Alert Response: Purview, XDR & Cloud Apps
DLP alerts, insider risk alerts, Defender XDR incidents and Cloud Apps file policy alerts all need a response. Know which portal handles which alert type and how to respond effectively across platforms.
Alerts come from everywhere
Imagine you’re the head of security for a building complex with four separate alarm systems.
The fire alarm goes to the fire panel. The intruder alarm goes to the security desk. The car park barrier alarm goes to reception. And the server room temperature alarm goes to IT.
Microsoft’s information security alerts work similarly — DLP alerts appear in the Purview portal, insider risk alerts in IRM, security incidents in Defender XDR, and cloud app alerts in Defender for Cloud Apps. Knowing which console handles which alert type is critical for fast response.
Alert sources and portals
| Alert Type | Where It Appears | Generated By | Response Actions |
|---|---|---|---|
| DLP alerts | Microsoft Purview portal → DLP → Alerts | DLP policy rule matches | Review event details, view content, modify policy, dismiss, or escalate |
| Insider risk alerts | Purview → Insider Risk Management → Alerts | IRM policy triggers | Triage (confirm/dismiss), open case, investigate, send notice |
| Purview alerts in XDR | Microsoft Defender XDR → Incidents & Alerts | Purview alerts forwarded to XDR for unified view | Correlate with other security signals, assign to analyst, take remediation actions |
| Cloud Apps file policy alerts | Defender for Cloud Apps → Alerts | File policy matches in connected cloud apps | Quarantine file, remove sharing, apply label, notify user, close alert |
Responding to DLP alerts
DLP alert page (Purview portal)
| Information | What You See |
|---|---|
| Alert summary | Policy name, rule matched, severity, timestamp |
| User | Who triggered the alert |
| Content | The item (email, document, message) that matched |
| Match details | Which SIT matched, confidence level, instance count |
| Activity | What the user was doing (sharing, emailing, copying) |
| Location | Exchange, SharePoint, OneDrive, Teams, or endpoint |
Response actions for DLP alerts
| Action | When to Use |
|---|---|
| Dismiss | False positive — the match is incorrect or the activity is legitimate |
| View content | Inspect the actual content to confirm the detection accuracy |
| Investigating / Resolve | Set the status to Investigating while you work the alert, then Resolved once corrective action has been taken (the alert can also be assigned to a named analyst) |
| Modify policy | Adjust the DLP rule if the alert reveals a tuning issue (wrong SIT, confidence level or instance count) |
| Escalate | Hand off to Insider Risk Management or eDiscovery when the event points to a broader investigation than a single policy match |
Responding to insider risk alerts
Insider risk alerts follow the workflow covered in Module 19:
- Triage: Confirm (escalate to case), Dismiss, or Resolve
- Case investigation: Timeline, content explorer, user activity
- Actions: Send notice, escalate to eDiscovery, resolve case
The key distinction: insider risk alerts are about behaviour patterns (the user is showing risky behaviour over time), not single events.
Purview alerts in Defender XDR
Microsoft Defender XDR provides a unified alert view that includes Purview alerts alongside security alerts from Defender for Endpoint, Defender for Office 365, and other Defender services.
Why alerts appear in XDR
| Benefit | What It Provides |
|---|---|
| Correlation | Link a DLP alert with a Defender for Endpoint alert — e.g., a user triggered DLP by sharing sensitive data AND their device is compromised |
| Unified investigation | One console for security teams instead of switching between Purview and Defender |
| Incident grouping | Related alerts from different sources are grouped into incidents |
| Automated investigation | Automated investigation and response can investigate and remediate supported Defender alerts (for example Defender for Endpoint and Defender for Office 365 alerts); Purview alerts are correlated into the incident rather than auto-remediated, so their response actions stay manual |
Responding in XDR
| Action | What It Does |
|---|---|
| Assign | Assign the incident to a security analyst |
| Classify | Mark as true positive, false positive, or informational |
| Link alerts | Connect related alerts from different sources into one incident |
| Remediate | Take action — isolate device, disable account, block sender |
| Close | Resolve the incident with a classification |
Cloud Apps file policy alerts
When a file policy in Defender for Cloud Apps detects a violation, the alert offers the governance actions below. The same actions can be configured on the policy itself so they run automatically on a match, without waiting for an analyst.
Response actions
| Action | What It Does |
|---|---|
| Quarantine | Move the file to a quarantine folder — user cannot access it |
| Remove sharing | Remove external sharing links from the file |
| Apply label | Apply a sensitivity label to the file |
| Notify user | Send an email notifying the user of the policy violation |
| Notify admin | Alert the security or compliance team |
| Close alert | Dismiss or resolve after review |
Scenario: Marcus responds to a multi-platform alert
NovaTech’s security gets three alerts within an hour:
- DLP alert (Purview): A developer shared a document containing source code with an external email address
- Cloud Apps alert: The same document appeared in a connected Google Drive with external sharing enabled
- Defender XDR incident: The developer’s device shows unusual network traffic to an unknown IP
Marcus’s response:
- Opens Defender XDR to see all three alerts correlated into one incident
- The correlation suggests the developer's account may be compromised, so the sharing may not have been intentional
- Action: Disable the account and initiate a password reset (XDR), quarantine the Google Drive file and remove its external sharing (Cloud Apps), review the DLP alert content and the external recipient (Purview)
- Close: Classify as true positive — compromised account leading to data exposure
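The correlation rule this page describes (alerts about the same user raised close together are grouped into one Defender XDR incident, while a standalone alert is handled in its originating console) and the NovaTech scenario above, as an added example that is not Microsoft code and not part of the original page. It works on constructed alert records in a simplified shape; the field names, the one-hour correlation window, the `correlate` and `triage` functions and the sample alerts are assumptions for illustration, not the Graph security API or XDR's real grouping logic.

```python
"""Correlate DLP, Cloud Apps and endpoint alerts about one user into incidents
and decide which console owns the response. Added example; the alert shape,
field names, window and sample data below are assumptions, not Microsoft's."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Alert:
    alert_id: str
    source: str        # assumed values: "dlp" | "cloud_apps" | "endpoint"
    user: str          # UPN the alert is about (assumed present on every alert)
    created: datetime
    title: str


@dataclass
class Incident:
    user: str
    alerts: list = field(default_factory=list)

    @property
    def last(self) -> datetime:
        return max(a.created for a in self.alerts)

    @property
    def sources(self) -> set:
        return {a.source for a in self.alerts}


# Routing for a standalone alert, as laid out on this page.
PORTAL = {
    "dlp": "Purview portal: DLP alerts",
    "cloud_apps": "Defender for Cloud Apps: Alerts",
    "endpoint": "Defender XDR: Incidents & alerts",
}
STANDALONE_ACTIONS = {
    "dlp": ["view content", "dismiss or resolve", "tune the policy if needed"],
    "cloud_apps": ["quarantine file", "remove external sharing", "notify user"],
    "endpoint": ["isolate device", "run automated investigation"],
}
EXFIL_SOURCES = {"dlp", "cloud_apps"}   # alerts that mean data left the tenant


def correlate(alerts, window=timedelta(hours=1)):
    """Group alerts by user. An alert joins the user's current incident when it
    was raised within `window` of that incident's latest alert; otherwise it
    opens a new incident. Alerts are processed in time order so grouping is stable."""
    incidents, current = [], {}
    for alert in sorted(alerts, key=lambda a: a.created):
        inc = current.get(alert.user)
        if inc is None or alert.created - inc.last > window:
            inc = Incident(user=alert.user)
            incidents.append(inc)
            current[alert.user] = inc
        inc.alerts.append(alert)
    return incidents


def triage(incident):
    """Pick the console and response for an incident, following the exam tip:
    single source -> originating portal; several sources -> Defender XDR."""
    sources = incident.sources
    if len(sources) == 1:
        (src,) = sources
        return {"portal": PORTAL[src],
                "verdict": "standalone alert; triage in the originating console",
                "actions": list(STANDALONE_ACTIONS[src])}
    actions = []
    if "endpoint" in sources:
        actions.append("Defender XDR: isolate device, disable account, reset password")
    if "dlp" in sources:
        actions.append("Purview: review matched content and external recipients")
    if "cloud_apps" in sources:
        actions.append("Cloud Apps: quarantine file, remove external sharing")
    compromised = bool(sources & EXFIL_SOURCES) and "endpoint" in sources
    return {"portal": "Defender XDR: unified incident view",
            "verdict": ("true positive: possible compromised account with data exposure"
                        if compromised else "multi-source incident; investigate together"),
            "actions": actions}


# Constructed sample alerts mirroring the NovaTech scenario, plus two unrelated ones.
T0 = datetime(2024, 5, 14, 9, 0)
SAMPLE_ALERTS = [
    Alert("dlp-1", "dlp", "dev@novatech.example", T0, "Source code shared with external recipient"),
    Alert("mcas-7", "cloud_apps", "dev@novatech.example", T0 + timedelta(minutes=20), "File externally shared in Google Drive"),
    Alert("mde-3", "endpoint", "dev@novatech.example", T0 + timedelta(minutes=45), "Unusual network traffic to unknown IP"),
    Alert("dlp-2", "dlp", "hr@novatech.example", T0 + timedelta(minutes=10), "Credit card numbers in outbound email"),
    Alert("dlp-3", "dlp", "dev@novatech.example", T0 + timedelta(hours=5), "Confidential document emailed externally"),
]


def run(alerts=SAMPLE_ALERTS, window=timedelta(hours=1)):
    """Return (user, sorted alert ids, triage decision) per incident, in creation order."""
    return [(inc.user, sorted(a.alert_id for a in inc.alerts), triage(inc))
            for inc in correlate(alerts, window)]


if __name__ == "__main__":
    for user, ids, decision in run():
        print(f"{user}: {ids} -> {decision['portal']} | {decision['verdict']}")
```

The third `dev@` alert arrives five hours after the endpoint alert, so with the one-hour window it opens a second, standalone incident routed to Purview; widening the window folds it into the first incident. Real XDR grouping also keys on device and entity evidence, not only the user, which this simplified example does not model.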
Exam tip: which portal for which alert
The exam tests your knowledge of alert routing:
- DLP policy match alert → Purview portal DLP alerts page
- Insider risk alert → Purview portal Insider Risk Management
- Cross-platform security incident → Microsoft Defender XDR
- Third-party cloud app file violation → Defender for Cloud Apps
If the question mentions correlation between DLP and endpoint alerts, the answer is Defender XDR (unified view). If it’s a standalone DLP alert, the answer is the Purview portal.
A DLP alert in the Purview portal shows that a user at St. Harbour Health emailed a document containing 15 patient identifiers to an external address. Simultaneously, Defender for Endpoint shows the user's device communicating with a known malware C2 server. Where should Dr. Liam investigate?
Next up: DSPM for AI: Setup & Controls — the newest exam topic. Protect your organisation’s data from exposure through AI services like Microsoft Copilot.