3.3 Investigating DLP Alerts in the Defender Portal

12-16 hours · Module 3

Investigating DLP Alerts in the Defender Portal

SC-200 Exam Objective

Domain 3 — Manage Incident Response: "Investigate and remediate compromised entities identified by Microsoft Purview data loss prevention (DLP) policies."

Introduction

Subsection 3.2 taught you how DLP policies generate alerts. This subsection teaches you what to do when those alerts arrive in your queue. DLP alert investigation follows a different pattern from endpoint or identity alerts because the primary question is not “what attack technique was used?” but “was sensitive data actually exposed, and if so, how much and to whom?”

The investigation outcome determines the response severity. If the DLP policy blocked the email before delivery, sensitive data did not leave the organization — the incident is an attempted exfiltration (containment already successful, investigation focuses on the user and intent). If the policy was audit-only and the email was delivered, sensitive data has reached the external recipient — the incident is a confirmed data breach (response includes data breach notification assessment, potentially regulatory reporting, and containment of the ongoing compromise if the account was stolen).

This subsection walks through the complete DLP alert investigation workflow using the Defender XDR portal, teaches you the KQL queries that surface DLP investigation context, and covers the documentation requirements for DLP incidents that may have regulatory notification implications.

The DLP alert investigation workflow

Figure 3.5: The five-step DLP investigation workflow. Each step builds on the previous: triage establishes the alert's baseline significance, content review confirms whether the match is real, exposure check determines impact, context check identifies the root cause, and remediation + documentation closes the loop.

Step 1: Triage — assess the alert’s surface-level significance. Open the DLP alert in the Defender portal incident queue. Before examining any detail, read four pieces of information: the Sensitive Information Type that matched (credit card numbers, social security numbers, custom SIT), the confidence level (Low, Medium, High), the instance count (1 instance vs 200 instances), and the destination (internal Teams message vs external email to Gmail). These four data points give you an immediate severity estimate.

A single low-confidence match in an internal message → likely false positive, fast triage. Two hundred high-confidence matches in an email to an external address → potential data breach, full investigation. This initial assessment determines how much time you invest before moving to step 2.

Step 2: Content review — confirm the match is real. The DLP alert evidence panel shows a content preview with the matched text highlighted and sensitive values partially redacted. Examine the preview: is this actually a credit card number, or is it a product SKU that happens to be 16 digits? Is this actually a social security number, or is it a formatted phone number? Is the document actually confidential financial data, or is it a marketing brochure that discusses financial concepts?

Content review is where most DLP alerts are resolved. If the matched content is not genuinely sensitive, mark the alert as a false positive. If the content is genuinely sensitive, proceed to step 3.

For DLP alerts where the content preview is insufficient (large documents, multiple matches across different sections), you may need to examine the full document. Use the alert’s link to the source content (the email in Exchange, the file in SharePoint) to review the full context. For email DLP alerts, Threat Explorer (Module 1.3) can show the complete email metadata and content.

Step 3: Exposure check — was the data actually exfiltrated? This is the critical determination. The alert tells you sensitive data was detected in a policy-violating context. But was the data actually exposed?

Check the DLP action: was the email blocked, quarantined, or delivered? If blocked, the data stayed inside the organization — the incident is attempted exfiltration. If delivered, the data reached the external recipient — the incident is confirmed data exposure.

For SharePoint/OneDrive DLP alerts, check whether the sharing link was created (exposure) or whether the share attempt was blocked (attempt only). For endpoint DLP alerts, check whether the file copy to USB succeeded (exposure) or was blocked (attempt only).

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
// Determine DLP alert outcome — blocked or delivered?
CloudAppEvents
| where Timestamp > ago(7d)
| where ActionType has "DlpRule"
| extend PolicyName = tostring(RawEventData.PolicyName)
| extend RuleAction = tostring(RawEventData.Actions)
| extend SITName = tostring(RawEventData.SensitiveInfoTypeName)
| extend Confidence = tostring(RawEventData.ConfidenceLevel)
| extend InstanceCount = toint(RawEventData.SensitiveInfoTypeCount)
| extend DestinationDomain = tostring(RawEventData.RecipientDomain)
| project Timestamp, AccountDisplayName, PolicyName, SITName,
    Confidence, InstanceCount, RuleAction, DestinationDomain
| order by Timestamp desc

Expected Output — DLP Alert Details with Action Outcome

Timestamp	User	SIT	Confidence	Count	Action	Destination
09:14:22	j.morrison	Credit Card	High	247	Audit	gmail.com
09:01:15	s.patel	UK NINO	Medium	1	Block	partner.co.uk

Critical finding: j.morrison's alert shows Action = "Audit" (not Block) with 247 credit card numbers sent to gmail.com. The data was delivered because the policy was audit-only. This is a confirmed data breach. s.patel's alert shows Action = "Block" — the data was prevented from leaving. This is an attempted violation that was successfully contained. The two alerts require completely different response procedures.

