Getting DLP health and sync status into other applications

Anonymous
2025-04-09T14:03:02+00:00

I am trying to pull in the DLP health sensor data that you can see in both the security portal and the compliance portal, specifically wanting to check if DLP is enabled and if the policy sync status is up to date for devices. We need an automated way to gather this information, or an automated way to alert on this information that can be pulled via an API.

There are APIs for pulling the Defender health information, but they don't contain any information on the DLP status. There doesn't seem to be any way to configure alerts for devices having DLP disabled or out of sync to at least pull the alert into another tool, or even alert within the Microsoft tool itself. Is there any way of gathering this information, without having to manually go into the individual devices in the security portal or having to go into settings and device onboarding in the Purview console?


Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.


1 answer

  1. Anonymous
    2025-04-09T20:33:48+00:00

    Hello Kai,

    Thank you for contacting Microsoft Community Support.

    You can access DLP health sensor data from both the Microsoft security portal and OneDrive by using Microsoft Sentinel or querying through the Microsoft Purview compliance portal.

    Accessing DLP Health Sensor Data:

    • Using Microsoft Defender Portal: Navigate to the Microsoft Defender portal to view DLP alerts. These alerts are crucial in assessing whether DLP is enabled and checking policy sync status for devices. Access the Incidents and Alerts section to review all incidents grouped under DLP alerts.
    • Integrating with Microsoft Sentinel: To extend your investigative capabilities, you can use the Microsoft 365 Defender connector in Microsoft Sentinel. This will allow you to pull in all DLP incidents, providing a unified view of security incidents across data sources including DLP alerts and health status. Ensure the CloudAppEvents event connector is enabled to pull all Office 365 audit logs into Sentinel. You can then view DLP incidents within Sentinel after setting up the connector.
    • Using Advanced Hunting: For more detailed queries and data extraction, utilize the advanced hunting capabilities within Microsoft Defender. You can query data using the KQL (Kusto Query Language) to focus on specific device sync statuses and DLP health indicators. Queries can be tailored to return specific DLP event types, user interactions, and policy matches, helping you understand the compliance posture across your organization.
    • Configuration and Automation: As you implement solutions, consider automating reports or alerts for devices with DLP disabled or out of sync using the existing APIs or automation rules in Sentinel. Automated scripts can aid in ongoing monitoring without manual checks per device.

    Hope this helps you. Please feel free to reach out if you have any concerns.

    Regards,

    Zenitsu | Microsoft Community Support Specialist
