incidents. When we click on this one, same sort of logic: we've got SharePoint, OneDrive, Exchange and Teams, and it puts them in here and shows us all of the incidents. Down here it shows the same sort of stuff. We've got the date and the title of the document or email in question. So you can see here it is a DOCX file, and if we look at the data it's a low severity. It tells us the user, the workload and what policies matched, so you can see here Australian financial data has matched, and we've got the rule count, the policy count and the severity.

So you can scroll through and see them, and if you want to sort, you can click here to change the order, say we wanted to sort like that, or if you wanted to sort on the title, you can click the title. Once again, like the other ones, we can change the filters up here as well by clicking Filter and picking what we want to see and what we don't.

So, DLP false positives. Now this can be useful if you're in a reasonably sized organization and you are getting a lot of false positives. This is where you would look to find the false positives, see what has been overridden, and then be able to change your policies based on them. It's the same sort of thing we were saying before, that you may need to tweak the policies; this is where to go to find the policies that do need tweaking. So if you find something that is getting a lot of matches and a lot of overrides, and people are saying that it's a false positive, you would be able to see that in here. You would see here the date, the rule, the title, the actor, the action, and then why the action was taken.

We haven't got any false positives in our test system here to view, but it basically looks the same as all of the other reports. It's the same sort of dashboard, same sort of logic. So that's basically it for reporting on our DLP policies. There are a bunch of other reports that you can use in the compliance center which we're not going to go into today, just because we're running through the data loss prevention stuff. But as you can see, to find the reports you just go to Reports. To find the alerts, you go to Alerts through here and we can see all of the alerts. The other option for finding the alerts is going into Data loss prevention and then clicking Alerts inside Data loss prevention.
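Added example, not part of the course demo: the same three views the demo clicks through (policy matches per workload, false positives and overrides, and the per-match detail) can be pulled from Security & Compliance PowerShell, which is handy when you want to review noisy rules or keep evidence for an alert without screenshotting the portal. It assumes the ExchangeOnlineManagement module is installed, an account with the compliance roles that can read DLP reports, and a placeholder UPN; the cmdlet parameters, EventType values, Source codes and output property names follow the published Get-DlpDetectionsReport and Get-DlpDetailReport cmdlets but are assumptions here and should be checked with Get-Help before relying on them.

```powershell
# Added example, not from the course: scripting the DLP reports shown in the
# compliance center with Security & Compliance PowerShell.
# Assumptions: ExchangeOnlineManagement module installed; the signed-in account
# can read DLP reports; the UPN below is a placeholder. Connect-IPPSSession
# opens the Security & Compliance endpoint (not plain Exchange Online).
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.onmicrosoft.com'

$start = (Get-Date).Date.AddDays(-30)
$end   = (Get-Date).Date

# 1. Policy matches per day and workload: the data behind the
#    "DLP policy matches" timeline graph. Source codes (SPO, ODB, EXCH, TEAMS)
#    are the values documented for -Source; assumed here for the output too.
$hits = Get-DlpDetectionsReport -StartDate $start -EndDate $end `
            -EventType DLPPolicyHits -AggregateBy Day
$hits |
    Group-Object { $_.Date.ToString('yyyy-MM-dd') } |
    ForEach-Object {
        $row = [ordered]@{ Date = $_.Name }
        foreach ($src in 'SPO', 'ODB', 'EXCH', 'TEAMS') {
            $row[$src] = ($_.Group | Where-Object Source -eq $src |
                          Measure-Object Count -Sum).Sum
        }
        [pscustomobject]$row
    } | Sort-Object Date | Format-Table -AutoSize

# 2. Overrides and reported false positives per rule: the "DLP false positives
#    and overrides" report, ranked so the rules that need tuning surface first.
#    EventType names and the Justification property are assumed from the cmdlet docs.
$noise = Get-DlpDetailReport -StartDate $start -EndDate $end `
             -EventType DLPPolicyOverride, DLPPolicyFalsePositive -PageSize 5000
$noise |
    Group-Object DlpCompliancePolicy, DlpComplianceRule |
    ForEach-Object {
        [pscustomobject]@{
            Policy         = $_.Group[0].DlpCompliancePolicy
            Rule           = $_.Group[0].DlpComplianceRule
            Overrides      = @($_.Group | Where-Object EventType -eq 'DLPPolicyOverride').Count
            FalsePositives = @($_.Group | Where-Object EventType -eq 'DLPPolicyFalsePositive').Count
            Justifications = ($_.Group.Justification | Where-Object { $_ } |
                              Select-Object -Unique) -join '; '
        }
    } | Sort-Object Overrides, FalsePositives -Descending | Format-Table -AutoSize

# 3. Keep the raw match detail (date, title, actor, rule, sensitive info type,
#    count and confidence) as evidence alongside any alert you have worked.
#    Property names are assumed from the Get-DlpDetailReport output.
Get-DlpDetailReport -StartDate $start -EndDate $end -EventType DLPPolicyHits -PageSize 5000 |
    Select-Object Date, Title, Actor, Source, DlpCompliancePolicy, DlpComplianceRule,
                  SensitiveInformationType, SensitiveInformationCount,
                  SensitiveInformationConfidence, Action, Severity |
    Export-Csv -Path .\dlp-matches.csv -NoTypeInformation
```

The second block is the one worth running regularly: a rule with many overrides and few real incidents is the same signal the demo describes for "policies that need tweaking", and having it as a table per policy and rule makes the tuning decision a review item rather than something you notice by scrolling. The CSV export in step 3 gives you the match detail (rule, confidence, sensitive info type) to attach to an alert you have marked investigating or resolved.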

About the Author

Jake is an IT manager for a managed services company that works with small- to medium-size businesses and manages their IT. He mainly works with a Microsoft Stack, from Servers to Microsoft 365 & Azure. He also specializes in business process improvement helping businesses to leverage technology to speed up their workflows. Jake really enjoys testing out new technologies and seeing what they can do. Outside of work he enjoys kayak fishing, gardening, and going to the gym.