Step 4: Context check — why did this happen? The exposure check tells you what happened. The context check tells you why, which determines the response track.

Check the user’s account status: is this account compromised? Check the Defender XDR incident — are there correlated identity alerts (anomalous sign-in, impossible travel, token replay) for the same user? If yes, this is data exfiltration by an attacker using a compromised account. The DLP alert is a symptom of the broader compromise, and the response includes full incident response procedures from Module 1.2.

If the account is not compromised, check the user’s intent: is this an insider threat (deliberate data theft by an employee), a policy violation (the user knowingly sent data externally but believed it was acceptable), or an accident (the user attached the wrong file, selected the wrong recipient, or did not realize the content was classified as sensitive)?

Intent determines the response track. Attacker exfiltration → full incident response + data breach notification. Insider threat → escalate to IRM case management with HR and legal coordination. Policy violation → manager notification + policy retraining. Accident → user notification + no further action (for first occurrence).

Step 5: Remediate, document, and close. Based on the exposure check and context check, take the appropriate remediation actions.

For confirmed data exposure via compromised account: contain the account (Module 1.2 response actions), assess the data exposed (what types of sensitive data, how many records, whose data), determine notification requirements (GDPR requires notification within 72 hours if personal data of EU residents is exposed), document the complete incident in the incident report including the DLP evidence, and work with the compliance team to update the DLP policy from audit-only to block mode if this gap enabled the exposure.

For attempted exfiltration (blocked by DLP): document the attempt, investigate the account to determine whether it is compromised or the user is acting deliberately, and close the alert with appropriate classification (True Positive — blocked, or True Positive — escalated to IRM).

For false positives: mark the alert as False Positive, document the false positive pattern (what matched incorrectly and why), and report the pattern to the compliance team for policy tuning.

DLP investigation in KQL: beyond the portal view

The portal provides the alert view. KQL provides the investigation depth — answering follow-up questions that the portal interface does not surface directly.

Scope the user’s DLP history. Has this user triggered DLP alerts before? A first-time alert has different significance than a user who triggers alerts weekly.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
// DLP alert history for a specific user
CloudAppEvents
| where Timestamp > ago(90d)
| where ActionType has "DlpRule"
| where AccountDisplayName has "morrison"
| summarize AlertCount = count(),
    Policies = make_set(tostring(RawEventData.PolicyName), 5),
    SITs = make_set(tostring(RawEventData.SensitiveInfoTypeName), 5),
    ExternalDomains = make_set(tostring(RawEventData.RecipientDomain), 10)
    by bin(Timestamp, 7d)
| order by Timestamp desc

Scope the campaign — did the compromised account send sensitive data to multiple recipients? If the DLP alert shows one email to an external address, check whether there were additional emails to other external addresses that did not trigger DLP (because they contained different types of sensitive data not covered by the policy, or because the data volume was below the policy threshold).

1
2
3
4
5
6
7
8
9
// All external emails from the compromised account during the compromise window
EmailEvents
| where Timestamp between (datetime(2026-03-18 09:00) .. datetime(2026-03-18 12:00))
| where SenderFromAddress has "j.morrison"
| where RecipientEmailAddress !has "northgateeng.com"
| extend HasAttachment = (AttachmentCount > 0)
| project Timestamp, RecipientEmailAddress, Subject, HasAttachment,
    AttachmentCount, DeliveryAction
| order by Timestamp asc

Correlate DLP alerts with identity events. The most powerful DLP investigation technique is combining DLP data with sign-in data to determine whether the user who triggered the alert is the legitimate account holder or an attacker.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
// Correlate DLP alert with sign-in activity — same user, same time window
let dlpUser = "j.morrison@northgateeng.com";
let dlpTime = datetime(2026-03-18 09:14);
let window = 2h;
union
    (CloudAppEvents
        | where Timestamp between ((dlpTime - window) .. (dlpTime + window))
        | where AccountId =~ dlpUser
        | where ActionType has "DlpRule"
        | project TimeGenerated = Timestamp, Phase = "DLP",
            Detail = strcat("DLP: ", tostring(RawEventData.PolicyName)),
            SourceIP = IPAddress),
    (SigninLogs
        | where TimeGenerated between ((dlpTime - window) .. (dlpTime + window))
        | where UserPrincipalName =~ dlpUser
        | where ResultType == "0"
        | extend Country = tostring(LocationDetails.countryOrRegion)
        | project TimeGenerated, Phase = "Auth",
            Detail = strcat("Sign-in from ", Country, " via ", AppDisplayName),
            SourceIP = IPAddress)
| order by TimeGenerated asc

This union query produces a timeline that shows the DLP alert alongside the authentication events. If the sign-in before the DLP alert came from an unusual country or IP, the account is likely compromised. If the sign-in is from the user’s normal location and device, the DLP alert may be an insider risk or an accident.

