How to Report DLP Alerts

Use the Graph API to Report Information about DLP Alerts

MC1169572 (10 October 2025, Microsoft 365 roadmap item 511795) announced a new ability for administrators to add classifications to DLP alerts. The update should now be available in all tenants.

DLP signals alerts when policy rules detect a violation. The update allows administrators to note if the alert is a false positive, true positive, or benign positive (one that you don’t need to worry about) when reviewing the status of alerts (Figure 1). Although I could update the classifier for DLP alerts, any attempt to update the comments for an alert through the UX failed.

Figure 1: Adding a classifier to a DLP alert

Alerts generated for DLP events are synchronized bi-directionally with Defender.

Tenants don’t have to classify alerts, but MC1169572 says that tenants can “use the classification property to enhance reporting and incident response.” That raises the question of how to report DLP alerts.

The Graph Alert Resource Type

The answer is that alert data is available through the alert resource type from the Graph Security API. For example, this Graph request against the alerts_v2 endpoint filters on the serviceSource property to find the set of DLP alerts. We can see the classification entered for the alert.

$Uri = "https://graph.microsoft.com/v1.0/security/alerts_v2?`$filter=serviceSource eq 'DataLossPrevention'&`$orderby=createdDateTime desc&`$top=200"
[array]$Alerts = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
$Alerts = $Alerts.Value

$Alerts | Format-Table ServiceSource, CreatedDateTime, Title, Classification

serviceSource      createdDateTime     title                               classification
-------------      ---------------     -----                               --------------
dataLossPrevention 11/12/2025 14:41:47 DLP-Block Confidential Documents    truePositive
dataLossPrevention 20/11/2025 01:33:40 DLP-DLP Policy for Sensitive Data 1
dataLossPrevention 20/11/2025 01:27:41 DLP-DLP Policy for Sensitive Data 1
dataLossPrevention 20/11/2025 01:26:09 DLP-DLP Policy for Sensitive Data 1

The Alerts resource caters for alerts generated by many other solutions, including Defender for Identity, Defender for Cloud Apps, Defender for Office 365, App governance, threat intelligence, and so on.
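The request above retrieves a single page of results: $top sets the page size, and Graph returns any remaining alerts only through the @odata.nextLink URL included in each response. The following helper (an added example, not code from the original post) follows that link until it is absent. It assumes Connect-MgGraph has already established a session with the SecurityAlert.Read.All scope.

```powershell
# Added example (not from the original post): page through every DLP alert that the
# alerts_v2 query returns instead of stopping after the first page.
# Assumes Connect-MgGraph has already run with the SecurityAlert.Read.All scope.
function Get-DlpAlertPages {
    param(
        [string]$ServiceSource = 'dataLossPrevention',
        [int]$PageSize = 200
    )
    $Uri = "https://graph.microsoft.com/v1.0/security/alerts_v2?`$filter=serviceSource eq '$ServiceSource'&`$orderby=createdDateTime desc&`$top=$PageSize"
    $Alerts = [System.Collections.Generic.List[Object]]::new()
    $Pages = 0
    do {
        $Response = Invoke-MgGraphRequest -Method GET -Uri $Uri -OutputType PSObject
        if ($Response.value) { $Alerts.AddRange([object[]]$Response.value) }
        $Pages++
        # Graph hands back the full URL of the next page; the loop ends when there is none
        $Uri = $Response.'@odata.nextLink'
    } while ($Uri)
    Write-Verbose "Retrieved $($Alerts.Count) DLP alerts across $Pages page(s)"
    return $Alerts
}

[array]$DLPAlerts = Get-DlpAlertPages -Verbose
$DLPAlerts | Format-Table serviceSource, createdDateTime, title, classification
```

Get-MgSecurityAlertV2 with -All (used in the next section) performs the same paging internally; the helper matters only when you call the endpoint directly.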

Working with DLP Alerts via the Microsoft Graph PowerShell SDK

Graph API requests can also be made through Microsoft Graph PowerShell SDK cmdlets. In this case, the Get-MgSecurityAlertV2 cmdlet (from the Microsoft.Graph.Security module) does the same job as the request discussed above.

Before attempting to work with security alerts, make sure that the signed-in account holds the security administrator role and that the delegated SecurityAlert.Read.All permission (scope) is available:

[array]$DLPAlerts = Get-MgSecurityAlertV2 -Filter "serviceSource eq 'dataLossPrevention'" -PageSize 500 -All -Sort "CreatedDateTime Desc"

$DLPAlerts | Format-Table ServiceSource, CreatedDateTime, Title, Classification

ServiceSource      CreatedDateTime     Title                               Classification
-------------      ---------------     -----                               --------------
dataLossPrevention 11/12/2025 14:41:47 DLP-Block Confidential Documents    truePositive
dataLossPrevention 20/11/2025 01:33:40 DLP-DLP Policy for Sensitive Data 1
dataLossPrevention 20/11/2025 01:27:41 DLP-DLP Policy for Sensitive Data 1
dataLossPrevention 20/11/2025 01:26:09 DLP-DLP Policy for Sensitive Data 1

Note: after updating an alert with a classification, it takes a few seconds before the update appears in the alert record available through the Graph.

Updating a DLP Alert with PowerShell

It’s also possible to set a classification for an alert with the Update-MgSecurityAlertV2 cmdlet. In this example, a hash table holds several properties as input to update an alert, including the classification.

$AlertId = $DLPAlerts[1].Id
$Parameters = @{}
$Parameters.Add("determination", "other")
$Parameters.Add("status", "inProgress")
$Parameters.Add("assignedTo", "Hans.Geering@office365itpros.com")
$Parameters.Add("classification", "truePositive")
Update-MgSecurityAlertV2 -AlertId $AlertId -BodyParameter $Parameters

Reporting DLP Alerts

Once we know how to retrieve DLP alerts, it’s easy to create a basic report. Figure 2 shows the result:

$Report = [System.Collections.Generic.List[Object]]::new()
ForEach ($Alert in $DLPAlerts) {
    # Alerts that have never been updated have no LastUpdateDateTime value
    If ($Alert.LastUpdateDateTime) {
        $LastUpdated = Get-Date $Alert.LastUpdateDateTime -Format 'dd-MMM-yyyy HH:mm'
    } Else {
        $LastUpdated = "N/A"
    }
    $ReportLine = [PSCustomObject][Ordered]@{
        Id                  = $Alert.Id
        Title               = $Alert.Title
        CreatedDateTime     = Get-Date $Alert.CreatedDateTime -Format 'dd-MMM-yyyy HH:mm'
        Severity            = $Alert.Severity
        Status              = $Alert.Status
        Category            = $Alert.Category
        AssignedTo          = $Alert.AssignedTo
        LastUpdateDateTime  = $LastUpdated
        Classification      = $Alert.Classification
    }
    $Report.Add($ReportLine)
}
Figure 2: Reporting DLP Alerts
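A per-alert listing is the starting point; the classification property pays off when the alerts are rolled up by policy so that noisy rules and untriaged alerts stand out. The code below is an added example, not from the original post. The alerts it works on are constructed sample objects shaped like Get-MgSecurityAlertV2 output; in practice, pass the $DLPAlerts array retrieved above. The seven-day threshold is a hypothetical triage target.

```powershell
# Added example (not from the original post): summarise DLP alerts by policy and
# classification. The sample alerts are constructed; replace them with $DLPAlerts.
$Now = Get-Date
$SampleAlerts = @(
    [PSCustomObject]@{ Title = 'DLP-Block Confidential Documents';    Classification = 'truePositive';  CreatedDateTime = $Now.AddDays(-2) }
    [PSCustomObject]@{ Title = 'DLP-Block Confidential Documents';    Classification = 'falsePositive'; CreatedDateTime = $Now.AddDays(-5) }
    [PSCustomObject]@{ Title = 'DLP-Block Confidential Documents';    Classification = 'falsePositive'; CreatedDateTime = $Now.AddDays(-6) }
    [PSCustomObject]@{ Title = 'DLP-DLP Policy for Sensitive Data 1'; Classification = $null;           CreatedDateTime = $Now.AddDays(-10) }
    [PSCustomObject]@{ Title = 'DLP-DLP Policy for Sensitive Data 1'; Classification = 'unknown';       CreatedDateTime = $Now.AddDays(-1) }
)

function Get-DlpClassificationSummary {
    param(
        [Parameter(Mandatory)][object[]]$Alerts,
        [int]$StaleAfterDays = 7   # hypothetical triage target: older untriaged alerts are flagged
    )
    $Cutoff = (Get-Date).AddDays(-$StaleAfterDays)
    foreach ($Group in ($Alerts | Group-Object Title)) {
        $Items = $Group.Group
        # An alert nobody has classified comes back empty (as in the output above) or as
        # 'unknown'; both are treated as untriaged rather than as a classification.
        $Untriaged  = @($Items | Where-Object { -not $_.Classification -or $_.Classification -eq 'unknown' })
        $TruePos    = @($Items | Where-Object Classification -eq 'truePositive').Count
        $FalsePos   = @($Items | Where-Object Classification -eq 'falsePositive').Count
        $Classified = $Items.Count - $Untriaged.Count
        # Share of false positives among classified alerts; a high value points at a rule that needs tuning
        if ($Classified -gt 0) { $FpRate = [math]::Round($FalsePos / $Classified, 2) } else { $FpRate = $null }
        [PSCustomObject][Ordered]@{
            Policy            = $Group.Name
            Alerts            = $Items.Count
            TruePositive      = $TruePos
            FalsePositive     = $FalsePos
            OtherClassified   = $Classified - $TruePos - $FalsePos
            Untriaged         = $Untriaged.Count
            FalsePositiveRate = $FpRate
            StaleUntriaged    = @($Untriaged | Where-Object { $_.CreatedDateTime -lt $Cutoff }).Count
        }
    }
}

Get-DlpClassificationSummary -Alerts $SampleAlerts | Format-Table -AutoSize
```

With the sample data, the first policy shows two false positives against one true positive (rate 0.67) and the second shows two untriaged alerts, one of them past the threshold.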

I hate seeing something in a message center notification that I can’t quite figure out how to do. I’ve never really thought about working with DLP alerts through PowerShell in the past, but I’m glad that the addition of administrator-controlled classifications to DLP alerts prompted me to check out how to report this information.
