---
id: microsoft-purview-data-loss-prevention
title: Microsoft Purview Data Loss Prevention
sidebar_label: Microsoft Purview Data Loss Prevention
description: The Sumo Logic App for Microsoft Purview Data Loss Prevention outlines the steps required to collect and analyze the alert data from the Azure security platform to the Sumo Logic platform.
slug: /help/docs/integrations/microsoft-azure/microsoft-purview-data-loss-prevention/
canonical: https://www.sumologic.com/help/docs/integrations/microsoft-azure/microsoft-purview-data-loss-prevention/
---

import useBaseUrl from '@docusaurus/useBaseUrl';

Microsoft Purview Data Loss Prevention (DLP) is a tool that helps you prevent the accidental or intentional sharing of sensitive information, such as credit card numbers, social security numbers, or confidential business data, across Microsoft 365 environments. It’s part of the Microsoft Purview suite, which focuses on data governance, compliance, and risk management.

This document outlines the steps required to collect and analyse [Microsoft Purview Data Loss Prevention](https://www.microsoft.com/en-us/security/business/information-protection/microsoft-purview-data-loss-prevention) alerts in the Sumo Logic platform.

## Set up collection

:::note
Skip this step if you have already configured the Microsoft Graph Security API Source.
:::

Use the [Cloud-to-Cloud Integration for Microsoft Graph Security API](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/microsoft-graph-security-api-source/) to ingest security alert data from Microsoft Purview Data Loss Prevention into the Sumo Logic platform.

## Search alerts

Use the following query to retrieve alerts generated by Microsoft Purview Data Loss Prevention.

```sumo
_sourceCategory=Labs/MicrosoftGraphSecurity
| json field=_raw "serviceSource" as service_source
| where service_source = "dataLossPrevention"
```

## Analyse alerts

Use the following query to extract detailed insights from the alert data:

```sumo
_sourceCategory=Labs/MicrosoftGraphSecurity
// Extract the alert fields; nodrop keeps records where a key is missing
| json "id", "status", "severity", "category", "title", "description", "classification", "determination", "serviceSource", "detectionSource", "alertWebUrl", "comments[*]", "evidence[*]" as alert_id, status, severity, category, title, description, classification, determination, service_source, detection_source, alert_url, comments, evidence_info nodrop
// Keep only alerts raised by Data Loss Prevention
| where service_source = "dataLossPrevention"
| where severity matches "*" and status matches "*" and classification matches "*"
// Show "-" for fields that are not populated
| if(isNull(category), "-", category) as category
| if(isNull(classification), "-", classification) as classification
| if(isNull(determination), "-", determination) as determination
| count by _messageTime, status, severity, category, title, description, classification, determination, alert_url, alert_id
// Sort on the numeric timestamp: the formatted dd-MM-yyyy string does not sort chronologically
| sort by _messageTime
| formatDate(toLong(_messageTime), "dd-MM-yyyy HH:mm:ss") as time
// Render the alert ID as a link to the alert in the Microsoft portal
| tourl(alert_url, alert_id) as alert_id
| fields time, alert_id, title, description, alert_url, status, severity, category, classification, determination
| fields -_messageTime
```