Collect DLP Policy Alerts and Hits
Collection / P2 / 45 min
Role: IR Analyst
Collect and analyze all Data Loss Prevention alerts and policy hits during the investigation window. DLP systems may have detected and logged exfiltration attempts that were missed by other controls.
Actions
1. Export Microsoft Purview DLP alerts: `Get-DlpDetailReport -StartDate T_START -EndDate T_END | Export-Csv dlp_alerts.csv`. Include policy name, matched sensitive info types, and actions taken.
2. Query the DLP dashboard for policy matches on the compromised user or host: filter by sender, endpoint, or IP address. Export the full match details, including content snippets where available.
3. Cross-reference DLP hits with the exfiltration timeline: align DLP alert timestamps with known staging and transfer events to build a complete data movement narrative.
4. Check for DLP policy bypasses: review whether the attacker disabled or modified DLP policies: `Search-UnifiedAuditLog -Operations "Set-DlpPolicy","Remove-DlpPolicy","Set-DlpComplianceRule" -StartDate T_START -EndDate T_END`.
Queries
CloudAppEvents | where Timestamp between (datetime(T_START) .. datetime(T_END)) | where ActionType has "DLP" | project Timestamp, AccountDisplayName, ActionType, IPAddress, RawEventData | order by Timestamp asc
index=dlp sourcetype=symantec:dlp OR sourcetype=forcepoint:dlp | where _time >= T_START AND _time <= T_END | stats count by policy_name, severity, action, src_user, dest | sort -count
OfficeActivity | where TimeGenerated between (datetime(T_START) .. datetime(T_END)) | where Operation has "DLP" | project TimeGenerated, UserId, Operation, PolicyId, ConditionName, SensitiveInfoType | order by TimeGenerated asc
Notes
- DLP alert data often contains content snippets showing what sensitive data was matched. Handle this evidence with extra care -- it may contain the actual PII/PHI that was exfiltrated.
- Many DLP policies are set to "log only" mode and did not block the transfer. Document whether the DLP action was "block" or "audit" for each alert.
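The following Python script is an added example, not part of this playbook or of any DLP vendor's tooling. It works through steps 2 and 3 and both notes on a constructed copy of the `dlp_alerts.csv` export from step 1: it keeps only alerts in the investigation window for the compromised sender, records whether the DLP action actually blocked the transfer or only audited it, attaches staging and transfer events from the wider timeline that fall within a few minutes of each alert, and replaces matched content snippets with a length-and-hash fingerprint so the report does not re-copy the PII/PHI. The CSV column names (`Date`, `Title`, `Sender`, `SensitiveInformationType`, `Action`, `Recipients`, `Snippet`), the action labels, the sample rows, and the timeline events are all assumptions; adjust the column names to whatever the real export produces.

```python
"""Correlate exported DLP alerts with an exfiltration timeline.

Added example for steps 2-3 and the two notes; not part of the playbook.
Column names, action labels, sample rows and timeline events are assumptions.
"""
import csv
import hashlib
import io
from datetime import datetime, timedelta, timezone

# Constructed sample rows standing in for dlp_alerts.csv (columns are assumed).
DLP_CSV = """Date,Title,Sender,SensitiveInformationType,Action,Recipients,Snippet
2024-03-10T09:05:00Z,Credit Card policy,j.doe@example.com,Credit Card Number,Audit,relay.example.net,card-number-sample
2024-03-10T09:40:00Z,Source Code policy,j.doe@example.com,Source Code,Block,personal-mail.example,source-snippet-sample
2024-03-11T14:02:00Z,PHI policy,j.doe@example.com,U.S. Social Security Number,Audit,storage.example,ssn-sample
2024-03-12T08:00:00Z,PHI policy,a.other@example.com,U.S. Social Security Number,Block,storage.example,ssn-sample
"""

# Constructed staging/transfer events already established from other evidence.
EXFIL_EVENTS = [
    {"time": "2024-03-10T09:00:00Z", "source": "EDR", "event": "archive.7z created in user Temp folder on WS-042"},
    {"time": "2024-03-10T09:42:00Z", "source": "Proxy", "event": "180 MB HTTPS upload to personal-mail.example from WS-042"},
    {"time": "2024-03-11T14:00:00Z", "source": "Proxy", "event": "sustained upload to storage.example from WS-042"},
]


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the sample data."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def redact(snippet: str) -> str:
    """Keep a fingerprint of the matched content, not the content itself
    (note 1: snippets can hold the actual PII/PHI that was exfiltrated)."""
    digest = hashlib.sha256(snippet.encode("utf-8")).hexdigest()[:12]
    return f"<{len(snippet)} chars, sha256:{digest}>"


def load_alerts(csv_text, t_start, t_end, user=None):
    """Step 2: keep alerts inside the investigation window, optionally for one sender."""
    alerts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = parse_ts(row["Date"])
        if not (t_start <= ts <= t_end):
            continue
        if user and row["Sender"].lower() != user.lower():
            continue
        alerts.append({
            "ts": ts,
            "policy": row["Title"],
            "sit": row["SensitiveInformationType"],
            "destination": row["Recipients"],
            # Note 2: only an explicit "Block" stopped the transfer; anything else was audit/log-only.
            "blocked": row["Action"].strip().lower() == "block",
            "snippet": redact(row["Snippet"]),
        })
    return alerts


def correlate(alerts, events, window=timedelta(minutes=15)):
    """Step 3: attach staging/transfer events within +/- window of each alert."""
    narrative = []
    for alert in alerts:
        nearby = [e for e in events if abs(parse_ts(e["time"]) - alert["ts"]) <= window]
        narrative.append({**alert, "related_events": nearby})
    return sorted(narrative, key=lambda a: a["ts"])


def summarize(narrative):
    """Counts an analyst would carry into the report."""
    blocked = sum(1 for a in narrative if a["blocked"])
    audit_with_transfer = sum(1 for a in narrative if not a["blocked"] and a["related_events"])
    return {
        "alerts": len(narrative),
        "blocked": blocked,
        "audit_only": len(narrative) - blocked,
        # Audit-only hits that coincide with a known transfer: the data most likely left.
        "audit_only_with_transfer": audit_with_transfer,
    }


def build_report(csv_text=DLP_CSV, events=EXFIL_EVENTS,
                 t_start="2024-03-10T00:00:00Z", t_end="2024-03-11T23:59:59Z",
                 user="j.doe@example.com"):
    """Run the whole pipeline on the constructed data (T_START/T_END stand-ins)."""
    alerts = load_alerts(csv_text, parse_ts(t_start), parse_ts(t_end), user)
    narrative = correlate(alerts, events)
    return narrative, summarize(narrative)


if __name__ == "__main__":
    narrative, summary = build_report()
    for a in narrative:
        flag = "BLOCK" if a["blocked"] else "AUDIT"
        print(f'{a["ts"]:%Y-%m-%d %H:%M} {flag:5} {a["policy"]} -> {a["destination"]} {a["snippet"]}')
        for e in a["related_events"]:
            print(f'    {e["time"]} [{e["source"]}] {e["event"]}')
    print(summary)
```

The 15-minute correlation window is a starting point, not a rule: widen it when DLP and proxy/EDR clocks are known to drift, and treat an audit-only alert with a coinciding transfer as confirmed data movement rather than a near miss.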