View the reports for data loss prevention

After you create your data loss prevention (DLP) policies, you’ll want to verify that they’re working as you intended and helping you to stay compliant. With the DLP reports in Office 365, you can quickly view the number of DLP policy matches, overrides, or false positives; see whether they’re trending up or down over time; filter the report in different ways; and view additional details by selecting a point on a line on the graph.

You can use the DLP reports to:

  • Focus on specific time periods and understand the reasons for spikes and trends.

  • Discover business processes that violate your organization’s DLP policies.

  • Understand any business impact of the DLP policies.

  • View the justifications submitted by users when they resolve a policy tip by overriding the policy or reporting a false positive.

  • Verify compliance with a specific DLP policy by showing any matches for that policy.

  • View a list of files with sensitive data that matches your DLP policies in the details pane.

In addition, you can use the DLP reports to fine tune your DLP policies as you run them in test mode.

DLP report showing policy matches

View the DLP reports

  1. Office 365 admin center.

  2. Navigate to Admin centers > Security & Compliance. You're now in the Office 365Security & Compliance Center.

  3. Navigate to Reports > View reports. Under Data loss prevention (DLP), go to either DLP policy and rule matches or DLP false positives and overrides.

    Reports page in the Office 365 Security & Compliance Center

  4. You can filter the reports by date, location, and policy or rule.

    DLP report showing options to filter

  5. If you choose the DLP policy and rule matches report, select a point on a line on the graph to view details about matches.

    The details pane appears below the graph. Here you can view:

    • The specific rule and action that matched the content.

    • The file name and path of content that matched the rule.

    • Who last modified the content.

    • What types and count of sensitive information were detected.

    Note: A match is logged only the first time a file matches a rule. But if you edit a rule in a DLP policy, a newer version of the rule is created, so another match will be logged if the file matches the new version of the rule.

    DLP report with details pane below the chart

  6. If you choose the DLP false positives and overrides report, select a point on a line on the graph to view details about overrides or false positives.

    The details pane appears below the graph. Here you can view:

    • The specific rule that matched the content.

    • The file name and path of content that matched the rule.

    • Who last modified the content.

    • What types and count of sensitive information were detected.

    • The justifications submitted by users when they resolved a policy tip.

    DLP false positives and overrides report showing user justification text

Find the cmdlets for the DLP reports

To use most of the cmdlets for the Security & Compliance Center, you need to:

  1. Connect to the Office 365 Security & Compliance Center using remote PowerShell

  2. Use any of these Office 365 Security & Compliance Center cmdlets

However, DLP reports need pull data from across Office 365, including Exchange Online. For this reason, the cmdlets for the DLP reports are available in Exchange Online Powershell—not in Security & Compliance Center Powershell. Therefore, to use the cmdlets for the DLP reports, you need to:

  1. Connect to Exchange Online using remote PowerShell

  2. Use any of these cmdlets for the DLP reports:

Share Facebook Facebook Twitter Twitter Email Email

Was this information helpful?

Great! Any other feedback?

How can we improve it?

Thank you for your feedback!

×