Documentation requirements for DLP incidents

DLP incidents that involve confirmed data exposure have documentation requirements beyond standard security incident reporting. These requirements exist because data exposure may trigger regulatory notification obligations.

What to document in every DLP incident:

The sensitive data types detected (credit card numbers, personal data, healthcare records, financial data). The volume of exposed data (number of instances, number of unique records, number of affected individuals if personal data). The exposure vector (email to external recipient, file shared via link, copied to USB, uploaded to cloud storage). The exposure duration (how long was the data accessible before containment — for email, this is the time between delivery and recipient reading; for file shares, this is the time between share creation and share revocation). The recipients (who received or could access the exposed data — specific email addresses, or “anyone with the link” for SharePoint sharing). Whether the data was encrypted (sensitivity labels with encryption protect data even if it is exfiltrated — the recipient cannot read it without authorization).

This documentation feeds directly into the data breach notification assessment. Under GDPR, if personal data of EU residents is exposed, the controller must notify the supervisory authority within 72 hours and affected individuals “without undue delay” unless the exposure is unlikely to result in risk to rights and freedoms. Under UK GDPR, the same 72-hour requirement applies to the ICO. Your incident documentation provides the evidence base for this assessment.

DLP alert classification: the four outcomes

Every DLP alert resolves into one of four classifications. Knowing these before you start investigating prevents wasted time and ensures consistent documentation.

DLP Alert Classification Matrix

Classification	Content match?	Data exposed?	Action
True Positive — Blocked	✓ Real sensitive data	✗ Blocked by policy	Investigate intent, close as prevented
True Positive — Exposed	✓ Real sensitive data	✓ Delivered/shared	Full investigation + breach assessment
False Positive	✗ Not sensitive data	N/A	Close, report to compliance for tuning
Benign True Positive	✓ Real sensitive data	✓ But to authorized party	Close, verify authorization is documented

Triage efficiency: The classification determines how much investigation time the alert warrants. False positives take 30 seconds (check content preview, close). Blocked true positives take 5 minutes (verify the block, check user intent). Exposed true positives take 30-60 minutes (full investigation workflow). Benign true positives take 2 minutes (verify the recipient is authorized). Knowing the target classification early prevents over-investing in low-impact alerts.

Multi-workload DLP investigation: following the data trail

When a DLP alert fires in one workload (email), check whether the same user triggered DLP events in other workloads during the same window. An attacker who sends sensitive data via email may also download it from SharePoint, copy it to a USB drive, or upload it to a personal cloud service. A single-workload investigation misses the full exfiltration scope.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
// Multi-workload DLP check — did this user trigger DLP across multiple channels?
CloudAppEvents
| where Timestamp > ago(48h)
| where AccountDisplayName has "morrison"
| where ActionType has "DlpRule"
| extend Workload = tostring(RawEventData.Workload)
| extend PolicyName = tostring(RawEventData.PolicyName)
| extend SIT = tostring(RawEventData.SensitiveInfoTypeName)
| extend Action = tostring(RawEventData.Actions)
| summarize AlertCount = count(),
    SITs = make_set(SIT, 5),
    Actions = make_set(Action, 3)
    by Workload
| order by AlertCount desc

Expected Output — Multi-Workload DLP Activity

Workload	AlertCount	SITs	Actions
Exchange	3	["Credit Card Number"]	["Audit"]
OneDrive	7	["Credit Card","UK NINO"]	["Audit"]
Endpoint	2	["Credit Card Number"]	["Block"]

Multi-workload pattern: The user triggered DLP across three workloads: email (3 alerts), OneDrive sharing (7 alerts), and endpoint USB copy (2 alerts, blocked). The email investigation alone would have found 3 alerts. The multi-workload query reveals 12 total events — a much larger exfiltration scope. The endpoint DLP blocks suggest the user also attempted USB exfiltration but was prevented. This cross-workload view is essential for accurate scope assessment.

