42 Resources · 6 Categories · 28 Microsoft Learn · 7 Schema / API refs · 4 Preview resources · 3 Practitioner blogs
Tag key:
- Official: Microsoft Learn / product docs
- Learn: Guided learning path or module
- KB: Support article or known issue
- Schema: Table schema / KQL reference
- API: REST or Graph API reference
- Blog: Microsoft Tech Community or MVP post
- Preview: Feature in public or private preview
Usage note: All links open Microsoft Learn, Microsoft Tech Community, or Microsoft security documentation. Resources marked Preview describe features that may have limited tenant availability, schema changes, or behaviour differences from GA documentation. Validate preview resources against current tenant state before acting on them.
DLP & Alerts — 8 resources
| Tool / Product | Resource Name | Description | Type | Link |
|---|---|---|---|---|
| Microsoft Purview DLP | Get started with DLP — overview | Policy creation, workloads, policy tips, alert lifecycle, and enforcement mode guidance. Start here for any DLP implementation. | Official | learn.microsoft.com → |
| Microsoft Purview DLP | DLP policy reference | Full reference for policy conditions, actions, exceptions, and workload-specific behaviour. Required reading for policy authoring. | Official | learn.microsoft.com → |
| Defender XDR | Investigate DLP alerts in Microsoft Defender XDR | Authoritative guidance confirming Defender XDR as the primary alert investigation surface. DLP alerts correlated with other security events, enriched with evidence, and grouped into incidents. | Official | learn.microsoft.com → |
| Microsoft Purview DLP | DLP alert management dashboard | Alert queue, severity filtering, status management, and bulk operations in the Purview compliance portal. Secondary surface for alert review (primary is Defender XDR). | Official | learn.microsoft.com → |
| Microsoft Purview DLP | Microsoft 365 Copilot DLP policies | How DLP policy location "Microsoft 365 Copilot (preview)" applies to Copilot prompts and responses. Scope and enforcement model. Validate availability in tenant before relying on this control. | Official Preview | learn.microsoft.com → |
| Microsoft Purview DLP | DLP on-premises scanner | Information Protection on-premises scanner for file shares and SharePoint Server. Scans at-rest files, applies sensitivity labels and protection. Distinct from SHIR (Data Map) and from Purview DLP endpoint controls. | Official | learn.microsoft.com → |
| Microsoft Purview DLP | Export DLP policy alerts to SIEM | Streaming DLP alert data via Office 365 Management API or Defender XDR streaming API for SIEM ingestion (Sentinel, Splunk). Covers connector options and schema fields. | Official | learn.microsoft.com → |
| Microsoft Purview DLP | DLP — known issues and limitations | Documented product limitations, known false-positive patterns, and feature gaps by workload. Review before audit baseline commitments. | KB | learn.microsoft.com → |
Reporting & SIEM — 9 resources
| Tool / Product | Resource Name | Description | Type | Link |
|---|---|---|---|---|
| Microsoft Sentinel | Microsoft Sentinel overview | Cloud-native SIEM and SOAR platform. Ingestion, analytics rules, incidents, workbooks, and automation playbooks. Starting point for Sentinel architecture. | Official | learn.microsoft.com → |
| Microsoft Sentinel | Connect Microsoft Defender XDR to Sentinel | Native connector configuration, incident sync, bi-directional status updates, and alert schema mapping. Covers DLP alert flow from Defender XDR into Sentinel workspace. | Official | learn.microsoft.com → |
| Microsoft Sentinel | Sentinel cost management and data ingestion | Commitment tiers, pay-as-you-go pricing, free data sources, ingestion cost estimation, and cost-reduction patterns. Essential before Sentinel workspace sizing decisions. | Official | learn.microsoft.com → |
| Microsoft Sentinel | DataSecurityEvents schema reference | Advanced Hunting table schema for Purview DLP events in Defender XDR / Sentinel. Fields, data types, retention, and known limitations. Validate against tenant state — preview behaviour varies. | Schema Preview | learn.microsoft.com → |
| Defender XDR | Advanced Hunting overview | KQL-based threat hunting across Defender XDR telemetry. 30-day retention window. Tables, schema browser, and query limits. Primary enrichment surface for DLP event investigation. | Official | learn.microsoft.com → |
| Log Analytics / KQL | KQL quick reference | Core KQL operators, functions, and patterns for Log Analytics and Sentinel. Covers summarize, join, project, extend, and time-series functions used in DLP dashboards. | Official | learn.microsoft.com → |
