
Add Enhanced DLP Analytics and Cross-Workload Correlation Plugin#219

Open

arunt14 wants to merge 2 commits into Azure:main from arunt14:feature/dlp-alerts-cross-workload

Conversation

@arunt14 arunt14 commented Apr 3, 2026

Summary

Adds a new KQL-based plugin with 7 advanced DLP analytics skills for cross-workload correlation, false positive analysis, policy health monitoring, and sensitivity label compliance tracking. Also adds 12 new sample prompts and comprehensive documentation.

Intended Audience

  • SOC Analysts investigating multi-workload DLP incidents
  • Data Security Administrators tuning DLP policy effectiveness
  • Compliance Officers assessing policy coverage and label compliance
  • Security Managers monitoring organizational DLP posture

What This Adds

Plugin: DLPEnhancedAnalytics

Location: Plugins/Community Based Plugins/Purview/KQL_DLPEnhanced.yml
Documentation: Plugins/Community Based Plugins/Purview/KQL_DLPEnhanced_README.md

| # | Skill | Purpose |
|---|---|---|
| 1 | DLPCrossWorkloadCorrelation | Unified view of user DLP violations across Exchange, Teams, SharePoint, OneDrive, Endpoints |
| 2 | DLPFalsePositiveAnalysis | Override rate analysis with risk classification (High/Medium/Low/Minimal) |
| 3 | DLPPolicyCoverageGaps | Detect workloads with zero DLP coverage — flags critical gaps |
| 4 | DLPHighRiskUsersAcrossWorkloads | Multi-workload violation flagging with risk scores (Critical/High/Medium/Low) |
| 5 | DLPAlertTrendAnalysis | Daily time-series trends with severity distribution for spike detection |
| 6 | DLPLabelDowngradeRemoval | Track sensitivity label downgrades/removals (DLP bypass detection) |
| 7 | DLPPolicyHealthCheck | Policy health dashboard: match rates, override rates, Healthy/Unhealthy status |

Updated Sample Prompts

Location: Sample Prompts/Microsoft Purview/Readme.md

Added 4 new categories with 12 sample prompts:

  • Cross-Workload DLP Correlation — correlate alerts across all platforms
  • DLP False Positive Analysis — analyze override rates and policy effectiveness
  • DLP Policy Health and Coverage — health checks and coverage gap detection
  • Sensitivity Label Compliance — label downgrade and removal tracking

Prerequisites

Supported Microsoft Products

Relationship to Existing Plugin

This plugin complements the existing KQL_DataAnalyst.yml without overlap:

| Capability | Existing Plugin | This Plugin |
|---|---|---|
| Per-workload DLP alerts | ✅ 15 skills | |
| Sensitivity file monitoring | ✅ 16 skills | |
| DLP policy tuning | ✅ 5 skills | |
| Cross-workload correlation | | |
| False positive analysis | | |
| Policy coverage gaps | | |
| High-risk user scoring | | |
| Alert trend analysis | | |
| Label downgrade tracking | | |
| Policy health dashboard | | |

Sample Prompts

Correlate all DLP alerts for user user@contoso.com across all workloads in the last 14 days
Which DLP policies have the highest false positive override rates?
Identify DLP policy coverage gaps — which workloads have no protection?
Show me users with DLP violations across 2+ workloads — who are highest risk?
Show me DLP alert trends over the last 30 days — are there any spikes?
Which users have downgraded or removed sensitivity labels recently?
Run a DLP policy health check — show effectiveness for all policies

Limitations

  • Results limited to CloudAppEvents data retention period in your tenant
  • Cross-workload correlation requires DLP policies enabled on the relevant workloads
  • False positive analysis uses override rates as a proxy — high overrides may also indicate user training gaps
  • Policy coverage gap detection identifies workloads with zero matches; no matches could also mean no sensitive data activity
  • Read-only analytics — does not modify policies, labels, or permissions

Responsible AI

  • Plugin provides read-only security analytics and investigation capabilities
  • No automated remediation, policy changes, or user restrictions
  • Risk scores and health statuses are computed metrics requiring analyst interpretation
  • Compliant with Microsoft Responsible AI Publishing Requirements
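Added illustrative example, not the plugin's KQL or any code from this PR: a plain-Python model of skills 1 to 4 above, run over constructed DLP match records, so the reasoning behind override-rate bands, the coverage-gap caveat from the Limitations section and multi-workload risk tiers can be followed offline. The record fields, the band thresholds and the tier cut-offs are all assumptions made for the example.

```python
from collections import Counter, defaultdict

# Constructed sample DLP rule matches (not real tenant data). Each record is one
# policy match on one workload; `overridden` models the user overriding it.
MATCHES = [
    {"user": "alice@contoso.com", "workload": "Exchange",   "policy": "PII-Email", "overridden": False},
    {"user": "alice@contoso.com", "workload": "Teams",      "policy": "PII-Chat",  "overridden": False},
    {"user": "alice@contoso.com", "workload": "SharePoint", "policy": "PII-Files", "overridden": False},
    {"user": "bob@contoso.com",   "workload": "Exchange",   "policy": "PII-Email", "overridden": True},
    {"user": "bob@contoso.com",   "workload": "Exchange",   "policy": "PII-Email", "overridden": True},
    {"user": "bob@contoso.com",   "workload": "Exchange",   "policy": "PII-Email", "overridden": False},
    {"user": "carol@contoso.com", "workload": "OneDrive",   "policy": "PII-Files", "overridden": False},
]
WORKLOADS = ("Exchange", "Teams", "SharePoint", "OneDrive", "Endpoint")

def cross_workload_view(matches, user):
    """Skill 1 analogue: one user's match counts per workload."""
    return dict(Counter(m["workload"] for m in matches if m["user"] == user))

def override_rates(matches):
    """Skill 2 analogue: per-policy share of matches that the user overrode."""
    total, overridden = Counter(), Counter()
    for m in matches:
        total[m["policy"]] += 1
        overridden[m["policy"]] += int(m["overridden"])
    return {p: overridden[p] / total[p] for p in total}

def classify_override(rate):
    """Hypothetical thresholds (assumed, not the plugin's) for the PR's
    High/Medium/Low/Minimal bands. The rate is only a proxy for false
    positives; as the PR notes, it may also reflect user training gaps."""
    return "High" if rate >= 0.5 else "Medium" if rate >= 0.25 else "Low" if rate >= 0.1 else "Minimal"

def coverage_gaps(matches, workloads=WORKLOADS):
    """Skill 3 analogue: workloads with zero matches. Per the PR's Limitations,
    zero matches may mean no policy is scoped there or no sensitive activity."""
    seen = {m["workload"] for m in matches}
    return [w for w in workloads if w not in seen]

def multi_workload_risk(matches):
    """Skill 4 analogue: users with matches on 2+ workloads, tiered by breadth.
    Tier cut-offs are hypothetical assumptions, not the plugin's scoring."""
    per_user = defaultdict(set)
    for m in matches:
        per_user[m["user"]].add(m["workload"])
    tiers = {4: "Critical", 3: "High", 2: "Medium"}
    return {u: tiers.get(min(len(w), 4), "Low") for u, w in per_user.items() if len(w) >= 2}

if __name__ == "__main__":
    print(cross_workload_view(MATCHES, "alice@contoso.com"))
    print({p: classify_override(r) for p, r in override_rates(MATCHES).items()})
    print(coverage_gaps(MATCHES), multi_workload_risk(MATCHES))
```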

arunt14 added 2 commits April 3, 2026 15:20
Add a new KQL-based plugin with 7 advanced DLP analytics skills:

- DLPCrossWorkloadCorrelation: Correlate user DLP violations across
  Exchange, Teams, SharePoint, OneDrive, and Endpoints in one view
- DLPFalsePositiveAnalysis: Identify likely false positives via
  override rate analysis and policy effectiveness metrics
- DLPPolicyCoverageGaps: Detect workloads with missing DLP coverage
- DLPHighRiskUsersAcrossWorkloads: Flag users with multi-workload
  violations and compute risk scores
- DLPAlertTrendAnalysis: Time-series trend analysis for alert spikes
- DLPLabelDowngradeRemoval: Track sensitivity label downgrades and
  removals that may indicate DLP bypass attempts
- DLPPolicyHealthCheck: Comprehensive policy health dashboard with
  match rates, override rates, and effectiveness status

Also updates Microsoft Purview sample prompts with new categories:
- Cross-Workload DLP Correlation
- DLP False Positive Analysis
- DLP Policy Health and Coverage
- Sensitivity Label Compliance

Add dedicated README with Responsible AI compliance:
- Intended audience, uses, and supported Microsoft products
- Limitations and scope documentation
- Prerequisites with Microsoft Learn links
- Step-by-step plugin upload instructions
- Full skills table with parameters
- Sample prompts for each skill
- Comparison table showing complementary coverage with existing plugin
- Update Purview directory readme to reference the new plugin