Investigate compromised entities from Purview DLP policies
When investigating compromised entities from Microsoft Purview Data Loss Prevention (DLP) policies within Microsoft Sentinel, security analysts must follow a systematic approach to identify and remediate potential data breaches. Purview DLP policies help organizations protect sensitive information by detecting and preventing unauthorized sharing or access to confidential data. When a DLP policy triggers an alert, it indicates that sensitive data may have been exposed or mishandled, requiring thorough investigation.

The investigation process begins with accessing the incident queue in Microsoft Sentinel, where DLP-related alerts are aggregated. Analysts should examine the entity details, including user accounts, devices, IP addresses, and files involved in the policy violation. Microsoft Sentinel provides entity pages that consolidate all relevant information about a potentially compromised entity, showing timeline activities, related alerts, and behavioral patterns.

Key investigation steps include reviewing the specific DLP policy that was triggered, understanding what type of sensitive information was detected (such as credit card numbers, social security numbers, or confidential documents), and determining the scope of the potential breach. Analysts should examine user activities before and after the incident, looking for unusual patterns like bulk downloads, external sharing attempts, or access from unfamiliar locations.

Correlation with other security signals is essential. Analysts should check if the same user or device has triggered other security alerts, which might indicate a broader compromise. Using KQL queries in Microsoft Sentinel allows for deeper analysis of related events and helps establish a complete picture of the incident. Remediation actions may include revoking user access, blocking external sharing, initiating password resets, or escalating to the legal and compliance teams. Documentation of findings and actions taken is crucial for compliance purposes and future reference. Integration between Purview DLP and Microsoft Sentinel enables streamlined workflows for comprehensive incident response.
Investigate Compromised Entities from Purview DLP Policies
Why It Is Important
Investigating compromised entities from Microsoft Purview Data Loss Prevention (DLP) policies is critical for security operations analysts because it helps identify users, devices, or applications that may have violated data protection policies. When sensitive data is exposed or exfiltrated, rapid investigation minimizes damage, ensures compliance with regulations like GDPR and HIPAA, and helps prevent future incidents. This capability bridges the gap between data protection and security operations, enabling a unified response to potential data breaches.
What It Is
Purview DLP policies monitor and protect sensitive information across Microsoft 365 services including Exchange, SharePoint, OneDrive, Teams, and endpoints. When a DLP policy is triggered, it generates alerts that can be investigated in Microsoft Defender XDR. Compromised entities refer to users, devices, files, or locations involved in DLP policy violations that may indicate malicious activity, insider threats, or compromised accounts attempting to exfiltrate sensitive data.
How It Works
1. Alert Generation: DLP policies detect sensitive content matches and generate alerts based on configured rules and severity levels.
2. Alert Correlation: Microsoft Defender XDR correlates DLP alerts with other security signals to identify potential incidents involving compromised entities.
3. Investigation in Defender Portal: Analysts access the Microsoft Defender portal to review DLP alerts under Incidents & Alerts. Each alert shows the affected user, the sensitive information type detected, the location, and the action taken.
4. Entity Investigation: From the alert, analysts can pivot to investigate the user entity, examining their recent activities, sign-in patterns, and other alerts associated with that account.
5. Activity Explorer: Use Activity Explorer in the Purview compliance portal to view detailed DLP activity logs, including matched rules, file names, and user actions.
6. Content Explorer: Examine the actual sensitive content that triggered the policy to understand the scope of potential data exposure.
7. Remediation: Take actions such as blocking the user, revoking access, initiating an Automated Investigation and Response (AIR), or escalating to incident response teams.
Key Investigation Steps
- Review the DLP alert details in Microsoft Defender XDR
- Identify the user and device associated with the violation
- Check for patterns of repeated violations by the same entity
- Correlate with other security alerts (sign-in anomalies, impossible travel)
- Examine the sensitivity of exposed data using Content Explorer
- Determine if the activity is intentional or accidental
- Document findings and apply appropriate remediation
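The correlation the summary section and the steps above describe (repeated violations by one entity, bulk activity, external sharing, and sign-ins from unfamiliar locations in the same window) is shown below as an added example that is not part of the original study notes and not Microsoft's code. The alert and sign-in records are constructed sample data with simplified field names, not an export from Sentinel, Defender XDR or Purview, and the scoring thresholds are assumptions chosen for the example; the recommended actions are the remediation options the notes already list.

```python
"""Correlate Purview DLP alerts with sign-in events per user entity.

Added example: the records below are constructed sample data, not an export
from Sentinel, Defender XDR or Purview, and the field names are simplified
for the example rather than any product schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed DLP alerts: one record per policy match, carrying the fields an
# analyst reads off a DLP alert (user, sensitive info type, location, action).
DLP_ALERTS = [
    {"time": "2024-05-06T09:10:00", "user": "alice@contoso.example", "policy": "PCI DSS",
     "info_type": "Credit Card Number", "workload": "OneDrive", "action": "ExternalShare",
     "file": "q1-refunds.xlsx"},
    {"time": "2024-05-06T09:12:00", "user": "alice@contoso.example", "policy": "PCI DSS",
     "info_type": "Credit Card Number", "workload": "OneDrive", "action": "ExternalShare",
     "file": "q2-refunds.xlsx"},
    {"time": "2024-05-06T09:15:00", "user": "alice@contoso.example", "policy": "PCI DSS",
     "info_type": "Credit Card Number", "workload": "SharePoint", "action": "Download",
     "file": "cardholder-list.csv"},
    {"time": "2024-05-06T10:30:00", "user": "alice@contoso.example", "policy": "PII",
     "info_type": "U.S. Social Security Number", "workload": "SharePoint", "action": "Download",
     "file": "payroll.xlsx"},
    {"time": "2024-05-06T14:00:00", "user": "bob@contoso.example", "policy": "PII",
     "info_type": "U.S. Social Security Number", "workload": "Exchange", "action": "Send",
     "file": "benefits-form.docx"},
]

# Constructed sign-in records for the same users (IPs from documentation ranges).
SIGNINS = [
    {"time": "2024-04-20T08:00:00", "user": "alice@contoso.example", "ip": "198.51.100.10", "country": "US"},
    {"time": "2024-05-06T07:00:00", "user": "alice@contoso.example", "ip": "198.51.100.10", "country": "US"},
    {"time": "2024-05-06T08:50:00", "user": "alice@contoso.example", "ip": "203.0.113.5", "country": "BR"},
    {"time": "2024-04-25T09:00:00", "user": "bob@contoso.example", "ip": "198.51.100.22", "country": "US"},
    {"time": "2024-05-06T13:30:00", "user": "bob@contoso.example", "ip": "198.51.100.22", "country": "US"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def group_by_user(alerts, signins):
    """Build one timeline (alerts plus sign-ins) per user entity."""
    by_user = defaultdict(lambda: {"alerts": [], "signins": []})
    for a in alerts:
        by_user[a["user"]]["alerts"].append(a)
    for s in signins:
        by_user[s["user"]]["signins"].append(s)
    return by_user


def has_burst(times, window=timedelta(minutes=15), threshold=3):
    """True if at least `threshold` alerts fall inside any span of length `window`
    (a crude proxy for bulk download / bulk sharing activity)."""
    times = sorted(times)
    for i, start in enumerate(times):
        if sum(1 for t in times[i:] if t - start <= window) >= threshold:
            return True
    return False


def assess_entity(user, alerts, signins, lookback=timedelta(hours=24), baseline_days=7):
    """Score one user entity and list the follow-up actions the findings call for."""
    alerts = sorted(alerts, key=lambda a: _ts(a["time"]))
    first, last = _ts(alerts[0]["time"]), _ts(alerts[-1]["time"])
    # Countries seen well before the first violation form the "familiar" baseline
    # (assumed cut-off: baseline_days before the first alert).
    baseline = {s["country"] for s in signins if _ts(s["time"]) < first - timedelta(days=baseline_days)}
    unfamiliar = [(s["time"], s["ip"], s["country"]) for s in signins
                  if first - lookback <= _ts(s["time"]) <= last and s["country"] not in baseline]
    findings = {
        "user": user,
        "violations": len(alerts),
        "info_types": sorted({a["info_type"] for a in alerts}),
        "workloads": sorted({a["workload"] for a in alerts}),
        "burst": has_burst([_ts(a["time"]) for a in alerts]),
        "external_shares": sum(1 for a in alerts if a["action"] == "ExternalShare"),
        "unfamiliar_signins": unfamiliar,
    }
    # Assumed weights: an unfamiliar sign-in alongside a DLP match points at a
    # compromised account rather than an accidental violation, so it weighs most.
    actions = ["review the matched content in Content Explorer and the activity trail in Activity Explorer"]
    score = 0
    if findings["violations"] >= 3:
        score += 1
    if findings["burst"]:
        score += 1
    if findings["external_shares"]:
        score += 2
        actions.append("block external sharing on the affected files")
    if findings["unfamiliar_signins"]:
        score += 3
        actions.append("reset password and revoke sessions")
    if score >= 4:
        actions.append("escalate to incident response and the legal/compliance teams")
    findings["severity"] = "high" if score >= 4 else "medium" if score >= 2 else "low"
    findings["actions"] = actions
    return findings


def triage(alerts, signins):
    """Return findings for every user entity that has at least one DLP alert."""
    return {user: assess_entity(user, t["alerts"], t["signins"])
            for user, t in group_by_user(alerts, signins).items() if t["alerts"]}


if __name__ == "__main__":
    for user, f in triage(DLP_ALERTS, SIGNINS).items():
        print(f"{user}: {f['severity']} ({f['violations']} violations, "
              f"unfamiliar sign-ins: {f['unfamiliar_signins']}) -> {f['actions']}")
```

On the constructed data the first user is rated high (four matches in two workloads, a 15-minute burst, two external shares, and a sign-in from a country absent from her baseline an hour before the first match), while the second user's single match from a familiar location is rated low and left for the intent check the steps above call for. In a real investigation the baseline and lookback windows would come from the entity page and KQL queries rather than from a fixed list.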
Exam Tips: Answering Questions on Investigate Compromised Entities from Purview DLP Policies
1. Know the portals: Understand that DLP alerts appear in both the Purview compliance portal and Microsoft Defender XDR. Questions may test which portal to use for specific tasks.
2. Understand alert integration: DLP alerts flow into Microsoft Defender XDR incidents. Know how to navigate from an incident to the underlying DLP policy violation.
3. Activity Explorer vs Content Explorer: Activity Explorer shows DLP activities and audit logs, while Content Explorer shows the actual sensitive content. Exam questions often test this distinction.
4. Entity pages: Remember that user entity pages in Defender XDR aggregate all alerts including DLP violations, providing a holistic view of potentially compromised accounts.
5. Response actions: Know available remediation options such as blocking users, triggering investigations, and configuring policy tips or overrides.
6. Sensitivity labels: Understand the relationship between DLP policies and sensitivity labels, as questions may combine these concepts.
7. Scenario-based questions: Expect scenarios where you must identify the correct sequence of investigation steps or choose the appropriate tool for a specific task.
8. Focus on integration: SC-200 emphasizes how different Microsoft security tools work together. Understand how Purview DLP integrates with Defender XDR, Sentinel, and Defender for Cloud Apps.