Purview DLP Teams Alert Info
Query
let alert_id = "<<<>>>";
let query_period = 1d;
let internet_message_ids = toscalar(
AlertEvidence
| where Timestamp > ago(query_period)
| where AlertId == strcat("dl", alert_id) and EntityType == "MailMessage"
| extend AdditionalFields = todynamic(AdditionalFields)
| summarize make_set(AdditionalFields["InternetMessageId"])// Unix Time
);
CloudAppEvents
| where Timestamp > ago(query_period)
| where ActionType in ("AlertTriggered", "AlertUpdated") and tostring(RawEventData["AlertId"]) == alert_id
| summarize arg_max(Timestamp, *)
| extend
AlertId = tostring(RawEventData["AlertId"]),
Data = todynamic(tostring(RawEventData["Data"]))
| extend
UserPrincipalName = tolower(tostring(Data["f3u"])),
Severity = tostring(Data["sev"]),
Workload = tostring(Data["wl"]),
SensitiveInformationContentType = split(tostring(Data["sict"]), ";"),
SensitiveInformationTypeMatchInfo = split(tostring(Data["sitmi"]), ";"),
PolicyId = tostring(Data["dpid"]),
PolicyName = tostring(Data["dpn"]),
RuleId = tostring(Data["drid"]),
RuleName = tostring(Data["drn"]),
ProtectionActions = split(tostring(Data["dact"]), ", "),
SenderFromAddress = tostring(Data["mfrm"]),
RecipientEmailAddress = split(tostring(Data["to"]), ",")
| where Workload == "MicrosoftTeams" and tostring(RawEventData["Category"]) == "DataLossPrevention"
| project
Timestamp,
Application,
ActionType,
AlertId,
UserPrincipalName,
Severity,
Workload,
SensitiveInformationContentType,
SensitiveInformationTypeMatchInfo,
PolicyId,
PolicyName,
RuleId,
RuleName,
ProtectionActions,
SenderFromAddress,
RecipientEmailAddress,
AlertTriggered_RawEventData = RawEventData,
AlertTriggered_ReportId = ReportId,
InternetMessageIds = internet_message_ids// Unix TimeExplanation
This KQL query is designed to analyze and extract specific information related to alerts, particularly focusing on data loss prevention (DLP) events in Microsoft Teams. Here's a simplified breakdown of what the query does:
-
Define Variables:
alert_id: A placeholder for a specific alert identifier.query_period: Sets the time frame for the query to the last day (1 day).
-
Extract Internet Message IDs:
- The query first looks into the
AlertEvidencetable to find all Internet Message IDs associated with a specific alert (alert_id) and entity type "MailMessage" within the last day. These IDs are collected into a set.
- The query first looks into the
-
Filter Cloud App Events:
- The query then examines the
CloudAppEventstable for events that occurred in the last day. - It filters for events where the action type is either "AlertTriggered" or "AlertUpdated" and matches the specified
alert_id.
- The query then examines the
-
Extract and Transform Data:
- For the filtered events, it extracts and transforms various fields from the raw event data, such as user information, severity, workload, policy details, and email addresses.
- It specifically focuses on events related to Microsoft Teams and categorized as "DataLossPrevention."
-
Project Relevant Information:
- Finally, the query selects and presents a set of relevant fields, including timestamps, user details, policy and rule information, and email addresses.
- It also includes the previously extracted Internet Message IDs.
In summary, this query is used to gather detailed information about DLP-related alerts in Microsoft Teams, focusing on specific alert IDs and extracting relevant data for further analysis.
Details

Jose Sebastián Canós
Released: May 7, 2025
Tables
AlertEvidenceCloudAppEvents
Keywords
AlertEvidenceMailMessageCloudAppEventsActionTypeRawEventDataUserPrincipalNameSeverityWorkloadSensitiveInformationContentMatchInfoPolicyIdRuleProtectionActionsSenderFromAddressRecipientEmailLossPreventionApplicationTriggeredReportInternetIds
Operators
lettoscalarwhereagostrcatextendtodynamicsummarizemake_setintostringarg_maxtolowersplitproject