Microsoft Purview DLP & Insider Risk Logs
Location
Microsoft Purview > Data Loss Prevention > Activity explorer and Insider Risk Management > Cases
Description
Data Loss Prevention policy match logs recording when sensitive data types (SSN, credit cards, health records, custom patterns) are detected in emails, files, Teams messages, or endpoint activities. Insider Risk Management correlates multiple signals into risk scores and cases.
Forensic Value
DLP logs identify the specific sensitive data types involved in a breach, directly informing regulatory notification requirements. Policy match events prove that documents containing PII, PHI, or financial data were shared externally or downloaded, establishing the scope of data exposure. Insider Risk Management cases aggregate indicators like mass file downloads, email forwarding to personal accounts, and resignation-correlated data hoarding into scored risk assessments.
Tools Required
Collection Commands
PowerShell
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -RecordType DLP -ResultSize 5000 | Export-Csv dlp_events.csv -NoTypeInformation
KQL
InformationProtectionLogs_CL | where TimeGenerated > ago(30d) | where Activity_s contains "DLPRuleMatch" | project TimeGenerated, UserId_s, Activity_s, PolicyName_s, SensitiveInfoType_s
Graph API
GET https://graph.microsoft.com/v1.0/security/alerts_v2?$filter=serviceSource eq 'microsoftDataLossPrevention' and createdDateTime ge 2024-01-01T00:00:00Z
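As an added example (not from the page, and not Microsoft's own code), the following Python reads the dlp_events.csv that the Search-UnifiedAuditLog command above exports, where Export-Csv places each event's raw JSON in the AuditData column, and turns it into the scoping facts the Forensic Value section describes: which sensitive information types matched, how many instances, which users were involved, and which Exchange events went to recipients outside the tenant's own domains. The nested layout it walks (PolicyDetails, Rules, ConditionsMatched, SensitiveInformation, SensitiveInformationTypeName, Count), the ExchangeMetaData.To recipient list, the INTERNAL_DOMAINS set and every sample event are assumptions constructed for the example; check the field names against a real export before relying on the numbers.

```python
"""Scope a DLP exposure from a Search-UnifiedAuditLog CSV export (added example).

Export-Csv writes the event JSON into the AuditData column; this script parses
it and aggregates matched sensitive information types per user, then lists the
events whose recipients fall outside the organisation. The AuditData field
layout and all sample events below are assumptions constructed for the example.
"""
import csv
import io
import json
from collections import defaultdict

INTERNAL_DOMAINS = {"contoso.example"}  # assumption: the tenant's own domains


def _dlp_event(user, workload, policy, rule, sit_name, count, recipients=(), file_name=None):
    """Build one constructed DlpRuleMatch event in the assumed AuditData shape."""
    event = {
        "Operation": "DlpRuleMatch", "UserId": user, "Workload": workload,
        "PolicyDetails": [{"PolicyName": policy, "Rules": [{
            "RuleName": rule,
            "ConditionsMatched": {"SensitiveInformation": [{
                "SensitiveInformationTypeName": sit_name, "Count": count, "Confidence": 85}]},
        }]}],
    }
    if workload == "Exchange":
        event["ExchangeMetaData"] = {"To": list(recipients), "Subject": "(constructed)"}
    else:
        event["SharePointMetaData"] = {"FileName": file_name}
    return event


def build_sample_csv():
    """Constructed rows in the column layout Export-Csv emits for audit records."""
    rows = [
        ("ComplianceDLPExchange", "2024-03-04T10:15:00", "alice@contoso.example",
         _dlp_event("alice@contoso.example", "Exchange", "PII - US", "SSN bulk",
                    "U.S. Social Security Number (SSN)", 42,
                    recipients=["alice.home@mail.example"])),
        ("ComplianceDLPSharePoint", "2024-03-04T11:02:00", "bob@contoso.example",
         _dlp_event("bob@contoso.example", "SharePoint", "PCI", "Card numbers",
                    "Credit Card Number", 7, file_name="customers.xlsx")),
        ("ComplianceDLPExchange", "2024-03-05T09:30:00", "alice@contoso.example",
         _dlp_event("alice@contoso.example", "Exchange", "PCI", "Card numbers",
                    "Credit Card Number", 3, recipients=["finance@contoso.example"])),
    ]
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["RecordType", "CreationDate", "UserIds", "Operations", "AuditData"])
    for record_type, when, user, event in rows:
        writer.writerow([record_type, when, user, "DlpRuleMatch", json.dumps(event)])
    return buf.getvalue()


def sensitive_info_matches(audit_data):
    """Yield (type name, instance count) for every sensitive type matched in one event."""
    for policy in audit_data.get("PolicyDetails", []):
        for rule in policy.get("Rules", []):
            for sit in rule.get("ConditionsMatched", {}).get("SensitiveInformation", []):
                yield sit.get("SensitiveInformationTypeName", "unknown"), int(sit.get("Count", 0))


def external_recipients(audit_data, internal_domains=INTERNAL_DOMAINS):
    """Recipients whose mail domain is not one of the tenant's own (Exchange events only)."""
    to = audit_data.get("ExchangeMetaData", {}).get("To", [])
    return [r for r in to if r.rsplit("@", 1)[-1].lower() not in internal_domains]


def scope_exposure(csv_text, internal_domains=INTERNAL_DOMAINS):
    """Return (per-type summary, list of events that reached external recipients)."""
    by_type = defaultdict(lambda: {"events": 0, "instances": 0, "users": set()})
    external = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            data = json.loads(row["AuditData"])
        except (KeyError, TypeError, json.JSONDecodeError):
            continue  # malformed row: skip it rather than abort the whole triage
        if data.get("Operation") != "DlpRuleMatch":
            continue
        user = data.get("UserId") or row.get("UserIds", "")
        for sit_name, count in sensitive_info_matches(data):
            entry = by_type[sit_name]
            entry["events"] += 1
            entry["instances"] += count
            entry["users"].add(user)
        recipients = external_recipients(data, internal_domains)
        if recipients:
            external.append({"user": user, "date": row["CreationDate"], "recipients": recipients,
                             "types": [name for name, _ in sensitive_info_matches(data)]})
    return by_type, external


if __name__ == "__main__":
    summary, leaked = scope_exposure(build_sample_csv())
    for name, entry in summary.items():
        print(f"{name}: {entry['instances']} instances in {entry['events']} events, "
              f"users={sorted(entry['users'])}")
    for item in leaked:
        print(f"EXTERNAL {item['date']} {item['user']} -> {item['recipients']} {item['types']}")
```

To run it against a real export, replace build_sample_csv() with the contents of dlp_events.csv and set INTERNAL_DOMAINS to the tenant's accepted domains; the per-type instance totals are what feed the regulatory notification scope, and the external list is the shortlist to pivot into Insider Risk Management cases.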