Microsoft Purview DLP & Insider Risk Logs

m365-azure, Data Access & Storage, Cloud Admin Portal, SIEM / Log Aggregator

Location

Microsoft Purview > Data Loss Prevention > Activity explorer and Insider Risk Management > Cases. The same DLP match events are also written to the unified audit log (Audit search in the Purview portal, or Search-UnifiedAuditLog with RecordType ComplianceDLPExchange / ComplianceDLPSharePoint), which is the copy to export and preserve for long-term evidence rather than the portal views.

Description

Data Loss Prevention policy match logs record when sensitive information types (SSN, credit card numbers, health records, custom patterns) are detected in emails, SharePoint/OneDrive files, Teams messages, or endpoint activities such as copying to removable media, printing, or uploading through a browser. Each record names the policy and rule that matched, the sensitive information types with instance counts and confidence, and the action taken. Insider Risk Management correlates multiple signals (DLP matches, file and mail activity, HR connector events) into per-user risk scores and cases.

Forensic Value

DLP logs identify the specific sensitive information types involved in an incident, together with how many instances were found and at what confidence, which directly informs regulatory notification requirements. A policy match is evidence of detection, not of exposure: check the rule's actions (a block versus an audit-only or notify action) and whether the user overrode the block before concluding that a document containing PII, PHI, or financial data actually left the tenant. Where the action was audit-only, or the user overrode it, the match establishes that the data was shared externally or downloaded and fixes the scope of exposure. Insider Risk Management cases aggregate indicators such as mass file downloads, email forwarding to personal accounts, and resignation-correlated data hoarding into scored risk assessments.
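The scoping work described above, as an added example that is not part of the original page: a PowerShell function that flattens DLP records from the unified audit log into one row per sensitive information type match (user, item, recipients, type, instance count, confidence, action, override), then sums instances per type. The sample record is constructed here to follow the Office 365 Management Activity API DLP schema (PolicyDetails > Rules > ConditionsMatched > SensitiveInformation); the user, domain, policy and rule names in it are invented. The live retrieval call is shown commented out because it needs an Exchange Online / Security & Compliance PowerShell session.

```powershell
# Added example (not the page's own code). Assumes the Exchange Online Management
# module for the live path (Connect-IPPSSession, Search-UnifiedAuditLog); the
# constructed sample below lets the parsing run offline.

function ConvertFrom-DlpAuditRecord {
    <#
    .SYNOPSIS
    Flattens a DLP unified-audit-log record into one row per sensitive information type match.
    #>
    param(
        # A record as returned by Search-UnifiedAuditLog: an object whose AuditData property is a JSON string.
        [Parameter(Mandatory, ValueFromPipeline)]
        $Record
    )
    process {
        $d = $Record.AuditData | ConvertFrom-Json

        # Workload-specific metadata sits under different keys (Exchange vs. SharePoint/OneDrive).
        $item = if ($d.ExchangeMetaData) { $d.ExchangeMetaData.Subject }
                elseif ($d.SharePointMetaData) { $d.SharePointMetaData.FilePathUrl }
                else { $null }
        $recipients = (@($d.ExchangeMetaData.To) + @($d.ExchangeMetaData.CC) + @($d.ExchangeMetaData.BCC)) |
                      Where-Object { $_ }

        foreach ($policy in @($d.PolicyDetails)) {
            foreach ($rule in @($policy.Rules)) {
                # Skip rules that matched on document properties only (no SensitiveInformation array).
                foreach ($sit in (@($rule.ConditionsMatched.SensitiveInformation) | Where-Object { $_ })) {
                    [pscustomobject]@{
                        Time          = [datetime]$d.CreationTime
                        User          = $d.UserId
                        Workload      = $d.Workload
                        Operation     = $d.Operation          # DlpRuleMatch, DlpRuleUndo, DlpInfo
                        Policy        = $policy.PolicyName
                        Rule          = $rule.RuleName
                        Severity      = $rule.Severity
                        Actions       = ($rule.Actions -join ',')
                        Overridden    = [bool]$rule.OverriddenActions   # user overrode the block
                        Item          = $item
                        Recipients    = ($recipients -join ';')
                        SensitiveType = $sit.SensitiveInformationTypeName
                        Count         = $sit.Count
                        Confidence    = $sit.Confidence
                    }
                }
            }
        }
    }
}

# Constructed sample record (invented user, domain, policy and rule names), shaped like a
# ComplianceDLPExchange audit entry. Replace with the live pull below during an investigation.
$sample = [pscustomobject]@{
    AuditData = @'
{"CreationTime":"2024-03-04T09:15:22","Id":"00000000-0000-0000-0000-000000000001",
 "Operation":"DlpRuleMatch","Workload":"Exchange","UserId":"j.doe@contoso.example","RecordType":13,
 "ExchangeMetaData":{"From":"j.doe@contoso.example","To":["jdoe.home@example.net"],"CC":[],"BCC":[],
   "Subject":"Q1 patient list","RecipientCount":1},
 "PolicyDetails":[{"PolicyId":"00000000-0000-0000-0000-0000000000aa","PolicyName":"PHI - external recipients",
   "Rules":[{"RuleName":"High volume PHI","Severity":"High","Actions":["GenerateIncidentReport"],"OverriddenActions":[],
     "ConditionsMatched":{"SensitiveInformation":[
       {"SensitiveInformationTypeName":"U.S. Social Security Number (SSN)","Count":37,"Confidence":85},
       {"SensitiveInformationTypeName":"International Classification of Diseases (ICD-10-CM)","Count":120,"Confidence":75}]}}]}]}
'@
}

# Live pull (requires Connect-IPPSSession first); run once per record type of interest:
# $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
#                -RecordType ComplianceDLPExchange -Operations DlpRuleMatch -ResultSize 5000

$rows = $sample | ConvertFrom-DlpAuditRecord
$rows | Format-Table Time, User, Item, Recipients, SensitiveType, Count, Confidence, Actions, Overridden -AutoSize

# Scope summary for the notification decision: instances per sensitive information type,
# restricted to matches where the data was not blocked (audit-only action or user override).
$rows |
    Where-Object { $_.Actions -notmatch 'BlockAccess' -or $_.Overridden } |
    Group-Object SensitiveType |
    ForEach-Object {
        [pscustomobject]@{
            SensitiveType = $_.Name
            Events        = $_.Count
            Instances     = ($_.Group | Measure-Object Count -Sum).Sum
        }
    } | Format-Table -AutoSize
```

The filter in the summary is the point of the example: a rule whose only action is GenerateIncidentReport (as in the sample) recorded the data leaving, whereas a BlockAccess that was not overridden is a prevented attempt and belongs in a separate column of the report. Page through the live results with -SessionCommand ReturnLargeSet when a 30-day window exceeds 5000 records.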

Tools Required

Microsoft Purview Compliance Portal, PowerShell (Exchange Online Management module: Connect-IPPSSession, Search-UnifiedAuditLog), Microsoft Graph API, SIEM (Sentinel)