Add DLP Incident Investigation Promptbook#217

Open
arunt14 wants to merge 2 commits intoAzure:mainfrom
arunt14:feature/dlp-investigation-promptbook
Conversation

@arunt14 arunt14 commented Apr 3, 2026

Summary

Adds a comprehensive 8-step DLP Incident Investigation Promptbook — the first DLP-specific promptbook in the repository. It provides a structured, repeatable workflow for Security Analysts to investigate DLP incidents end-to-end.

Intended Audience

  • SOC Analysts investigating DLP alerts
  • Data Security Administrators performing DLP triage
  • Compliance Officers assessing data exposure risk
  • Incident Responders correlating activity across Microsoft 365

What This Adds

File: Promptbook samples/DLP Incident Investigation Promptbook.md

An 8-step investigation workflow that builds progressively:

| Step | Action | What It Does |
|---|---|---|
| 1 | Alert Triage | Retrieve and prioritize top DLP alerts by severity across all workloads |
| 2 | Alert Deep-Dive | Summarize the specific alert — policy, sensitive info types, actions taken |
| 3 | User Risk Assessment | Correlate insider risk level, DLP history, and Entra sign-in anomalies |
| 4 | File Activity Investigation | Track file access, sharing, label changes, downloads, external exposure |
| 5 | Cross-Workload Correlation | Map DLP violations across Exchange, Teams, SharePoint, OneDrive, Endpoints |
| 6 | Sensitivity Label Compliance | Check for unlabeled, downgraded, or removed sensitivity labels |
| 7 | Exfiltration Analysis | Detect email forwarding, USB copies, cloud uploads, external sharing |
| 8 | Investigation Summary | Generate executive-ready report with remediation recommendations |

Required Plugins

Prerequisites

  • Security Copilot enabled with appropriate permissions
  • Microsoft Purview, Defender XDR, and Entra plugins activated
  • DLP policies configured and active across workloads

Limitations

  • Results are limited to data retention periods configured in your tenant
  • Cross-workload correlation requires DLP policies enabled on the relevant workloads
  • The promptbook does not modify or remediate — it provides investigation insights only
  • AI-generated summaries should be validated before action

Gap Addressed

The repository contains 9 promptbooks for Defender/Sentinel workflows (anomalous sign-ins, phishing, threat bulletins, etc.) but zero promptbooks for DLP investigation — despite the Purview plugin having 40+ DLP skills. This promptbook fills that critical gap with a complete incident lifecycle workflow.

Responsible AI

  • Prompts are designed for security investigation use only
  • No automated remediation actions are taken
  • All outputs require human analyst validation
  • Follows existing promptbook patterns and standards in the repository

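The promptbook described above is a sequence of natural-language prompts run inside Security Copilot, so the PR itself carries no code. As an added example (not part of this PR, the promptbook, or the repository), the following Python sketches the same investigation logic over a handful of constructed DLP alert records: severity triage across workloads (step 1), per-user DLP history (step 3), cross-workload correlation (step 5), sensitivity label downgrade detection (step 6), exfiltration-indicator extraction (step 7) and a compact summary (step 8). The user names, policy names, action strings, workload names and label ranks are all assumptions for the example; they are not Purview's real schema, and the output is meant to be read by an analyst, not acted on automatically.

```python
"""Added example: toy DLP incident triage/correlation over constructed alerts.
Not part of the promptbook or the repository; every record below is invented
and the field/action names are placeholders, not Purview's real schema."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1}
# Assumed label ordering, lowest protection first.
LABEL_RANK = {"Public": 0, "General": 1, "Confidential": 2, "Highly Confidential": 3}
# Assumed action names that move data outside the tenant (step 7 indicators).
EXFIL_ACTIONS = {"EmailForwardExternal", "UsbCopy", "CloudUpload", "ExternalShare"}


@dataclass(frozen=True)
class DlpAlert:
    alert_id: str
    severity: str
    workload: str          # Exchange, Teams, SharePoint, OneDrive, Endpoint
    user: str
    policy: str
    sit: str               # sensitive information type that matched
    action: str
    label_before: Optional[str] = None
    label_after: Optional[str] = None


# Constructed sample data: a hypothetical tenant with three hypothetical users.
ALERTS = [
    DlpAlert("a1", "High", "Exchange", "alice@contoso.example", "PCI Policy",
             "Credit Card Number", "EmailForwardExternal"),
    DlpAlert("a2", "Medium", "OneDrive", "alice@contoso.example", "PCI Policy",
             "Credit Card Number", "ExternalShare"),
    DlpAlert("a3", "High", "Endpoint", "alice@contoso.example", "PCI Policy",
             "Credit Card Number", "UsbCopy"),
    DlpAlert("a4", "Low", "SharePoint", "alice@contoso.example", "Label Policy",
             "Credit Card Number", "LabelChange", "Highly Confidential", "General"),
    DlpAlert("a5", "Medium", "Teams", "bob@contoso.example", "PII Policy",
             "SSN", "MessageBlocked"),
    DlpAlert("a6", "Low", "Exchange", "carol@contoso.example", "PII Policy",
             "SSN", "EmailSentInternal"),
]


def triage(alerts, top_n=5):
    """Step 1: highest severity first; workload and id break ties deterministically."""
    ranked = sorted(alerts, key=lambda a: (-SEVERITY_RANK.get(a.severity, 0),
                                           a.workload, a.alert_id))
    return ranked[:top_n]


def user_dlp_history(alerts):
    """Step 3 (partial): number of DLP alerts per user as a prior-history signal."""
    return Counter(a.user for a in alerts)


def cross_workload(alerts, min_workloads=2):
    """Step 5: users whose alerts span at least `min_workloads` workloads."""
    by_user = defaultdict(set)
    for a in alerts:
        by_user[a.user].add(a.workload)
    return {u: sorted(w) for u, w in by_user.items() if len(w) >= min_workloads}


def label_downgrades(alerts):
    """Step 6: label changes that lowered the protection level."""
    return [a for a in alerts
            if a.label_before is not None and a.label_after is not None
            and LABEL_RANK.get(a.label_after, 0) < LABEL_RANK.get(a.label_before, 0)]


def exfiltration_indicators(alerts):
    """Step 7: per-user list of actions that move data outside the tenant."""
    found = defaultdict(list)
    for a in alerts:
        if a.action in EXFIL_ACTIONS:
            found[a.user].append(a.action)
    return dict(found)


def summarize(alerts):
    """Step 8: compact summary for an analyst; remediation stays a human decision."""
    history = user_dlp_history(alerts)
    exfil = exfiltration_indicators(alerts)
    # Rank users by number of exfiltration indicators, then by alert volume.
    priority_user = (max(history, key=lambda u: (len(exfil.get(u, [])), history[u]))
                     if history else None)
    return {
        "total_alerts": len(alerts),
        "by_severity": dict(Counter(a.severity for a in alerts)),
        "multi_workload_users": sorted(cross_workload(alerts)),
        "label_downgrades": len(label_downgrades(alerts)),
        "exfil_indicator_users": sorted(exfil),
        "priority_user": priority_user,
    }


if __name__ == "__main__":
    for a in triage(ALERTS):
        print(a.alert_id, a.severity, a.workload, a.user, a.action)
    print(summarize(ALERTS))
```

The point of the sketch is the shape of the workflow: each step consumes the same alert set and adds one dimension (severity, user history, workload spread, label drift, exfiltration actions), and the summary only ranks and counts; it never changes a policy or a label, matching the "investigation insights only" limitation stated above.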
arunt14 added 2 commits April 3, 2026 15:13
Add a comprehensive 8-step DLP investigation promptbook that guides
security analysts through the complete DLP incident lifecycle:

- Alert triage and prioritization
- Alert deep-dive analysis
- User risk profile assessment
- File and data activity investigation
- Cross-workload DLP correlation (Exchange, Teams, SharePoint, Endpoints)
- Sensitivity label compliance checking
- Data exfiltration indicator analysis
- Executive-ready investigation summary with remediation recommendations

This addresses the gap of having zero DLP-specific promptbooks in the
repository while 9 other promptbooks exist for Defender/Sentinel workflows.

Add Responsible AI Publishing Requirements compliance:
- Intended audience, uses, and supported Microsoft products
- Prerequisites with Microsoft Learn documentation links
- Limitations and disclaimer section
- Descriptive input parameter documentation