Get started with the data loss prevention Alerts dashboard

Microsoft Purview Data Loss Prevention (DLP) policies can take protective actions to prevent unintentional sharing of sensitive items. When an action is taken on a sensitive item, you can be notified by configuring alerts for DLP. This article shows you how to define rich alert policies that are linked to your data loss prevention (DLP) policies. You'll see how to use the DLP alert management dashboard in the Microsoft Purview compliance portal to view alerts, events, and associated metadata for DLP policy violations.

If you are new to DLP alerts, you should review Learn about the data loss prevention alerts dashboard

Before you begin

Before you begin, make sure you have the necessary prerequisites:

• Licensing for the DLP alerts management dashboard
• Licensing for alert configuration options
• Required roles

Licensing for the DLP alert management dashboard

All eligible tenants for DLP can access the DLP alert management dashboard. To get started, you should be eligible for Microsoft Purview DLP for Exchange, SharePoint, and OneDrive. For more information about the licensing requirements for DLP, see Which licenses provide the rights for a user to benefit from the service?.

Customers who use Endpoint DLP who are eligible for Teams DLP will see their endpoint DLP policy alerts and Teams DLP policy alerts in the DLP alert management dashboard.

The content preview feature is available only for these licenses:

• Microsoft 365 (E5)
• Office 365 (E5)
• Advanced Compliance (E5) add on
• Microsoft 365 E5/A5 Information Protection and Governance
• Microsoft 365 E5/A5 Compliance

Licensing for alert configuration options

Single-event alert configuration: Organizations that have an E1, F1, or G1 subscription, or an E3 or G3 subscription, can create alert policies only where an alert is triggered every time an activity occurs.

Aggregated alert configuration: To configure aggregate alert policies based on a threshold, you must use one of these licensing configurations:

• An E5 or G5 subscription
• An E1, F1, or G1 subscription or an E3 or G3 subscription that includes one of the following features:
  • Office 365 Advanced Threat Protection Plan 2
  • Microsoft 365 E5 Compliance
  • Microsoft 365 eDiscovery and Audit add-on license

Roles

If you want to view the DLP alert management dashboard or to edit the alert configuration options in a DLP policy, you must be a member of one of these role groups:

• Compliance Administrator
• Compliance Data Administrator
• Security Administrator
• Security Operator
• Security Reader

To access the DLP alert management dashboard, you need the Manage alerts role and either of these two roles:

• DLP Compliance Management
• View-Only DLP Compliance Management

To access the Content preview feature and the Matched sensitive content and context features you must be a member of the Content Explorer Content Viewer role group, which has the Data classification content viewer role pre-assigned.

Roles and Role Groups

There are roles and role groups that you use to fine tune your access controls.

Here's a list of applicable roles. To learn more about them, see Permissions in the Microsoft Purview compliance portal.

• Information Protection Admin
• Information Protection Analyst
• Information Protection Investigator
• Information Protection Reader

Here's a list of applicable role groups. To learn more about them, see Permissions in the Microsoft Purview compliance portal.

• Information Protection
• Information Protection Admins
• Information Protection Analysts
• Information Protection Investigators
• Information Protection Readers

DLP alert configuration

To learn how to configure an alert in your DLP policy, see Configure and view alerts for data loss prevention policies.

Aggregate event alert configuration

If your organization is licensed for aggregated alert configuration options, then you'll see these options when you create or edit a DLP policy.

This configuration allows you to set up a policy to generate an alert every time an activity matches the policy conditions or when a certain threshold is exceeded, based on the number of activities or based on the volume of exfiltrated data.

Single event alert configuration

If your organization is licensed for single-event alert configuration options, then you'll see these options when you create or edit a DLP policy. Use this option to create an alert that's raised every time a DLP rule match happens.

Investigate a DLP alert

To work with the DLP alert management dashboard:

1. In the Microsoft Purview compliance portal, go to Data loss prevention.
2. Select the Alerts tab to view the DLP alerts dashboard.
3. Select an alert to see details:

4. Select the Events tab to view all of the events associated with the alert. (You can choose a particular event to view its details. For a list of some of the available event details, see, Learn about the data loss prevention Alerts dashboard.)

5. Select View details to open the Overview page for the alert. The overview page provides a summary:

   1. of what happened
   2. who performed the actions that caused the policy match
   3. information about the matched policy, and more

6. Choose the Events tab to access the:

   1. content involved
   2. sensitive information types matched
   3. metadata

7. After you investigate the alert, return to the Overview tab where you can manage triage and manage the disposition of the alert and add comments.

• To see the history of workflow management, choose Management log.
• After you take the required action for the alert, set the status of the alert to Resolved.

Limitation when downloading emails from within a DLP alert

In general, when using the DLP alert management dashboard, you can download specific emails from within an alert. However, emails that have been deleted in any of the following scenarios cannot be downloaded.

See also

• Learn about data loss prevention alerts and the alerts dashboard
• Create and Deploy data loss prevention policies