Data Loss Prevention

Question 1

What is the primary goal of Microsoft Purview Data Loss Prevention (DLP)?

Answer 1

To avoid unintentional data leaks and ensure sensitive data is protected.

Question 2

How does DLP identify and monitor sensitive data?

Answer 2

DLP identifies sensitive data and monitors specific locations (e.g., SharePoint, OneDrive, Exchange, endpoints) for potential breaches.

Question 3

What happens when a DLP rule is breached?

Answer 3

Automated actions are triggered based on the rule’s conditions, and alerts are generated, which can be reviewed and responded to in the Compliance Portal.

Question 4

How does DLP help educate users?

Answer 4

DLP policies provide policy tips or notifications to educate users when they unintentionally risk data leakage.

Question 5

What tools in the Data Classification view help identify sensitive content?

Answer 5

The Content Explorer and the Activity Explorer.

Question 6

What does the Content Explorer do?

Answer 6

It allows you to search documents and emails by Sensitive Information Types (SITs) and filter information across SharePoint, OneDrive, and Exchange.

Question 7

What does the Activity Explorer track?

Answer 7

It logs the last 30 days of actions on labeled data, providing insights into activities like sharing or printing sensitive documents.

Question 8

How can Trainable Classifiers be used in DLP?

Answer 8

Trainable Classifiers help identify more complex, custom-sensitive information that does not fit pre-built SITs.

Question 9

What is the difference between pre-built and custom DLP policies?

Answer 9

Pre-built policies are designed to comply with regulatory standards (e.g., GDPR, HIPAA), while custom policies allow you to define specific rules tailored to your organization.

Question 10

What are the steps to configure a DLP policy?

Answer 10

1) Choose pre-built or custom, 2) Name the policy, 3) Select locations, 4) Define policy settings, 5) Choose the policy mode (Test or Enforce).

Question 11

What is the difference between Test Mode and Enforce Mode?

Answer 11

In Test Mode, policy breaches are logged but no actions are enforced. In Enforce Mode, actual actions (e.g., block or notify) are taken when breaches occur.

Question 12

What is the purpose of the Rule Editor in DLP?

Answer 12

The Rule Editor allows the creation of custom rules, with conditions, actions, and exceptions.

Question 13

What are the default rules in DLP based on?

Answer 13

Default rules are usually set to detect low-volume breaches (e.g., 1-2 policy breaches trigger a warning) and high-volume breaches (e.g., 100+ SITs shared externally trigger a security breach alert).

Question 14

What factors influence the conditions in a DLP rule?

Answer 14

Conditions depend on the locations being monitored (e.g., different conditions for email vs endpoints).

Question 15

What types of actions can DLP policies enforce?

Answer 15

Actions can include blocking, restricting, notifying users, or triggering DLP alerts.

Question 16

What is the Override feature in DLP actions?

Answer 16

It allows users to override restrictions if the rule breach is not severe, but they must justify their actions.

Question 17

What are the actions specific to Endpoint DLP?

Answer 17

Endpoint DLP can restrict file activities like copying, saving, or printing sensitive data on devices that have been onboarded.

Question 18

What must be done before devices can be monitored with Endpoint DLP?

Answer 18

Devices need to be onboarded into Microsoft Defender for Endpoint.

Question 19

Where can you configure DLP alerts in a policy?

Answer 19

In the Incident Reports section of each policy rule.

Question 20

How can DLP alerts be customized?

Answer 20

Alerts can be set to different severity levels and configured to be sent to specific recipients.

Question 21

What information does a DLP alert typically contain?

Answer 21

DLP alerts include details such as the rule breached, the sensitive data involved, and the user who triggered the alert.

Question 22

How should DLP alerts be handled in the Compliance Portal?

Answer 22

Alerts should be reviewed, and appropriate actions (e.g., resolving or escalating) should be taken to mitigate the risk.

Question 23

What are false positives in DLP, and why are they problematic?

Answer 23

False positives occur when a policy breach is triggered by non-sensitive data. They clutter the alert dashboard, reduce trust in the system, and cause users to ignore policy tips.

Question 24

What are false negatives in DLP, and why are they critical?

Answer 24

False negatives happen when a real breach does not trigger an alert, leading to undetected data leaks, which can result in severe consequences.

Question 25

Why is policy tuning important in DLP?

Answer 25

Tuning policies helps reduce false positives and false negatives, ensuring that DLP accurately detects and mitigates real risks.

Question 26

How does DLP integrate with other Microsoft Purview tools?

Answer 26

DLP integrates with tools like Insider Risk Management and Microsoft Defender to provide a comprehensive data protection strategy.

Question 27

What role do DLP reports play in managing data protection?

Answer 27

DLP reports provide insights into policy effectiveness, data protection trends, and allow admins to monitor and adjust policies for better outcomes.