| Power BI | Connect Power BI to Log Analytics | Direct query and import mode from Log Analytics / Sentinel workspaces into Power BI. Covers query building, refresh scheduling, and row-level security for security dashboards. | Official | learn.microsoft.com → |
| Splunk | Splunk Add-on for Microsoft Security | Official Splunk add-on for ingesting Microsoft Defender XDR, Sentinel, and M365 security events. Field extractions, index-time transforms, and recommended source types. | Official | splunkbase.splunk.com → |
| Purview Audit | Search the unified audit log | UAL query interface, retention limits by license, exportable record types, and known gaps. Key reference for understanding what UAL can and cannot prove in a compliance audit. | Official | learn.microsoft.com → |
Labeling & Classification — 7 resources
| Tool / Product | Resource Name | Description | Type | Link |
|---|---|---|---|---|
| Microsoft Purview MIP | Learn about sensitivity labels | Label taxonomy, scopes, encryption settings, content marking, auto-labeling, and co-authoring. Foundational reference for label schema design. | Official | learn.microsoft.com → |
| Microsoft Purview MIP | Auto-labeling policies for sensitivity labels | Simulation mode, auto-labeling conditions, trainable classifiers, SITs, and deployment sequence. Covers Exchange, SharePoint, OneDrive, and Teams workloads. | Official | learn.microsoft.com → |
| Microsoft Purview MIP | Sensitivity label encryption — configuration options | Rights Management encryption settings, user and group permissions, offline access, expiry, and double-key encryption. Covers the encryption model that makes labels more than metadata-only. | Official | learn.microsoft.com → |
| Microsoft Purview | Trainable classifiers — learn about | Pre-trained and custom trainable classifiers. How to seed, train, test, and publish. When to use classifiers vs SITs vs exact data match. Key for financial services classification scenarios. | Official | learn.microsoft.com → |
| Microsoft Purview | Sensitive information types entity definitions | Full catalogue of built-in SITs with confidence levels, pattern definitions, character proximity, and primary/supporting elements. Use to understand false-positive risk per SIT. | Schema | learn.microsoft.com → |
| Microsoft Purview MIP | Label analytics and activity explorer | Label activity data in Purview Activity Explorer — labeling events, label changes, and user actions. Covers retention and filtering. Use for KPI measurement and labeling trend reporting. | Official | learn.microsoft.com → |
| Microsoft Purview MIP | Known issues — sensitivity labels | Documented compatibility issues, co-authoring limitations, encryption edge cases, and workload-specific labeling gaps. Review before label enforcement commitments. | KB | learn.microsoft.com → |
Copilot & DSPM — 7 resources
| Tool / Product | Resource Name | Description | Type | Link |
|---|---|---|---|---|
| Microsoft Purview DSPM | Data Security Posture Management overview | DSPM for AI: risk visibility, recommendations, activity explorer, and data posture insights for Microsoft 365 Copilot. Starting reference for DSPM control design. | Official | learn.microsoft.com → |
| Microsoft 365 Copilot | Data protection and privacy in Copilot | How Copilot respects existing permissions, does not bypass labels, and how overshared or overly-permissive content creates discovery risk. Correct model for Copilot security documentation. | Official | learn.microsoft.com → |
| Microsoft 365 Copilot | Copilot interactions and Microsoft Purview | How Copilot interaction data is available for audit, compliance, and DLP policy enforcement. Covers audit log records, retention policies, and compliance boundaries for Copilot prompts and responses. | Official | learn.microsoft.com → |
| Microsoft Purview DSPM | Oversharing assessment in DSPM for AI | DSPM recommendations for identifying overshared content, sites with broad access, and sensitivity label coverage gaps. Actionable remediation guidance for permissions hygiene before Copilot rollout. | Official | learn.microsoft.com → |
| Microsoft Purview | Protect and govern data for AI apps | Layered control guidance: sensitivity labels, DLP for Copilot, DSPM for AI, permissions hygiene. Describes the correct defence-in-depth model for M365 Copilot deployments. | Official | learn.microsoft.com → |
| Microsoft Purview DSPM | DSPM for AI — activity explorer | Copilot interaction events in Activity Explorer. Query and filter AI activity, sensitive content interactions, and policy tip events. Use for KPI measurement and trend analysis. | Official Preview | learn.microsoft.com → |
