Create policy to detect and alert on U.S. PII data exposure

This scenario shows how to enhance an existing Microsoft Purview DLP policy by enabling real-time alerting for policy matches involving U.S. PII data. Alerts are configured to notify administrators each time a match occurs, improving visibility and response readiness while the policy continues to run without restricting user activity.

This scenario is for an unrestricted admin modifying a policy whose administrative scope is the full directory.

Prerequisites and assumptions

This article uses the process you learned in Design a data loss prevention policy to show you how to create a Microsoft Purview Data Loss Prevention (DLP) policy. Work through these scenarios in your test environment to familiarize yourself with the policy creation UI.

Important

This article presents a hypothetical scenario with hypothetical values. It's only for illustrative purposes. Substitute your own sensitive information types, sensitivity labels, distribution groups, and users.

How you deploy a policy is as important as policy design. This article shows you how to use the deployment options so that the policy achieves your intent while avoiding costly business disruptions.

This scenario uses the Confidential sensitivity label, so it requires you to create and publish sensitivity labels. To learn more, see:

This procedure uses a hypothetical distribution group, Human Resources, and a distribution group for the security team at Contoso.com.

This procedure uses alerts. See: Get started with the data loss prevention alerts

Policy intent statement and mapping

We, Contoso, have already deployed a policy to monitor U.S. Personally Identifiable Information (PII) activity on endpoint devices in audit mode. After reviewing initial results, we now want to enhance our visibility by ensuring that administrators are proactively notified when policy matches occur. To achieve this, we will modify the existing policy to generate alerts whenever low-volume PII-related activity is detected. These alerts will be sent in real time to administrators so they can quickly review and respond to potential risks. The policy will continue to operate without restricting user activity, maintaining the audit-first approach while improving incident awareness and response readiness.

| Statement | Configuration question answered and configuration mapping |
| --- | --- |
| “We want to enhance our existing monitoring policy without changing its scope…” | - Administrative scope: Full directory (unchanged)<br>- Where to monitor: Devices (unchanged)<br>- Existing policy reused and edited |
| “We want to generate alerts when U.S. PII policy conditions are matched…” | - Rule edited: Low volume of content detected scenarios U.S. PII Data Enhanced<br>- Condition: Existing PII detection logic from template retained |
| “We want administrators to be notified automatically when matches occur…” | - Incident reports: Enable ‘Send an alert to admins when a rule match occurs’<br>- Recipients: Default admin and additional configured recipients |
| “We want immediate visibility into every matching event…” | - Alert frequency: Send alert every time an activity matches the rule |
| “We want to improve response readiness without disrupting users…” | - Protection actions: No blocking or restriction changes<br>- Policy continues in audit/simulation behavior |
| “We want to validate alerting behavior alongside activity tracking…” | - Monitoring: Activity explorer used to correlate events and alerts<br>- Testing: Trigger policy using test file with matching PII content |

Steps to create policy

  1. Sign in to the Microsoft Purview portal > Data loss prevention > Policies.

  2. Choose the U.S. Personally Identifiable Information (PII) Data Enhanced policy that you created in Scenario 1.

  3. Choose Edit policy.

  4. Go to the Customize advanced DLP rules page and edit the Low volume of content detected scenarios U.S. PII Data Enhanced rule.

  5. Scroll down to the Incident reports section and toggle Send an alert to admins when a rule match occurs to On. Email alerts are automatically sent to the administrator and anyone else you add to the list of recipients.

    This screenshot shows the option to turn on incident reports.

  6. For the purposes of this scenario, choose Send alert every time an activity matches the rule.

  7. Choose Save.

  8. Retain all your previous settings by choosing Next throughout the rest of the wizard, then Submit the policy changes.

  9. Share a test item containing content that matches the U.S. Personally Identifiable Information (PII) Data condition so that the policy is triggered.

  10. Check the activity explorer for the event.
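The same change the wizard steps above make, and the settings listed in the intent-mapping table (alert on every match, named recipients, no change to protection actions or policy mode), can be applied and verified from Security & Compliance PowerShell so that the edit is repeatable and auditable. The following is an added example, not code from the article or from Microsoft. It assumes the ExchangeOnlineManagement module is installed, that the policy and rule names are exactly those used in this article, that `security-team@contoso.com` is a placeholder you replace with your own security-team distribution group, and that the `AlertProperties` hashtable key `AggregationType` with value `None` corresponds to the portal's "Send alert every time an activity matches the rule" option (an assumption to confirm against the Set-DlpComplianceRule reference for your tenant).

```powershell
# Added example (not from the article): enable admin alerting on the existing
# U.S. PII rule with Security & Compliance PowerShell, then read the rule and
# policy back to confirm that only alerting changed.

# Requires the ExchangeOnlineManagement module; opens a Security & Compliance session.
Connect-IPPSSession

# Names taken from the article's scenario.
$policyName = 'U.S. Personally Identifiable Information (PII) Data Enhanced'
$ruleName   = 'Low volume of content detected scenarios U.S. PII Data Enhanced'

# Recipients: 'SiteAdmin' is the built-in admin recipient; the address is a
# placeholder for the security team distribution group from the scenario.
$alertRecipients = @('SiteAdmin', 'security-team@contoso.com')

# Capture the policy mode and rule state before changing anything, so the
# "no disruption to users" intent can be checked afterwards.
$policyBefore = Get-DlpCompliancePolicy -Identity $policyName
$ruleBefore   = Get-DlpComplianceRule   -Identity $ruleName
"Policy mode before: $($policyBefore.Mode)"
"Rule alert recipients before: $($ruleBefore.GenerateAlert -join ', ')"

# Turn on incident reports and admin alerts for every rule match.
# -AlertProperties and its AggregationType key are assumed from the cmdlet's
# documented hashtable shape; 'None' is assumed to mean no aggregation,
# i.e. one alert per matching activity. No blocking or restriction parameters
# are touched, so protection actions stay as they were.
Set-DlpComplianceRule -Identity $ruleName `
    -GenerateIncidentReport $alertRecipients `
    -GenerateAlert $alertRecipients `
    -AlertProperties @{ AggregationType = 'None' }

# Verification: read both objects back and fail loudly if the change did not
# take or if something other than alerting moved.
$policyAfter = Get-DlpCompliancePolicy -Identity $policyName
$ruleAfter   = Get-DlpComplianceRule   -Identity $ruleName

if (-not $ruleAfter.GenerateAlert) {
    throw "Alerting is still not enabled on rule '$ruleName'."
}
if ($policyAfter.Mode -ne $policyBefore.Mode) {
    throw "Policy mode changed from '$($policyBefore.Mode)' to '$($policyAfter.Mode)'; audit-first intent violated."
}

"Policy mode after: $($policyAfter.Mode)"
"Rule alert recipients after: $($ruleAfter.GenerateAlert -join ', ')"
```

Run this in a test tenant first, as the article recommends for the portal steps. Steps 9 and 10 of the procedure (sharing a matching test item and confirming the event in Activity explorer) are still done by hand; the read-back at the end of the script is the configuration check, not a substitute for that end-to-end test.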