
DLP Incidents Report

Data Loss Prevention incidents across your Microsoft 365 environment. Track policy matches, sensitive data exposure events, and user override patterns.

Overview

The DLP Incidents Report shows all Data Loss Prevention policy matches and actions across Exchange Online, SharePoint, OneDrive, and Microsoft Teams. Use this report to monitor sensitive data handling, investigate potential data leaks, and refine DLP policies.

Report Columns

Column | Description
------ | -----------
Date | When the DLP match occurred
User | User who triggered the DLP policy
Policy Name | The DLP policy that matched
Rule Name | The specific rule within the policy
Sensitive Info Type | Type of sensitive data detected (SSN, credit card, etc.)
Location | Exchange, SharePoint, OneDrive, or Teams
Action | Block, Notify, Override, or Audit Only
Severity | High, Medium, or Low
Override | Whether the user overrode the policy
False Positive | Whether the match was reported as a false positive

Incident Categories

  • Blocked — Content was prevented from being shared or sent
  • Notified — User was warned but content was allowed
  • User Override — User acknowledged the warning and proceeded
  • Audit Only — Match was logged but no action was taken

Sensitive Information Types

Common sensitive data types detected:

  • Credit card numbers
  • Social Security numbers (SSN)
  • Personal health information (PHI)
  • Financial account numbers
  • Passport numbers
  • Custom sensitive information types

Trend Analysis

  • Incident volume over time — Track whether incidents are increasing or decreasing
  • Top triggered policies — Which policies match most frequently
  • Top users — Users generating the most DLP matches
  • Override rate — How often users override DLP warnings
  • False positive rate — How often matches are legitimate vs. false
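
The override rate and false positive rate above can be recomputed per policy from exported rows to decide which policies need tuning. The following is an added example, not code from this product: it assumes exported rows are keyed by the Report Columns names with Override and False Positive as booleans, counts only Notify and Override actions as warnings shown to the user, and uses hypothetical review thresholds.

```python
from collections import defaultdict

# Constructed sample rows; keys mirror the Report Columns table (export shape assumed).
def _row(policy, action, override=False, fp=False):
    return {"Policy Name": policy, "Action": action, "Override": override, "False Positive": fp}

SAMPLE_ROWS = [
    _row("PCI", "Override", override=True, fp=True),
    _row("PCI", "Override", override=True),
    _row("PCI", "Notify"),
    _row("PCI", "Block"),
    _row("HIPAA", "Audit Only", fp=True),
    _row("HIPAA", "Audit Only", fp=True),
    _row("HIPAA", "Block"),
    _row("GDPR", "Override", override=True, fp=True),
]

# Assumption: only these actions mean the user was shown a warning to override.
WARNED_ACTIONS = {"Notify", "Override"}

def policy_rates(rows):
    """Per policy: matches, override rate (None if no warning was shown), false positive rate."""
    stats = defaultdict(lambda: {"matches": 0, "warned": 0, "overrides": 0, "fps": 0})
    for row in rows:
        s = stats[row["Policy Name"]]
        s["matches"] += 1
        s["warned"] += row["Action"] in WARNED_ACTIONS
        s["overrides"] += bool(row["Override"])
        s["fps"] += bool(row["False Positive"])
    return {
        policy: {
            "matches": s["matches"],
            "override_rate": s["overrides"] / s["warned"] if s["warned"] else None,
            "false_positive_rate": s["fps"] / s["matches"],
        }
        for policy, s in stats.items()
    }

def needs_review(rates, max_override=0.5, max_fp=0.3, min_matches=3):
    """Flag policies over the (hypothetical) thresholds, sorted by policy name."""
    flagged = []
    for policy, r in sorted(rates.items()):
        if r["matches"] < min_matches:
            continue  # too few matches for the rate to mean anything
        if r["override_rate"] is not None and r["override_rate"] > max_override:
            flagged.append((policy, "overrides"))
        if r["false_positive_rate"] > max_fp:
            flagged.append((policy, "false positives"))
    return flagged
```

A high override rate suggests users are routinely clicking through a warning, while a high false positive rate points at a rule or sensitive information type that matches too broadly.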

Filters

  • Date Range — Last 7, 30, 90 days or custom
  • Policy — Filter by specific DLP policy
  • Severity — High, Medium, Low
  • Action — Block, Notify, Override, Audit
  • Location — Exchange, SharePoint, OneDrive, Teams
  • Tenant — Filter by managed tenant

API Reference

  • GET /api/reports/security/dlp-incidents — Get DLP incidents report
  • GET /api/reports/security/dlp-incidents/summary — Get incident summary
  • POST /api/reports/security/dlp-incidents/export — Export report data