| Microsoft Tech Community | Copilot for Microsoft 365 — permissions and data access explained | Practitioner post clarifying the permission-respect model and the oversharing risk pattern. Useful for stakeholder briefings and correcting common misconceptions about Copilot data access. | Blog | techcommunity.microsoft.com → |
Data Governance & Lifecycle — 5 resources
| Tool / Product | Resource Name | Description | Type | Link |
|---|---|---|---|---|
| Microsoft Purview Data Map | Data Map — concepts and architecture | Unified data map for hybrid and multi-cloud data estate. Scan, classify, and catalog. Covers sources, managed attributes, glossary, and lineage. Foundation for data estate visibility. | Official | learn.microsoft.com → |
| Microsoft Purview | Microsoft Purview Data Lifecycle Management | Retention policies, retention labels, disposition reviews, and records management. Covers M365, SharePoint, Exchange, and Teams. Required for data lifecycle KPI design. | Official | learn.microsoft.com → |
| Microsoft Purview | Records management overview | File plan, regulatory records, event-based retention, and disposition workflow. Covers the distinction between retention policies and records declarations relevant to financial services compliance. | Official | learn.microsoft.com → |
| Microsoft Purview | Content explorer — data classification | Browse and filter classified content across M365. Shows sensitive information type hits, label coverage, and location breakdown. Primary tool for data estate visibility and coverage measurement. | Official | learn.microsoft.com → |
| Microsoft Purview | Data catalog — governance overview | Unified governance portal for data estate discovery, access policy management, and business glossary. Covers the unified Purview portal that consolidates compliance and data governance. | Official | learn.microsoft.com → |
On-Premises & Scanning — 6 resources
Three distinct components: (1) Self-Hosted Integration Runtime (SHIR) — connects on-premises data sources to the Purview Data Map for scanning, cataloguing, and classification metadata. (2) Microsoft Purview Information Protection on-premises scanner — scans file shares and SharePoint Server for at-rest sensitive content, applies sensitivity labels, encrypts, and enforces protection actions. (3) Purview DLP on-premises — monitors and enforces DLP policies on at-rest repositories via the on-premises scanner infrastructure. These are not interchangeable.
| Tool / Product | Resource Name | Description | Type | Link |
|---|---|---|---|---|
| Purview Data Map — SHIR | Self-hosted integration runtime — overview | SHIR installation, registration, network requirements, and supported sources. Used exclusively for Purview Data Map scanning — not for DLP enforcement or sensitivity label application. | Official | learn.microsoft.com → |
| Purview IP On-Prem Scanner | Information Protection on-premises scanner — deploy | Install, configure, and run the Information Protection scanner on Windows Server. Covers service account, profile, discovery scan, and enforcement (protect) scan sequence. | Official | learn.microsoft.com → |
| Purview DLP On-Premises | DLP on-premises scanner — get started | Get started with Purview DLP policy enforcement on on-premises file repositories. Prerequisites, configuration, supported actions (alert, quarantine, restrict), and audit output. | Official | learn.microsoft.com → |
| Purview IP On-Prem Scanner | Information Protection scanner — supported file types | Supported file type list, inspection depth per type, and known limitations. Use to identify coverage gaps for file-share scanning and to communicate scanner scope in audit documentation. | Schema | learn.microsoft.com → |
| Microsoft Purview Data Map | Supported sources — on-premises and IaaS | Full list of on-premises source types scannable by Purview Data Map via SHIR: SQL Server, file shares, SAP, Oracle, and others. Scope reference for data estate discovery planning. | Official | learn.microsoft.com → |
| Purview IP On-Prem Scanner | Information Protection scanner — network requirements | Required endpoints, ports, proxy configuration, and certificate requirements for the on-premises scanner. Use during infrastructure readiness review and network design sign-off. | Official | learn.microsoft.com → |
Keeping this library current: Microsoft Learn documentation URLs are subject to change during platform consolidation. If a link returns 404, search the resource name on learn.microsoft.com/en-us/purview or learn.microsoft.com/en-us/defender-xdr. Resources marked Preview are especially subject to documentation restructuring as features reach GA.