How to identify M365 DLP rule matches in Exchange Online
In this page
- How to find Exchange Online DLP email matches using Microsoft Purview
- How to find Exchange Online DLP email matches using Security & Compliance PowerShell
- How to view a list of DLP incidents in M365 Manager Plus
- Monitor your Exchange Online DLP policies and more
- Important tips
- Frequently asked questions
Tracking down specific emails flagged by your Exchange Online Data Loss Prevention (DLP) policies is a common requirement during a security audit or incident investigation. When a DLP rule match is detected, it signals a potential data leak or a misconfiguration that requires immediate attention. The manual approach involves digging through message traces and incident reports, which is slow and unreliable.
This guide shows you how to identify email matches using Microsoft's native tools, and how you can do it faster and more simply with ManageEngine M365 Manager Plus, a dedicated Microsoft 365 administration tool.
Method 1: How to find Exchange Online DLP email matches using Microsoft Purview
Prerequisites
You need to be assigned the Compliance Administrator or a similar role with permissions to view DLP reports.
Steps
- Log in to the Microsoft Purview compliance portal.
- Navigate to Solutions > Data loss prevention.
- Select Explorers > Activity Explorer.
- Click the Activity filter, select DLP Rule Matched, and click Apply.
- Click the Location filter, select Exchange, and click Apply.
Method 2: How to find Exchange Online DLP email matches using Security & Compliance PowerShell (Export-ActivityExplorerData)
Before using Security & Compliance PowerShell, verify that:
- The Compliance Administrator role is applied to the account you use to sign in to Security & Compliance PowerShell.
- The ExchangeOnlineManagement PowerShell module is installed. This module is required to connect to Security & Compliance PowerShell.
- If the ExchangeOnlineManagement PowerShell module is not installed, install it with this script:

```powershell
Install-Module ExchangeOnlineManagement -Scope CurrentUser
```

- Connect to Security & Compliance PowerShell with this script:

```powershell
Import-Module ExchangeOnlineManagement
Connect-IPPSSession
```
Using Export-ActivityExplorerData to find Exchange Online DLP email matches
The Export-ActivityExplorerData cmdlet starts an asynchronous job to export data from the Activity Explorer. After running the command, you must download the results from the Microsoft Purview portal.
Use this syntax to start an export job for all DLP incidents from the last 7 days:

```powershell
Export-ActivityExplorerData -StartTime (Get-Date).AddDays(-7) -EndTime (Get-Date) -ActivityType DlpRuleMatch -Source Exchange
```
After running the script, navigate to the Activity explorer in the Microsoft Purview portal and go to the Exports tab to download the generated CSV report.
Supported parameters
The following table contains some key parameters for the Export-ActivityExplorerData cmdlet to refine your search for DLP email incidents.
| Parameter | Description |
|---|---|
| StartTime | Specifies the start date and time of the activity log export. |
| EndTime | Specifies the end date and time of the activity log export. |
| ActivityType | Filters for specific events. Use DlpRuleMatch for DLP incidents. |
| Policy | The name of the DLP policy you want to get data for. |
| Source | The location where the activity occurred. For emails, use Exchange. |
| User | The user principal name (email address) of the user who performed the activity. |
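As an added example (not from the original page or from ManageEngine), the following script exports the last 7 days of Exchange DLP rule matches and pages through the results. It uses the -OutputFormat, -PageSize, -PageCookie and -Filter1/-Filter2 parameters from Microsoft's reference for this cmdlet, which differ from the shorthand names in the table above, so verify them with Get-Help Export-ActivityExplorerData in your module version; the output path and the Policy column name are assumptions.

```powershell
# Added example: export Exchange Online DLP rule matches from Activity Explorer to CSV.
# Assumes Connect-IPPSSession has already been run with a Compliance Administrator account,
# and that each call returns ResultData, LastPage and Watermark, with Watermark passed
# back as -PageCookie until LastPage is true (the documented paging model).
function Export-ExchangeDlpMatches {
    param(
        [int]$Days = 7,
        [string]$OutputPath = "C:\temp\DLP_Exchange_Matches.csv"   # assumed output location
    )

    $start  = (Get-Date).AddDays(-$Days)
    $end    = Get-Date
    $rows   = @()
    $cookie = $null

    do {
        $params = @{
            StartTime    = $start
            EndTime      = $end
            OutputFormat = 'Json'
            PageSize     = 5000
            # Filters are @(<field>, <value>) pairs: only DLP rule matches, only Exchange mail.
            Filter1      = @('Activity', 'DlpRuleMatch')
            Filter2      = @('Workload', 'Exchange')
        }
        if ($cookie) { $params['PageCookie'] = $cookie }

        $page = Export-ActivityExplorerData @params

        # ResultData arrives as a JSON string; convert it so Export-Csv can flatten the records.
        $data = $page.ResultData
        if ($data -is [string]) { $data = $data | ConvertFrom-Json }
        if ($data) { $rows += @($data) }

        $cookie = $page.Watermark
    } while (-not $page.LastPage)

    $rows | Export-Csv -Path $OutputPath -NoTypeInformation

    # Quick triage view: which policies fire most often in the window (Policy column assumed).
    $rows | Group-Object Policy | Sort-Object Count -Descending |
        Select-Object @{ n = 'Policy'; e = { $_.Name } }, Count
}

Export-ExchangeDlpMatches -Days 7
```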
Method 3: How to view a list of DLP incidents in M365 Manager Plus
M365 Manager Plus simplifies compliance management by providing prebuilt reports that enable you to view DLP incidents without needing to use PowerShell.
- Log in to M365 Manager Plus and click the Reports tab.
- Navigate to Exchange Online Reports > Mail Traffic Reports and select DLP Policy Matches.
- Click Export As and select your desired file format (CSV, XLSX, PDF, or HTML) to export the list of DLP policy matches.
Monitor your Exchange Online DLP policies and more
M365 Manager Plus enhances your Exchange Online data loss prevention strategy by turning complex compliance data into clear, actionable reports.
Real-time alerts on DLP incidents
Configure instant alerts for high-severity DLP violations. Get notified immediately when sensitive data is at risk, enabling you to take swift action to mitigate threats.
Bulk mailbox management
Simplify daily administrative tasks. Perform bulk actions like managing mailbox permissions (Send As, Send on Behalf, Full Access), configuring auto-replies, and setting storage quotas without complex scripting.
Comprehensive Exchange Online mailbox reports
Generate over 100 prebuilt reports on mailbox sizes, mail traffic, permissions, and inactive mailboxes. Gain full visibility into your Exchange Online environment without complex filtering or checking one mailbox at a time.
Eliminate PowerShell Complexity
Run detailed reports and perform complex management tasks in just a few clicks. M365 Manager Plus replaces the need to write, test, and maintain complex PowerShell scripts for your Exchange Online administration.
Important tips
- Regularly audit DLP policy matches: Periodically review your DLP matches with scheduled audits to make sure you act on any possible data leaks as soon as possible.
- Configure sensitivity labels: Configure sensitivity labels as DLP rules to receive specific alerts based on the data that triggers the DLP policy.
- Implement Adaptive Protection: Enhance security by integrating Microsoft Purview's Adaptive Protection with your DLP policies to apply them only to high-risk users.
Frequently asked questions
You can create a Microsoft 365 DLP policy in the Microsoft Purview compliance portal. Navigate to Data loss prevention > Policies, click Create policy, and use a template or create a custom policy. You can then proceed to name the policy, choose locations (like Exchange Online email), and configure the rules and actions of your DLP policies.
To view all M365 DLP policies, go to the Data loss prevention > Policies page in the Microsoft Purview compliance portal. To export a list of your DLP policies using PowerShell, run the Get-DlpCompliancePolicy cmdlet and pipe the output to a CSV file, as in the script below:

```powershell
Get-DlpCompliancePolicy | Select-Object Name, Mode, Enabled | Export-Csv -Path "C:\temp\DLP_Policies.csv" -NoTypeInformation
```
You can track DLP policy modifications by searching the Microsoft Purview audit log for activities such as "NewDlpCompliancePolicy," "SetDlpCompliancePolicy," or "RemoveDlpCompliancePolicy." The audit log will show which administrator made the change and when.
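The audit-log search described above, as an added example that is not part of the original page: it pulls the three policy operations named there from the unified audit log and flattens each record into who changed which policy, and when. It assumes Connect-IPPSSession has already been run and that the AuditData JSON carries the standard ObjectId and Parameters fields for cmdlet audit records.

```powershell
# Added example: list DLP policy changes from the unified audit log so a reviewer can see
# which administrator created, changed or removed a policy and with what arguments.
function Get-DlpPolicyChanges {
    param([int]$Days = 30)

    # Operations named on the page; add further cmdlet names here if you also audit DLP rules.
    $operations = 'NewDlpCompliancePolicy', 'SetDlpCompliancePolicy', 'RemoveDlpCompliancePolicy'

    # ResultSize caps at 5000 per call; use -SessionCommand ReturnLargeSet to page beyond that.
    $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
                                      -Operations $operations -ResultSize 5000

    foreach ($rec in $records) {
        $data = $rec.AuditData | ConvertFrom-Json

        # Cmdlet audit records carry the cmdlet's arguments as Name/Value pairs (assumed field
        # names); flatten them so the policy touched and the settings changed are visible.
        $argText = ($data.Parameters | ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }) -join '; '

        [pscustomobject]@{
            When       = $rec.CreationDate
            Admin      = $rec.UserIds
            Operation  = $rec.Operations
            Target     = $data.ObjectId
            Parameters = $argText
        }
    }
}

# Newest first, plus a per-admin count to spot an account making unexpected policy changes.
$changes = Get-DlpPolicyChanges -Days 30 | Sort-Object When -Descending
$changes | Format-Table When, Admin, Operation, Target -AutoSize
$changes | Group-Object Admin | Select-Object Name, Count
```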
To get a list of all DLP policies in your environment, connect to Security & Compliance PowerShell and run the Get-DlpCompliancePolicy cmdlet. You can use it with Select-Object to view specific details, like this:

```powershell
Get-DlpCompliancePolicy | Select-Object Name, IsEnabled, Mode
```
