Real World Solutions – The Case of DLP Event Tracking

the case if

In one of my projects, the customer is planning on using Office 365 DLP.  However, they have a third party company who manages the front-line investigation for violations.  The customer needs a way to allow a non-employee enough access to do their initial discovery and track it.

The first attempt was to use the out-of-box alerts in the Security & Compliance center.


There were a few challenges with this feature – the main one being no appearant way to restrict access to the DLP event only.  The other was no way to input comments or use this as a tracking system.

It got me thinking (or as we say in consulting doing ideation) on how to solve this. One good solution for tracking things is SharePoint.  So, we need a way to get the alert information (either in email, or through the event API) to SharePoint.  Not wanting to create a whole application to make this work – there must be a way for a power-user to wire up applications.  And of course, there is – Microsoft Flow.  Microsoft Flow is a cloud-based service that makes it practical and simple for line-of-business users to build workflows that automate time-consuming business tasks and processes across applications and services. It’s comparible to a service like IFTTT (If This Then That), but tightly integrated with Office 365.

With Flow being the glue – the overall solution is:

  1. Configure the DLP policy to send notifications to a mailbox
  2. Create a custom SharePoint list to track DLP events
  3. Configure Flow to populate the list with the DLP event information from email

Now I’ll walk through each step to understand the configuration.

Configuring the DLP Policy

The first step is to configure your DLP rule to send a notification email to a mailbox. In this example, in the Security & Compliance Center, I edited an existing DLP policy.

DLP notification

Note you can control the information that is included if you do not want some content to be in the alert.

Configure SharePoint

Next, we’ll configure the SharePoint list.  Again, I’m assuming you have basic knowledge of creating a SharePoint teamsite.  For our example, I only added a ‘status’ field – which is a choice of open, investigating, resolved, and closed.  I could see adding fields for comments, or more date fields for tracking time to resolution.  The point here is we’ll be able to pre-populate some of the field using flow. Additonally, you can setup the security and permissions for your analysts.

sharepoint list settings

Configure Flow

On the newly created list, click the ‘Flow’ button to create a new flow. I find it easiest to choose ‘See your flows’.  From the Manage your flows page, you can ‘create from blank’.

flow button

From there click on ‘search hundreds of connectors and triggers’.

I’ll break down the flow in to its parts.

  1. When new mail arrives (Outlook).  Ensure you change the Has Attachments and Include Attachments to ‘Yes’.

when new email arrives

2. Export email.  You would think we would be able to use the attachments flow functionality out of the box.  However, the item that is attached to the system generated notification is an embedded message (NOT an eml).  The attachment connector does not currently know how to parse this – so the workaround is to use the preview Export email feature.

export email

3. Create Item (SharePoint).  This step creates the list item in the custom list we defined.  It will recognize any custom properties you created – in this case ‘Status Value’.  I set the new list item to ‘Open’ by default.  You can also see in the Title property – we can combine functions with text as well.  For example, the utcNow() function could be used to set a date property…or you could set an SLA and calculate the estimated time for closure.

create item

4. Add Attachment (SharePoint)

The final step is adding the email attachment to the list item’s attachment.  The key is the File Content field – make sure you choose the Body from the Export flow.

add attachment

We need to include the Body coming from the Export Email, not the body coming from the new email trigger.

export body

Thats it, the next time the notification mailbox recieves an email, the Flow will tigger.

The Results

You can see in the screenshot someone sent an email with a DLP violation.  This results in a new item in my SharePoint list, with the status set to open, and the original attachment is included on the list item.


I’m excited that we’re able to solve this for the customer – this is a really elegant, and relatively easy solution that didn’t require custom code.