Microsoft Purview DLP & Insider Risk Logs
Location
Microsoft Purview > Data Loss Prevention > Activity explorer and Insider Risk Management > Cases
Description
Data Loss Prevention policy match logs recording when sensitive data types (SSN, credit cards, health records, custom patterns) are detected in emails, files, Teams messages, or endpoint activities. Insider Risk Management correlates multiple signals into risk scores and cases.
Forensic Value
DLP logs identify the specific sensitive data types involved in a breach, directly informing regulatory notification requirements. Policy match events prove that documents containing PII, PHI, or financial data were shared externally or downloaded, establishing the scope of data exposure. Insider Risk Management cases aggregate indicators like mass file downloads, email forwarding to personal accounts, and resignation-correlated data hoarding into scored risk assessments.