Use these procedures to roll out the Microsoft Purview Triage Agent in Data Loss Prevention (DLP) (preview).
The Purview Triage Agent in DLP only triages alerts from policies that are scoped to the Exchange, Teams, OneDrive, SharePoint, and Devices (Endpoint) locations.
Before you begin
If you're new to Microsoft Security Copilot Agent in Microsoft Purview, read this article.
SKU/subscriptions and licensing
This agent requires both the standard per seat licensing model and the pay-as-you-go billing model. Your organization must be licensed for:
- Microsoft Purview Data Loss Prevention (Purview DLP) to use the Purview DLP triage agent.
The agent consumes security compute units (SCUs) as it performs its tasks. You must have SCUs provisioned for the triage agent to work. The number of SCUs consumed depends on the number and type of alerts that are processed. For more information about SCUs, see Security compute units (SCUs). You can track your SCU consumption in the usage monitoring tool. For more information about onboarding into Microsoft Security Copilot, see Get started with Microsoft Security Copilot.
For information on licensing, see
Permissions and Roles
There are different permissions and roles needed to perform different functions with the agent. For more information, see Permissions in the Microsoft Purview portal, and Roles and role groups in the Microsoft Purview portals.
Important
The agent runs in the security context of the last user that saved the agent configuration. This authentication is good for 90 days. After 90 days, the agent will stop running until the configuration is manually saved again.
Permissions for enabling the Purview DLP agent
The account you use to enable and manage the Purview DLP agent must have all of these roles:
- Information Protection Analyst OR Information Protection Investigator (Role group: Compliance Administrator OR Compliance Data Administrator OR Data Security Management OR Information Protection OR Information Protection Analysts OR Information Protection Investigators)
- Purview Content Analyst (Role group: Purview Agent Management)
- Data Classification Content Download (Role group: Data Security Management OR Information Protection OR Information Protection Investigators) - needed for endpoint/devices DLP alerts
- Security Copilot Contributor (Managed in Security Copilot)
Permissions for customizing and configuring the Purview DLP agent
The account you use to customize and configure the Purview DLP agent must have all of these roles:
- Purview Agent analysis (Role group: Information Protection Analysts OR Information Protection Investigators OR Information Protection OR Compliance Administrator OR Data Security Management)
- Data Classification Content Download (Role group: Data Security Management OR Information Protection OR Information Protection Investigators) - needed for endpoint/devices DLP alerts
- Security Copilot Contributor (Managed in Security Copilot)
Permissions for viewing triaged Purview DLP alerts
The account that you use to view the Purview DLP triage agent alert activity must be able to access Purview DLP alerts, which the following roles grant:
- Purview Agent analysis (Role group: Information Protection Analysts OR Information Protection Investigators OR Information Protection OR Compliance Administrator OR Data Security Management)
- Data Classification Content Download (Role group: Data Security Management OR Information Protection OR Information Protection Investigators) - needed for endpoint/devices DLP alerts
- Optional - Security Copilot Contributor (Managed in Security Copilot)
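Because the agent later runs in the security context of whoever last saved its configuration, it's worth confirming up front that the account you intend to use actually holds the role groups listed above. The following Security & Compliance PowerShell script is an added example, not part of the Microsoft documentation. It assumes the ExchangeOnlineManagement module (Connect-IPPSSession, Get-RoleGroupMember), that Get-RoleGroupMember output carries a PrimarySmtpAddress property to match the account on, and that the role-group names are exactly those listed in this section; the sample account address is constructed. Security Copilot Contributor is assigned in Security Copilot itself and can't be checked from this session.

```powershell
# Added example (not Microsoft's code): pre-flight check that an account is a member of
# at least one role group from each required set for enabling and managing the DLP triage agent.
# Requires the ExchangeOnlineManagement module and a Security & Compliance session:
#   Connect-IPPSSession
# Assumptions: role-group names are the ones listed on the page; Get-RoleGroupMember
# returns objects with a PrimarySmtpAddress property, which is used to match the account.

$Upn = 'dlp-admin@contoso.example'   # constructed sample account; replace with a real UPN

# Requirement -> role groups, any one of which satisfies it.
$Requirements = [ordered]@{
  'Information Protection Analyst or Investigator' = @(
    'Compliance Administrator', 'Compliance Data Administrator', 'Data Security Management',
    'Information Protection', 'Information Protection Analysts', 'Information Protection Investigators')
  'Purview Content Analyst'                         = @('Purview Agent Management')
  'Data Classification Content Download (endpoint)' = @(
    'Data Security Management', 'Information Protection', 'Information Protection Investigators')
}

function Test-TriageAgentRoleGroups {
  param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [Parameter(Mandatory)] [System.Collections.IDictionary] $Requirements
  )
  # Cache members per role group so each group is queried once, even if it appears in several sets.
  $members = @{}
  foreach ($req in $Requirements.Keys) {
    $via = foreach ($group in $Requirements[$req]) {
      if (-not $members.ContainsKey($group)) {
        $members[$group] = @(Get-RoleGroupMember -Identity $group -ErrorAction SilentlyContinue)
      }
      if ($members[$group] | Where-Object { $_.PrimarySmtpAddress -eq $UserPrincipalName }) { $group }
    }
    [pscustomobject]@{
      Requirement = $req
      Satisfied   = [bool]$via
      Via         = ($via -join ', ')
    }
  }
}

$report = Test-TriageAgentRoleGroups -UserPrincipalName $Upn -Requirements $Requirements
$report | Format-Table -AutoSize

# Fail loudly if anything is missing; otherwise the gap only surfaces when you try to enable
# or run the agent, or when its 90-day credential window silently expires under the wrong account.
$missing = $report | Where-Object { -not $_.Satisfied }
if ($missing) {
  Write-Warning ("{0} lacks: {1}" -f $Upn, ($missing.Requirement -join '; '))
}
```

Run it once for the account that will save the agent configuration, and again whenever that account changes, since a reassignment is what silently moves the agent's 90-day authentication window to a different identity.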
Deployment and configuration roadmap
Implementing the Microsoft Purview agents involves several phases:
Infrastructure prerequisites
Microsoft Purview triage agent in DLP runs on Microsoft Security Copilot.
- Your tenant must be onboarded to Microsoft Security Copilot. For more information on how to onboard, see Get started with Microsoft Security Copilot.
- You must enable Microsoft 365 data sharing in Security Copilot. For more information, see Accessing data from Microsoft 365 services.
- You must enable the Microsoft Purview plug-in in Microsoft Security Copilot. For more information, see Enable the Microsoft Purview source in Microsoft Security Copilot.
Enabling the agent
This procedure is for organizations that haven't enabled any of the Microsoft Purview agents, or that have removed agents and want to enable them again. Once you enable the agents, they're available for use in Microsoft Purview. There can be only one instance of each agent in a tenant. This procedure works for the Triage Agent in Purview.
- Sign in to the Microsoft Purview portal with an account that has the required permissions.
- In the left hand navigation pane, select Agents.
- Select Explore agents.
- Select the agent that you want to enable and select Add. This opens a page that shows the requirements to enable the agent.
- Select Setup. This opens the Deploy agent global configuration page. You can:
- Choose Run automatically based on a set schedule. If you don't choose this option, you must run the agent manually, one alert at a time. The schedule is set by Microsoft and isn't configurable by organizations. You can change this setting later when you edit the agent.
- Select the alert timeframe, which is how far back the agent looks for alerts to triage. Analysts can shorten the timeframe when they edit the agent but can't lengthen it. For more information, see Select Alert timeframe.
- Select Deploy. You see the Alert Triage Agent in <solution> is deployed message when the agent is successfully deployed.
Setup agents
Once an agent is enabled, you need to set specific triggers for it. The triggers determine which alerts the agent triages. You can do this either on the Agents page or, in the first-run experience, on the Alerts page for the solution. This procedure uses the first-run experience on the Alerts page, and assumes that you still have the Microsoft Purview portal open to the Explore agents page from the previous procedure.
Important
The most recent agent configuration is always used.
- Select Open in <solution>. This opens the Alerts page for the solution.
- Because you're in the first-run experience, you see a dialog box with a Customize button. Selecting it opens the Customize Alert Triage Agent flyout.
- Here, choose either to accept the default global setting for Select alert timeframe or change it to be shorter than what was configured during agent deployment.
- Enter custom instructions for the agent. The agent interprets your natural language input and uses it to better identify which types of alerts matter most to you.
- Open Specify Policy Scope and select Edit. Choose the policies that you want the agent to triage. If you don't select a policy, the agent will triage the alerts from all of the active policies.
Note
It can take up to four hours for a newly created DLP policy to appear in the Specify Policy Scope list. If there are many policies in your tenant, the list takes longer to fully populate. DLP policies in Simulation or Off status, or that have been deleted, aren't shown in the list.
- Select Review.
- Select Start agent.
Allow up to two hours for the agent to finish triaging the in-scope alerts and for manual runs to become available after this initial setup. You can revisit these settings from the Explore agents section by selecting Triggers for the agent.
Specify Policy Scope inclusion considerations
A DLP policy must meet certain criteria to appear in the Specify Policy Scope list and be eligible for inclusion in triage.
Full eligibility
A policy is fully eligible for inclusion if the DLP Alert Triage Agent supports all the conditions in the policy. All alerts from a fully eligible policy will be triaged.
Limited eligibility
If a policy has some conditions that the Triage Agent in DLP doesn't support, the policy is in a state called limited eligibility. The agent may not be able to triage all of the alerts from that policy: alerts produced by supported conditions are triaged, and alerts produced by the unsupported ones aren't. To see why a policy is limited, select the Limited state in the Specify Policy Scope picker.
A policy can be in a limited eligibility state for reasons such as these:
- Get started with collecting files that match data loss prevention policies from devices isn't enabled, or the storage associated with it isn't Microsoft storage. For policies that target the endpoint (devices) workload, the File collection setting in the policy rule is turned off.
- The policy has no rule with a Content contains condition.
- The policy targets a workload other than SharePoint, OneDrive, Exchange, Teams, or Devices (endpoint).
The same eligibility status is shown on the DLP policy list page; the eligibility column appears once the DLP Triage Agent is enabled and set up. After policies are included in the agent scope, only alerts generated from that point on for those policies are triaged. Alerts that were already generated or already triaged aren't affected.
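Because a policy can take hours to show up in the picker and its eligibility reason is only visible one policy at a time, it helps to pre-check the whole tenant against the criteria listed above before scoping the agent. The following Security & Compliance PowerShell script is an added example, not part of the Microsoft documentation, and approximates the eligibility rules from this section; the portal's eligibility column remains authoritative. It assumes Get-DlpCompliancePolicy exposes the per-workload *Location properties and Mode, and that Get-DlpComplianceRule exposes ParentPolicyName, Disabled and ContentContainsSensitiveInformation. It does not check the endpoint file-collection (evidence) setting.

```powershell
# Added example (not Microsoft's code): report which DLP policies are likely to appear as
# eligible, limited, or hidden in the Specify Policy Scope picker, using the criteria the
# page lists. Pre-check only; the portal's eligibility column is authoritative.
# Requires the ExchangeOnlineManagement module and a Security & Compliance session:
#   Connect-IPPSSession
# Assumptions: Get-DlpCompliancePolicy exposes *Location properties and Mode;
# Get-DlpComplianceRule exposes ParentPolicyName, Disabled and ContentContainsSensitiveInformation.
# The endpoint file-collection (evidence) setting is not checked here.

# Workloads the triage agent supports, as named by the policy object's location properties.
$SupportedLocations = @(
  'ExchangeLocation', 'SharePointLocation', 'OneDriveLocation', 'TeamsLocation', 'EndpointDlpLocation'
)

function Get-TriageEligibilityReport {
  $rules = @(Get-DlpComplianceRule)
  foreach ($policy in Get-DlpCompliancePolicy) {
    $reasons = [System.Collections.Generic.List[string]]::new()

    # Simulation (Test*) and Off (Disable) policies don't appear in the picker at all.
    if ($policy.Mode -ne 'Enable') {
      $reasons.Add("policy mode is '$($policy.Mode)', not On")
    }

    # Populated location properties, excluding the *Exception lists, split into supported and other.
    $populated = $policy.PSObject.Properties |
      Where-Object { $_.Name -like '*Location' -and $_.Name -notlike '*Exception' -and @($_.Value).Count -gt 0 } |
      Select-Object -ExpandProperty Name
    $supported   = @($populated | Where-Object { $_ -in $SupportedLocations })
    $unsupported = @($populated | Where-Object { $_ -notin $SupportedLocations })
    if ($supported.Count -eq 0)   { $reasons.Add('no supported workload (Exchange, SharePoint, OneDrive, Teams, Devices) targeted') }
    if ($unsupported.Count -gt 0) { $reasons.Add("targets unsupported workload(s): $($unsupported -join ', ')") }

    # At least one enabled rule must carry a Content contains (sensitive information) condition.
    $policyRules = @($rules | Where-Object { $_.ParentPolicyName -eq $policy.Name -and -not $_.Disabled })
    $hasContentContains = @($policyRules | Where-Object { @($_.ContentContainsSensitiveInformation).Count -gt 0 }).Count -gt 0
    if (-not $hasContentContains) { $reasons.Add('no enabled rule with a Content contains condition') }

    $status = if ($policy.Mode -ne 'Enable') { 'Not shown' }
              elseif ($reasons.Count -gt 0)  { 'Limited (verify in portal)' }
              else                           { 'Eligible' }

    [pscustomobject]@{
      Policy    = $policy.Name
      Mode      = $policy.Mode
      Workloads = ($supported -join ', ')
      Status    = $status
      Reasons   = ($reasons -join '; ')
    }
  }
}

Get-TriageEligibilityReport | Sort-Object Status, Policy | Format-Table -AutoSize -Wrap
```

Policies reported as Limited are the ones to open in the picker and inspect, since only part of their alert stream will reach the agent; a policy that is Eligible here but still missing from the picker is most likely inside the four-hour population window.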
Pausing agents
- Sign in to the Microsoft Purview portal with an account that has the required permissions.
- In the left hand navigation pane, select Agents.
- Select Explore agents.
- Select View agent for the agent you want to pause. This opens the agent overview page.
- In the upper right corner of the agent overview page, select the ellipsis (three dots) next to the Edit agent button.
- Select Deactivate agent. Pausing the agent stops it from triaging alerts. It doesn't remove the agent, and it doesn't reset the Select alert timeframe reference point in time.
Removing agents
- Sign in to the Microsoft Purview portal with an account that has the required permissions.
- In the left hand navigation pane, select Agents.
- Select Explore agents.
- Select View agent for the agent you want to remove. This opens the agent overview page.
- In the upper right corner of the agent overview page, select the ellipsis (three dots) next to the Edit agent button.
- Select Remove agent. Removing the agent deletes it from Microsoft Purview. If you want to use it again, you must go through the Enabling the agent and Setup agents procedures again. Removing the agent resets the Select Alert timeframe reference point in time.
Editing agents
- Sign in to the Microsoft Purview portal with an account that has the required permissions.
- In the left hand navigation pane, select Agents.
- Select Explore agents.
- Select View agent for the agent you want to edit. This opens the agent overview page.
- Select Edit agent. This opens the Edit agent page.
- Select Triggers.
- Here you can change when the agent runs, either Agent will run manually on one alert at a time or Agent will run automatically based on a set schedule.
- Select Edit to change the Select alert timeframe value and the policies that the agent will triage alerts from.
- If you select Agent will run manually on one alert at a time, you can select a single alert in the Alerts page for the solution. Set the toggle to Alert Triage Agent Preview and select Run Agent.
- You can also change the Custom instructions if you want.
- You can also change the Policy Scope as needed.
Monitoring SCU usage
- Sign in to the Microsoft Purview portal with an account that has the required permissions.
- In the left hand navigation pane, select Agents.
- Select Explore agents.
- Select View agent for the agent whose usage you want to monitor. This opens the agent overview page.
- Select Edit agent. This opens the Edit agent page.
- Select Usage monitoring.
- You can track your SCU consumption in the usage monitoring tool.
Alerts page overview
- Sign in to the Microsoft Purview portal with an account that has the required permissions.
- Open the solution you want to view the triaged alerts for.
- Open the Alerts page for the solution.
- In the top right hand area of the page, there's a new toggle that lets you choose between the Standard view of the alerts page and a Triage Agent (Preview) view of the alerts page. Set the toggle to the Triage Agent (Preview) view. This view shows the alerts that have been triaged by the agent. The alerts are grouped by the agent into four categories:
- All
- Needs attention
- Less urgent
- Not categorized
Feedback for alerts triaged
Important
You can only provide feedback on alerts that are in the Needs attention or Less urgent categories. If you disagree with the agent's initial categorization of an alert, you can use the feedback mechanism to revise the categorization. If the initial value is Needs attention, you can change it to Less urgent. If the initial categorization is Less urgent, you can reprioritize it as Needs attention.
You can also add properties, such as a Sensitive info type or a File path, that the agent should use in future evaluations to improve performance. These properties are supported in preview:
- User email address: the user who performed the activity that triggered the alert
- External recipient email address: to track alerts triggered by Exchange email or Teams interactions with external recipients
- Sensitive information type: shows all the SITs within the tenant; the SITs involved in the policy rule that triggered the alert are preselected
- Trainable classifier: shows all trainable classifiers; the trainable classifiers involved in the policy rule that triggered the alert are preselected
- Sensitivity label: the labels present in the tenant
- File path: available when the alert relates to a file and the file path is known. For Endpoint DLP (device) alerts, the file path isn't available if Full file evidence wasn't enabled at the time the alert was triaged
- Target domain: for devices (endpoint) DLP alerts where a target domain is present
- Select any Needs attention, or Less urgent alert. This opens a flyout with the agent provided summary and other settings.
- Select Agent feedback.
- The Revise to field shows the value of the recategorization.
- Select + Add property and add one or more properties. The added properties are used to improve triaging performance.
- If you want to Apply the feedback to all policies select that option. Otherwise, the feedback will only be applied to the policy that triggered the alert.
- Select Review to see a summary of the changes.
- Select Submit to save the feedback.
- The current alert doesn't change immediately. An admin must manually run a triage pass on the alert to update its categorization based on the feedback provided.
Managing feedback
You can view and manage all the feedback given for a triaged alert, including exporting, editing, and deleting feedback.
- In the solution for the alert, open the Alerts page.
- Select the Needs attention or Less urgent category.
- Select the alert that you want to manage the feedback for.
- Select Agent feedback.
- Select View all feedback.
- Select the alert and feedback entry that you want to manage.
- Edit, Delete, or Export the feedback as needed.
Feedback conflict resolution
Feedback conflict can occur when multiple admins provide conflicting feedback for the same user and policy combination on different alerts. Feedback conflict generates an error.
For example:
- Admin 1 provides feedback to change all alert's categorization to Less urgent if the alert is for User A and Policy P.
- Admin 2 provides feedback to change an alert's categorization to Needs attention if the alert is for User A and Policy P.
To resolve a feedback conflict, see Feedback conflict resolution.
Other considerations
- For the alert count, only alerts generated from a single-instance match are counted. Alerts generated for a threshold scenario (for example, generate an alert if there are 10 matches in the last 24 hours) aren't counted.
Next steps
Refer to solution specific articles for information on reviewing the triaged alerts.