MC1309741 - Microsoft Purview | Data Loss Prevention - Enrich Defender alerts Graph API with DLP event data
Message Center
Summary
Microsoft Purview DLP event details will be integrated into Microsoft Graph Security APIs alongside Defender alerts, simplifying correlation, reporting, and SIEM integration. Public preview starts late May 2026; general availability begins late June 2026. This affects admins using these APIs for DLP-related alert data.
Published
Service
Tag
Platforms
More information
Introduction
To help security and compliance teams more easily correlate Microsoft Purview Data Loss Prevention (DLP) activity with Microsoft Defender alerts, we’re enriching Microsoft Graph security APIs so DLP event (rule match) details can be retrieved alongside Defender alert data. This simplifies exporting data to SIEM tools, building automated workflows, and generating custom reports without needing to stitch together data from multiple APIs.
This message is associated with Microsoft 365 Roadmap ID 558681.
When this will happen:
- Public Preview: Rollout begins in late May 2026 and is expected to complete early June 2026.
- General Availability (Worldwide): Rollout begins in late June 2026 and is expected to complete early July 2026.
How this affects your organization:
Who is affected:
- Admins, security engineers, and developers who use Microsoft Graph Security APIs to retrieve Defender alerts and/or Purview DLP event data for reporting, investigations, SIEM integration, or automation.
- This applies only to DLP-related Defender alerts (the DLP events query will not return results for non-DLP alerts).
What will happen:
Before this update:
Alert data is available through Microsoft Graph Security APIs, while DLP rule match event details are available through the Management API. Customers who need to correlate alerts with underlying DLP activity must retrieve data from multiple APIs and manually join the results.
With this update:
- Microsoft Graph will include DLP event data associated with Defender alerts.
- This enables simplified correlation and integration without relying on multiple APIs.
- There is no impact to user experience.
The following table shows the combined data available through this enhancement:
| Common Alert Data (Already present in Graph API) | Common Event Data (Present in all events) |
|---|---|
| Alert ID | Event ID |
| Incident ID | User ID |
| Status | Workload |
| Severity | Event time |
| Classification | Operation |
| Assigned to | Policy details (ID, name, rule, action) |
| Creation time | Sensitive info types (ID, counts, confidence, values) |
| Last update time | Trainable classifier |
| Resolve date time | User override |
| First activity time / Last activity time |
Admin experience (high level flow):
Step 1: Fetch Defender alerts using the alerts_v2 Graph API. Learn more: List alerts_v2 | Microsoft Learn.Endpoint: https://graph.microsoft.com/beta/security/alerts_v2/{alert-id}
From the response, capture:
alertCorrelationId(DetectorId)startDateTime(firstActivityDateTime)endDateTime(lastActivityDateTime)
Note: Alert must be a DLP alert.
Screenshot: Example response from the alerts_v2 Graph API showing a Defender DLP alert and correlation details:
Step 2: Query DLP event data using the correlation details.
Endpoint: https://graph.microsoft.com/beta/security/dlpAlertEvent
Example filter: $filter=alertCorrelationId eq '{alertCorrelationId}'
and startDateTime ge {startDateTime}
and endDateTime le {endDateTime}
The response returns events where auditRecord contains the event JSON.
What you can do to prepare:
No action is required if you don’t use Graph APIs for alert/event export or automation.
If you do use these APIs, we recommend the following:
- Update SIEM connectors / scripts / playbooks that currently join data from Graph + Management APIs, so they can use the enriched Graph experience for correlation.
- Validate with a DLP alert in a test environment during Public Preview (late May–early June 2026) to confirm your parsing of the auditRecord JSON and your time-window logic.
Prerequisites
Baseline access: Users must have the Security Reader role to access alerts and events via the API.
- SecurityEvents.Read.All
- SecurityAlerts.Read.All
- CustomTags.Read.All
Note:
- If a user has the Security Reader role and calls the API, they will receive output without sensitive information
- If the user also has the Data Classification Content Viewer role (Purview RBAC), the output will include sensitive information.
Compliance considerations:
| Area | Explanation |
|---|---|
| Alters how existing customer data is accessed | Introduces a new Microsoft Graph API method to retrieve DLP event (rule match) data alongside Defender alerts, provided simpler way of accessing and correlating existing data. |
| Alters admin monitoring/reporting capabilities | Enables simplified export and correlation of DLP alert and event data, improving SIEM integration and compliance reporting workflows. |
| Supports third-party integrations | The enriched API is designed to integrate with SIEM and other external tools, enabling automated workflows and data export to third-party systems. |
| Admin control and access governance | Access is governed by Graph permissions and Purview RBAC roles; while configurable, no new dedicated admin toggle is introduced. |