Microsoft 365 DLP Alerts showing "No data available"

This is a question we get a lot, and I have not been able to find an article explaining this. The DLP articles usually just say that alerts will be shown under Data Loss Prevention - Alerts, which isn't the whole truth. I don't know if this has to do with when you created your tenant or something like that, but for some, these alerts just won't show up. In this blog post I will try to explain what needs to be done to get this working.

Prerequisites for DLP and logging. 

I won't be going too deep into licensing here. If you want to know more, you can find it all in this article: Microsoft 365 Security & Compliance licensing guidance. For now, we will just say that you need an appropriate license for DLP. What kind, you ask? Well, that depends. Do you want to use DLP for Microsoft Teams chat and channel messages? Then you would need Office 365 Advanced Compliance, which is available as a standalone option and is included in Office 365 E5 and Microsoft 365 E5 Compliance. If you just want Office 365 data loss prevention (DLP) for Exchange Online, SharePoint Online, and OneDrive for Business, you can get this with Office 365 E3 (or equivalent).

But there are more requirements. You will also need a role that gives you access to DLP. Compliance admin is a common role to hold when working with compliance features such as DLP and AIP.

But I have all this, why can't I see the alerts? 

Picture 1 - Where are my alerts?
 

I struggled with this myself, and with the help of Microsoft I was told that for these to show up, we will need an alert policy. And here we see one of the issues with working with M365. We have the new portals (Security portal, Compliance portal) but there are still some things we need to do in the old Security & Compliance portal. This is one of them. We need to go to https://protection.office.com/ and then Alerts, and under Alerts we see the option Alert policies. Select Alert policies and then +New alert policy. 

 Picture 2 - New Alert policy

This will bring up the following: 

Picture 3 - Name your alert

Give the new policy a name and a description, choose a severity, and then choose Data loss prevention as the category before selecting Next, where we will look at the alert settings.

Picture 4 - Create alert settings.

This is where we select an activity. Since we are looking for DLP, we search for and select DLP policy match. We can also decide how we want the alert to be triggered, and more, before we select Next to set the recipients.


Picture 5 - Set your recipients

Select the email recipients here and then select Next to review our settings.

 


Picture 6 - Review our settings

If you are happy with what you see here, select Finish. It is good to know that when we have created this it will still take a couple of hours (maybe more, maybe less) before we see the results. 

Picture 7 - DLP policy matches now visible under Alerts. 
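
The same alert policy can also be checked for and created from Security & Compliance PowerShell. This is an added example, not part of the original walkthrough: the policy name and recipient address are constructed, and the operation value 'DlpRuleMatch' and category value 'DataLossPrevention' are assumptions for the portal's "DLP policy match" activity and "Data loss prevention" category that you should confirm in your own tenant.

```powershell
# Added example: look for an enabled activity alert on DLP policy matches and
# create one if none exists. Requires the ExchangeOnlineManagement module and a
# role that is allowed to manage alert policies.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell, interactive sign-in

# Constructed sample values; replace with your own.
$policyName = 'DLP policy match alert'
$recipients = @('secops@contoso.example')

# Assumptions to verify in your tenant (see lead-in).
$operation = 'DlpRuleMatch'
$category  = 'DataLossPrevention'

# An existing, enabled alert policy that already watches the same activity.
$existing = Get-ProtectionAlert |
    Where-Object { $_.Operation -contains $operation -and -not $_.Disabled }

if ($existing) {
    # Nothing to create; show what is already in place and who gets notified.
    $existing | Format-Table Name, Severity, Category, NotifyUser -AutoSize
}
else {
    $params = @{
        Name            = $policyName
        Description     = 'Raise an alert for every DLP policy match'
        Category        = $category
        ThreatType      = 'Activity'   # alert on an audited activity
        Operation       = $operation
        Severity        = 'Medium'
        AggregationType = 'None'       # trigger on every matching event
        NotifyUser      = $recipients
    }
    New-ProtectionAlert @params
}
```

As with the portal steps, allow a couple of hours before matches start to show under Alerts.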

I am a big fan of DLP, and all the things we can use it for. These days you can use Endpoint DLP and use DLP on on-premises repositories, and it keeps getting better and better. I have been a little slow on the blogging front lately, but hopefully this was helpful. I will try to be a little more productive and add more content in the future.
