
Add Chat and Communication Protection Plugin for Teams DLP#218

Open
arunt14 wants to merge 2 commits into Azure:main from arunt14:feature/chat-communication-protection-plugin

Conversation


@arunt14 arunt14 commented Apr 3, 2026

Summary

Adds a new KQL-based community plugin with 9 dedicated skills for Microsoft Teams chat, channel, and meeting DLP investigation and communication compliance monitoring.

Intended Audience

  • SOC Analysts investigating DLP incidents involving Teams communications
  • Data Security Administrators monitoring Teams DLP policy effectiveness
  • Compliance Officers tracking communication compliance violations
  • Incident Responders building exfiltration timelines across Teams channels

What This Adds

Plugin: ChatCommunicationProtection

Location: Plugins/Community Based Plugins/ChatCommunicationProtection/
Files: KQL_ChatProtection.yml (plugin manifest) + Readme.md (documentation)

| # | Skill | Purpose |
|---|-------|---------|
| 1 | ChatDLPGetTeamsChatAlerts | DLP violations in private/group chat messages with policy details |
| 2 | ChatDLPGetChannelViolations | Channel-level DLP alerts summarized by team, channel, and policy |
| 3 | ChatDLPGetExternalSharingInTeams | Sensitive data shared with external/guest users through Teams |
| 4 | ChatDLPGetMeetingChatViolations | DLP alerts triggered during Teams meeting chat sessions |
| 5 | ChatDLPGetUserOverrides | DLP policy override/bypass pattern detection with justification tracking |
| 6 | ChatDLPGetCommunicationComplianceSummary | Communication compliance violations across Teams and Exchange |
| 7 | ChatDLPGetSensitiveDataInChats | Sensitive information type distribution and detection counts |
| 8 | ChatDLPGetChatExfiltrationTimeline | Chronological exfiltration timeline combining DLP + file operations |
| 9 | ChatDLPGetTeamsPolicyCoverage | DLP policy coverage analysis with gap identification |

Prerequisites

Supported Microsoft Products

Sample Prompts

Get all DLP alerts triggered in Teams chat messages for user user@contoso.com in the last 14 days
Show me DLP violations in Teams channels grouped by team and channel
Which sensitive data has been shared with external users through Teams?
Get DLP violations from Teams meeting chats in the last 7 days
Show me users who have overridden DLP policies in Teams in the last 30 days
Get communication compliance violation summary for user@contoso.com
What types of sensitive information are being detected in Teams chats?
Build a data exfiltration timeline for user@contoso.com across Teams chat
Analyze DLP policy coverage for Teams communications — which policies are active and where are the gaps?

Limitations

  • Results are limited to the data retention period in your Defender XDR tenant
  • Communication compliance skills require communication compliance policies configured in Purview
  • Meeting chat detection requires DLP policies scoped to Teams chat; meeting recordings/transcripts are not analyzed
  • External/guest detection relies on #EXT# identifiers; federated tenant users may not be detected
  • Read-only investigation — does not block, modify, or remediate content

Gap Addressed

The existing Purview plugin (KQL_DataAnalyst.yml) has only 1 Teams-related DLP skill (DLPTeamsDetectionsUser) which provides basic alert-level data. This plugin adds 9 purpose-built skills covering:

  • ✅ Chat message-level DLP analysis (private, group, channel, meeting)
  • ✅ External/guest user data exposure detection
  • ✅ User override pattern analysis with justification tracking
  • ✅ Communication compliance integration (previously zero coverage)
  • ✅ Data exfiltration timeline reconstruction
  • ✅ DLP policy coverage gap analysis for Teams

Technical Details

  • Format: KQL queries targeting CloudAppEvents in Microsoft Defender XDR
  • Data source: CloudAppEvents table (MicrosoftTeams workload filter)
  • Auth: Standard Defender XDR permissions — no additional configuration needed
  • Pattern: Follows established KQL_DataAnalyst.yml patterns with {{parameter}} substitution

Responsible AI

  • Plugin provides read-only security investigation capabilities
  • No automated remediation or content modification
  • All outputs are query results requiring analyst interpretation
  • Compliant with Microsoft Responsible AI Publishing Requirements

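As an added illustration of the query pattern the description outlines (CloudAppEvents, a Microsoft Teams workload filter, {{parameter}} substitution, and guest detection via the #EXT# marker), the following KQL is an example written for this page, not one of the PR's nine skills. The placeholder names {{UserPrincipalName}} and {{Days}} are assumed; the columns used are standard CloudAppEvents columns in Defender XDR advanced hunting.

```kql
// Added example, not part of the PR. The {{UserPrincipalName}} and {{Days}}
// placeholders are assumed names that the plugin framework substitutes
// before the query runs (e.g. "14" -> let lookback = 14d;).
let lookback = {{Days}}d;
let subject = "{{UserPrincipalName}}";
CloudAppEvents
| where Timestamp > ago(lookback)
// Workload filter: keep only Microsoft Teams activity.
| where Application == "Microsoft Teams"
// Scope to the investigated user (AccountId is often the UPN for M365 events).
| where AccountId =~ subject or AccountDisplayName =~ subject
// Expand the objects the activity touched (recipients, chats, files, ...).
| mv-expand Target = ActivityObjects
| extend TargetName = tostring(Target.Name), TargetType = tostring(Target.Type)
// Guest accounts carry "#EXT#" in their UPN. Federated-tenant users do not,
// which is the detection gap the PR notes under Limitations.
| where TargetName contains "#EXT#"
| summarize Events = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Actions = make_set(ActionType, 20)
          by Actor = AccountDisplayName, Guest = TargetName, TargetType
| order by Events desc
```

Because the filter keys on the #EXT# marker, a zero-row result does not prove no external sharing occurred; federated or B2B-direct-connect recipients need a different pivot.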
arunt14 added 2 commits April 3, 2026 15:18
Add a new KQL-based plugin with 9 skills for Teams chat, channel,
and meeting DLP investigation:

- ChatDLPGetTeamsChatAlerts: DLP violations in private/group chats
- ChatDLPGetChannelViolations: Channel-level DLP alerts by team
- ChatDLPGetExternalSharingInTeams: Sensitive data shared with guests
- ChatDLPGetMeetingChatViolations: DLP alerts in meeting chats
- ChatDLPGetUserOverrides: DLP policy override pattern detection
- ChatDLPGetCommunicationComplianceSummary: Communication compliance
- ChatDLPGetSensitiveDataInChats: Sensitive info type analysis
- ChatDLPGetChatExfiltrationTimeline: Exfiltration timeline builder
- ChatDLPGetTeamsPolicyCoverage: Policy coverage gap analysis

Addresses the critical gap where only 1 Teams DLP skill existed
(DLPTeamsDetectionsUser) with basic alert-level data only.

Add Responsible AI Publishing Requirements compliance:
- Intended audience, uses, and supported Microsoft products
- Limitations and scope documentation
- Prerequisites with Microsoft Learn links
- Step-by-step plugin upload instructions
- Authentication configuration notes