
Microsoft Data Loss Prevention in XDR

Cross-product DLP signals integrated into the unified threat detection pipeline

What is DLP in XDR?

DLP signals from Microsoft Purview are integrated directly into the Defender XDR incident pipeline. DLP policy matches across Exchange, SharePoint, Teams, and endpoints are correlated with other threat signals for unified investigation and response.

Core Capabilities

DLP Labs

Deploy endpoint DLP, configure policies for Teams and Exchange, investigate DLP incidents in the unified XDR portal, and build enterprise DLP dashboards.

DLP Scripts

Ready-to-run PowerShell scripts for lab simulations.

Script: Deploy-EndpointDLP.ps1
  Description: Endpoint DLP deployment: USB/print/clipboard rules, user notifications
  Level: Intermediate
  Parameters: -Action [Deploy|Review|Cleanup]

Script: Invoke-DLPIncidentHunting.ps1
  Description: KQL hunting: risky identity + DLP, exfiltration, override abuse
  Level: Advanced
  Parameters: -QuerySet [RiskyIdentity|Exfiltration|All]

Data Loss Prevention FAQ

How does DLP integrate with Defender XDR?

Microsoft Purview DLP alerts are natively integrated into the Defender XDR incident pipeline:

  • Alert correlation: DLP policy matches generate alerts that flow into Defender XDR and are automatically correlated with other threat signals. A DLP violation by a user who also has a risky sign-in detection becomes a single unified incident.
  • Cross-signal investigation: Within the incident, analysts can see the DLP violation alongside the user's endpoint activity (MDE), email behaviour (MDO), identity risk (Entra ID), and cloud app usage (MDA) on a single timeline.
  • Response actions: From the unified incident, analysts can isolate the user's device, disable the account and revoke sessions, all while investigating the DLP violation.
  • Advanced hunting: DLP events are queryable in the DeviceEvents table via advanced hunting, enabling KQL-based correlation with other data sources.

This integration is critical because data loss is rarely an isolated event. A user copying files to USB might be a departing employee (HR signal), using stolen credentials (identity signal), or operating from a compromised device (endpoint signal).

What workloads does Endpoint DLP cover?

Endpoint DLP monitors and controls sensitive data operations on Windows 10/11 and macOS devices:

  • Copy to removable media (USB): Block, warn, or audit when users copy files containing sensitive data to USB drives, external hard drives, or SD cards
  • Print: Block or warn when printing documents containing sensitive information types or sensitivity labels
  • Copy to clipboard: Audit clipboard operations that copy sensitive content between applications
  • Upload to cloud service: Block uploads of sensitive files to specific cloud services (e.g., block personal Dropbox but allow corporate OneDrive)
  • Access by unallowed apps: Prevent specific applications from opening files with certain sensitivity labels
  • Transfer via Bluetooth: Block sensitive file transfers via Bluetooth connections
  • Network share copy: Monitor file copies to network shares

Each activity can be set to Audit (log only), Warn (show notification, allow override with justification), or Block (prevent the action entirely).

Prerequisite: Devices must be onboarded to Microsoft Defender for Endpoint (MDE). Endpoint DLP uses the MDE sensor for monitoring.

What are Sensitive Information Types (SITs)?

SITs are the detection engine behind DLP policies. They identify specific categories of sensitive data in content:

  • Built-in SITs (300+): Credit card numbers, Social Security Numbers, passport numbers, bank account numbers, driver's licence numbers, health plan IDs, and national ID formats for 100+ countries
  • Custom SITs: Create your own using regex patterns, keyword lists, or dictionaries. Example: internal project codes (PROJ-\d{6}), employee IDs, or custom account number formats.
  • Exact Data Match (EDM): Upload structured data (e.g., a table of customer records) and DLP detects exact matches in content. Highest accuracy for known-data scenarios.
  • Named entities: ML-powered detection for complex entity types like person names, physical addresses, and medical terms
  • Trainable classifiers: ML models pre-trained on categories like source code, financial statements, resumes, and harassment content
  • Confidence levels: Each SIT detection has a confidence level (High, Medium, Low) based on pattern strength, proximity of corroborating evidence, and checksum validation

DLP policies reference SITs in their conditions; a single policy can detect multiple SITs with different thresholds and actions per SIT.
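A toy SIT detector, added here as an illustration rather than Purview's own engine, shows how the three confidence signals listed above combine: the card SIT has a regex match, a Luhn checksum and nearby corroborating keywords, while the custom PROJ-\d{6} SIT from the list has only a regex and keywords. The keyword lists, proximity window and level thresholds are assumptions made for the example.

```python
# Added illustration (not Purview's SIT engine): confidence from pattern
# strength, checksum validation and keyword proximity, as the page describes.
import re
from dataclasses import dataclass

# Hypothetical SIT definitions. The project-code SIT uses the page's own
# PROJ-\d{6} pattern; the card SIT adds a Luhn checksum as corroboration.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
PROJ_RE = re.compile(r"\bPROJ-\d{6}\b")
CARD_KEYWORDS = ("card", "visa", "mastercard", "expiry", "cvv")
PROJ_KEYWORDS = ("project", "confidential", "internal")
PROXIMITY = 60  # characters either side of a match searched for keywords


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Match:
    sit: str
    value: str
    confidence: str  # "High", "Medium" or "Low"


def _keyword_nearby(text: str, start: int, end: int, keywords) -> bool:
    window = text[max(0, start - PROXIMITY):end + PROXIMITY].lower()
    return any(k in window for k in keywords)


def detect(text: str) -> list:
    """Return every SIT match in text with a confidence level attached."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        checksum_ok = luhn_valid(digits)
        nearby = _keyword_nearby(text, m.start(), m.end(), CARD_KEYWORDS)
        # Two corroborating signals -> High, one -> Medium, pattern alone -> Low
        level = "High" if checksum_ok and nearby else "Medium" if checksum_ok or nearby else "Low"
        found.append(Match("Credit Card Number", m.group(), level))
    for m in PROJ_RE.finditer(text):
        nearby = _keyword_nearby(text, m.start(), m.end(), PROJ_KEYWORDS)
        # A custom regex SIT has no checksum, so keywords are its only corroboration
        found.append(Match("Custom: Project Code", m.group(), "High" if nearby else "Medium"))
    return found
```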

Can users override DLP blocks?

Yes. DLP policies support flexible override options that balance security with user productivity:

  • Allow override with justification: The user sees a policy tip explaining what was detected. They can click "Override" and provide a business justification (free text). The action is allowed and the justification is logged.
  • Allow override without justification: The user can proceed without explanation. Less friction but less audit trail.
  • Allow override by reporting false positive: The user indicates the detection was incorrect. Useful for training DLP accuracy.
  • No override: The action is blocked with no way for the user to proceed. Reserved for highest-severity data (e.g., 10+ credit card numbers in a single file).

Override monitoring: All overrides are logged in Activity Explorer and can be reported on. Create alerts for users with excessive override counts: a pattern of frequent overrides may indicate intentional data exfiltration.

Best practice: Use "warn with override" for medium-severity matches and "block with no override" for high-confidence, high-volume matches. This provides security coaching while respecting legitimate business needs.
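As an added example (not one of the page's scripts), the override-monitoring rule described above, run over constructed Activity Explorer-style records: it counts each user's overrides in a rolling window, flags users at or above a threshold and reports how many of those overrides carried no justification. The field names, activity value, threshold and window length are assumptions.

```python
# Added illustration (not a Microsoft script): flag users whose DLP override
# count inside a rolling window reaches a threshold, from constructed records
# shaped like an Activity Explorer export. Field names are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample activity (not real tenant data).
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "time": "2024-05-01T09:00:00", "activity": "DlpRuleOverride", "justification": "Customer requested invoice"},
    {"user": "alice@example.com", "time": "2024-05-01T10:30:00", "activity": "DlpRuleOverride", "justification": ""},
    {"user": "alice@example.com", "time": "2024-05-01T11:00:00", "activity": "DlpRuleOverride", "justification": "Sending to external auditor"},
    {"user": "alice@example.com", "time": "2024-05-01T15:45:00", "activity": "DlpRuleOverride", "justification": " "},
    {"user": "bob@example.com", "time": "2024-05-01T12:00:00", "activity": "DlpRuleOverride", "justification": "Shared with legal"},
    {"user": "carol@example.com", "time": "2024-05-01T08:00:00", "activity": "DlpRuleOverride", "justification": "Contract review"},
    {"user": "carol@example.com", "time": "2024-05-03T08:00:00", "activity": "DlpRuleOverride", "justification": "Contract review"},
    {"user": "carol@example.com", "time": "2024-05-06T08:00:00", "activity": "DlpRuleOverride", "justification": "Contract review"},
    {"user": "dave@example.com", "time": "2024-05-01T09:10:00", "activity": "DlpRuleMatch", "justification": ""},
]


def find_excessive_overrides(events, threshold=3, window_hours=24):
    """Return {user: {"count": n, "no_justification": k}} for each user whose
    overrides inside some rolling window of window_hours number >= threshold.
    count is the fullest such window; no_justification counts blank reasons."""
    window = timedelta(hours=window_hours)
    per_user = defaultdict(list)
    for e in events:
        if e["activity"] != "DlpRuleOverride":  # audit-only matches are not overrides
            continue
        per_user[e["user"]].append((datetime.fromisoformat(e["time"]), e.get("justification", "")))

    flagged = {}
    for user, rows in per_user.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until the span covers at most `window`
            while rows[end][0] - rows[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > flagged.get(user, {}).get("count", 0):
                blanks = sum(1 for _, why in rows[start:end + 1] if not why.strip())
                flagged[user] = {"count": count, "no_justification": blanks}
    return flagged
```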

What is Adaptive Protection?

Adaptive Protection dynamically adjusts DLP enforcement based on each user's insider risk level, creating personalised security controls without manual policy management:

  • How it works: Insider Risk Management continuously calculates a risk level (Minor, Moderate, Elevated) for each user based on their cumulative activities. Adaptive Protection feeds this risk level into DLP policies as a condition.
  • Dynamic enforcement: A user with "Elevated" risk automatically gets stricter DLP controls (block USB, block external email) while a user with "Minor" risk gets standard controls (audit only). The controls adjust in real time as risk changes.
  • No manual intervention: Security teams don't need to manually adjust DLP policies for individual users. The system automatically escalates and de-escalates enforcement based on behaviour.
  • Example scenario: An employee gives their 2-week notice. Insider Risk detects the HR signal and elevates their risk level. Adaptive Protection automatically blocks USB transfers and untrusted cloud uploads for that user until their last day, without any analyst action.

Adaptive Protection requires both Microsoft 365 E5 (for Insider Risk) and DLP. It represents the most advanced form of data protection: security controls that are proportional to actual risk.

What licensing is required for DLP?

DLP capabilities are tiered across licence levels:

  • Microsoft 365 E3: Basic DLP for Exchange Online only (email). Manual sensitivity labels. No endpoint DLP, no Teams DLP, no SharePoint DLP.
  • Microsoft 365 E5 / E5 Compliance: Full DLP across all workloads: Exchange, SharePoint, OneDrive, Teams chat/channels, Endpoint devices, Power BI, and on-premises file shares. Plus advanced features: Exact Data Match, trainable classifiers, Adaptive Protection.
  • E5 Information Protection & Governance: Standalone add-on to E3 for full DLP without the full E5 suite

For organisations with E3 that need DLP beyond Exchange, the E5 Compliance add-on or E5 Information Protection add-on provides the most cost-effective upgrade path.
