Query Details

MS Teams DLP Playbook

Query

// MS Teams DLP Playbook
// https://www.linkedin.com/posts/activity-7196076361977847808-JGST/

// The document linked in the post (Teams DLP Playbook 2024.pdf) gives an overview of how enterprise customers can deploy Microsoft Teams DLP to protect sensitive information.

// Used as a Defender custom detection, the KQL below surfaces Teams DLP rule matches in near real time:

CloudAppEvents
| where Application == "Microsoft Teams"
| where ActionType contains "DlpRuleMatch"

Explanation

This KQL query detects when Data Loss Prevention (DLP) rules are triggered in Microsoft Teams. In short:

  1. Source: The query reads the CloudAppEvents table, which holds activity events from cloud applications.
  2. Filter by Application: It keeps only events whose Application is Microsoft Teams.
  3. Filter by Action: It narrows those down to events whose ActionType records a DLP rule match.

In essence, the query lets you monitor and identify instances where a DLP policy fired on Teams content (a chat message, channel post or shared file), indicating that sensitive information was handled in a way the policy flags.
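To turn the query into a Defender custom detection rule, the result set must carry a Timestamp, a ReportId and at least one entity column such as AccountObjectId, otherwise the rule cannot be saved. The following extension is an added example and is not part of the original query or the playbook; the PolicyDetails path inside RawEventData is assumed from the Office 365 DlpRuleMatch audit record layout and should be checked against a real event in your tenant before relying on it:

```kql
// Added example: Teams DLP matches shaped for a Defender custom detection.
// Assumption: RawEventData.PolicyDetails[0].PolicyName / .Rules[0].RuleName
// follow the Office 365 audit record schema for DlpRuleMatch events.
CloudAppEvents
| where Timestamp > ago(1h)                     // custom detections run on a schedule; bound the window
| where Application == "Microsoft Teams"
| where ActionType contains "DlpRuleMatch"
| extend PolicyName = tostring(RawEventData.PolicyDetails[0].PolicyName),
         RuleName   = tostring(RawEventData.PolicyDetails[0].Rules[0].RuleName)
| project Timestamp,            // required by custom detections
          ReportId,             // required by custom detections
          AccountObjectId,      // entity column the alert is pivoted on
          AccountDisplayName,
          IPAddress,
          ActionType,
          PolicyName,
          RuleName,
          ObjectName
```

When testing the rule in advanced hunting first, widen the time window and drop the project line to inspect the full RawEventData; if PolicyName comes back empty, the field path differs in your tenant and the extend clause needs adjusting rather than the filters.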

Details

Steven Lim

Released: August 2, 2024

Tables

CloudAppEvents

Keywords

CloudAppEvents, Microsoft Teams, DlpRuleMatch

Operators

==, contains, |