Microsoft Purview compliance portal: Endpoint Data Loss Prevention - Ability to fetch the original file resulting in policy match as evidence (Microsoft Managed storage)
🚨 The Signal: Endpoint DLP can now store a copy of each file that triggers a policy match, using Microsoft-managed storage. This simplifies evidence collection for data exfiltration analysis, improving incident response and severity assessment.
The Impact
Security teams and DLP administrators are affected; they gain improved capabilities for investigating data loss incidents and assessing risk.
- Security Teams: Enhanced ability to investigate data exfiltration incidents.
- DLP Administrators: Simplified configuration for evidence collection.
- Compliance Officers: Better evidence for demonstrating data protection compliance.
- Incident Responders: Faster access to original files for severity assessment.
The Action
- Navigate to Microsoft Purview compliance portal > Data loss prevention > Endpoint DLP settings.
- Select 'Microsoft managed storage' for evidence collection.
- Review existing Endpoint DLP policies to ensure they are configured to 'Store original file as evidence' where appropriate.
Domain: Purview · Impact: high · Workload: Microsoft Purview