False positive management: closing the feedback loop

False positives waste SOC time and erode analyst confidence in DLP alerts. Every false positive should be tracked and reported to the compliance team for policy tuning. A structured false positive workflow prevents the same false positive from generating alerts indefinitely.

When you close a DLP alert as a false positive, document three things: the SIT that matched incorrectly (e.g., “Credit Card Number matched a 16-digit product SKU”), the content context (what the actual content was and why it is not sensitive), and a recommended tuning action (add an exclusion condition for this content pattern, or raise the minimum confidence level for this SIT). Report these to the compliance team weekly. Over time, this feedback loop reduces false positive rates and increases the signal-to-noise ratio of the alerts you investigate.

Track your false positive rate per DLP policy. If a policy generates more than 60% false positives, it needs tuning. If a specific SIT generates false positives in your environment that are not common elsewhere (a product numbering system that matches credit card patterns), the compliance team can add an exclusion condition specific to that pattern.

DLP + encryption = defense in depth

If the exposed document had a sensitivity label with encryption enabled, the data may be protected even though it left the organization. The external recipient cannot open the file without being authorized by the Rights Management Service. This does not eliminate the incident — the attempt still requires investigation — but it changes the data breach assessment from "data is exposed and readable" to "data was sent externally but remains encrypted and inaccessible." Document the encryption status in every DLP incident report.

Try it yourself

If you created a test DLP policy in the subsection 3.2 exercise and triggered a test alert, navigate to the Defender portal → Incidents and find the DLP alert. Open the alert evidence panel and examine: the SIT that matched, the confidence level, the instance count, the content preview (the test credit card number should be partially redacted), and the action taken (audit only, since you configured the test policy with audit action). Practice the five-step workflow: triage (low severity — test data), content review (test credit card number, not real), exposure check (audit-only, email was delivered), context check (you sent it intentionally), documentation (this is a test, no remediation needed). Close the alert as "Test — not a real incident."

What you should observe

The alert evidence panel shows the DLP policy name, the matched rule, "Credit Card Number" as the SIT, the confidence level, and a content preview showing the test credit card number (4111 1111 1111 ****). The action shows "Audit" — the email was delivered because the policy does not block. This exercise demonstrates the complete alert structure you will encounter during real DLP investigations. In a real scenario, the content would be actual sensitive data, the destination would be an untrusted external domain, and the investigation would determine whether the exposure was malicious or accidental.

Knowledge check

Check your understanding

1. A DLP alert shows 50 instances of "UK National Insurance Number" sent to an external address. The DLP action was "Block." Is this a data breach?

No — the data was blocked before delivery. The DLP policy successfully prevented the sensitive data from reaching the external recipient. This is an attempted data exposure, not an actual breach. However, the investigation is not complete: you still need to determine why the user attempted to send 50 NINOs externally. Was the account compromised (check for correlated identity alerts), was this an insider deliberately exfiltrating data (escalate to IRM), or was it an accidental attachment (user notification)?

Yes — the data was detected, so it was exposed

It depends on the confidence level of the SIT match

Yes — 50 instances is above the breach notification threshold

The DLP action determines exposure, not the SIT match. "Block" means the data stayed inside the organization. The incident is a successful prevention, not a breach. But prevention does not equal investigation closure — the intent behind the attempt still requires assessment. A compromised account attempting bulk exfiltration that DLP blocked is still a security incident requiring full investigation.

2. You are investigating a DLP alert for a user whose account you already confirmed is compromised via AiTM phishing. The DLP alert shows 200 credit card numbers sent to an external Gmail address with Action = "Audit" (delivered). Under GDPR, what is the notification deadline?

72 hours from the time you become aware of the breach. Under GDPR Article 33, the controller must notify the supervisory authority "without undue delay and, where feasible, not later than 72 hours after having become aware" of a personal data breach. The clock starts when your organisation determines that personal data was exposed — which is now, when you confirmed the DLP alert shows delivered (not blocked) credit card data to an external address. Begin the data breach notification assessment immediately and involve your Data Protection Officer.

30 days from discovery

No notification required — the data was credit cards, not personal data

72 hours from the time the email was sent

Credit card numbers are personal data under GDPR (they relate to identifiable individuals). The 72-hour clock starts from awareness, not from the time the breach occurred. Your DLP documentation — the SIT match details, instance count, delivery confirmation, and recipient domain — forms the evidence base for the notification. SOC analysts need to understand this deadline because the investigation timeline is constrained by it: you have 72 hours to determine the scope, assess the risk, and file the notification.

← 3.2 Data Loss Prevention: Policy Architecture and Alert Pipeline 3.4 Insider Risk Management: Policies, Indicators, and Risk Signals →