Add DLP activities / alerts to MCAS

Occasional Contributor

Hi @ *,


we started to use O365 DLP in the SCC and it's working great. For every "rule detection" we get a detailed report in our team mailbox.


Now, we want to include DLP policy matches in our incident management. We'd like to use ArcSight to connect to MCAS and getting all information about O365 DLP (SIEM). I played around, but I can only find one OCAS activity policy that generates alerts in my SCC dashboard (only that a DLP policy match was found). I don't get any additional information (name of policy, recipient, subject etc.).


More details would be awesome! Examples: If a user reports a false positive; Severity is high; which DLP policy was triggered... etc. => events, that MCAS should report so that I can pick it up with ArcSight (and finally, it creates only incidents that I want based on respective filters).


Is something planned like this and do you have more details? Or, maybe it is already available or something similar?


Thanks & have a nice weekend,


1 Reply

Hi@MartinZoller ,

We are planning to add more information in the future, I dont have an ETA to share but once its available we'll announce it in our release notes.