This document provides a guide for automating Data Loss Prevention (DLP) incident resolution using Power Automate and PowerShell. It outlines the steps to create a flow or script that resolves incidents based on specific criteria, such as the sender being an HR user and the email content containing 'offer letter'. The document includes detailed instructions for setting up the automation, including fetching incidents, filtering them, and updating their status to resolved.

Uploaded by cooljimit18

Automating DLP Incident Resolution with Power Automate and PowerShell

Automating with Power Automate

This guide provides step-by-step instructions for automating DLP incident resolution in Microsoft Purview using Power Automate.

### Scenario

DLP incidents are resolved if:

1. The sender matches a predefined list of HR users.

2. The content of the email contains the term "offer letter".

Step 1: Create a New Flow

1. Go to Power Automate (https://flow.microsoft.com).

2. Click Create > Automated Cloud Flow.

3. Name your flow (e.g., Resolve HR DLP Incidents).

4. Set the trigger as Recurrence to schedule periodic runs (e.g., hourly or daily).

Step 2: Fetch DLP Incidents

1. Add an HTTP Action.

- Method: GET.

- URL: https://<your-instance>.microsoft.com/api/dlp/incidents.
- Headers:

- Authorization: Bearer <access_token>.

- Content-Type: application/json.

2. Test the flow to ensure it successfully retrieves incidents.

Step 3: Define HR Users

1. Add a step: Initialize Variable.

- Name: HRUsers.

- Type: Array.

- Value (a JSON array of the HR mailboxes):

```json
[
  "[email protected]",
  "[email protected]",
  "[email protected]",
  "[email protected]",
  "[email protected]"
]
```

Step 4: Loop Through Incidents and Filter

1. Add an action: Apply to Each.

- Use the output of the HTTP Action as the array to loop through.

2. Inside the loop, add a condition:

- Check if the sender is in the HRUsers array:

  `contains(variables('HRUsers'), items('Apply_to_each')?['sender']?['mail'])`

- Check if the content contains "offer letter" (the content is lower-cased first so the match is case-insensitive):

  `contains(toLower(items('Apply_to_each')?['content']), 'offer letter')`

3. Combine the conditions using AND.

Step 5: Resolve Matching Incidents

1. Inside the true branch of the condition, add another HTTP Action to resolve the incident.

- Method: PATCH.

- URL: https://<your-instance>.microsoft.com/api/dlp/incidents/<incident_id>.

- Replace <incident_id> dynamically using items('Apply_to_each')['id'].

- Headers:

- Authorization: Bearer <access_token>.

- Content-Type: application/json.

- Body (JSON):

```json
{
  "status": "Resolved",
  "comments": "Automatically resolved for HR offer letter"
}
```

Step 6: Save and Test

1. Save the flow and manually test it to ensure incidents are resolved for matching conditions.

2. Check Microsoft Purview to confirm the updated status of resolved incidents.


Automating with PowerShell

This section describes how to achieve the same automation using PowerShell.

### Scenario

The PowerShell script resolves DLP incidents if:

1. The sender matches a predefined list of HR users.

2. The content of the email contains "offer letter".

Step 1: Define HR Users

1. Define a static list of HR users in the script.

Example:

```powershell
# Static allow-list of HR senders; only mail from these addresses qualifies.
$HRUsers = @(
    "[email protected]",
    "[email protected]",
    "[email protected]",
    "[email protected]",
    "[email protected]"
)
```

Step 2: Authenticate to Microsoft Purview API

1. Use the following code snippet to authenticate. Keep the client secret out of the script file (read it from an environment variable or a secret store at run time) and grant the app registration only the permissions it needs to read and update DLP incidents:


```powershell
$ClientId     = "<Your-Client-ID>"
$ClientSecret = "<Your-Client-Secret>"
$TenantId     = "<Your-Tenant-ID>"
$TokenUrl     = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"

# Client-credentials grant: the app authenticates as itself, no user sign-in.
$Body = @{
    grant_type    = "client_credentials"
    client_id     = $ClientId
    client_secret = $ClientSecret
    scope         = "https://graph.microsoft.com/.default"
}

$Response    = Invoke-RestMethod -Method Post -Uri $TokenUrl -Body $Body
$AccessToken = $Response.access_token
```

Step 3: Fetch DLP Incidents

1. Use the following code to fetch incidents:

```powershell
$PurviewEndpoint = "https://<your-instance>.microsoft.com/api/dlp/incidents"

# Bearer token from Step 2 is sent on every request.
$Headers = @{
    Authorization  = "Bearer $AccessToken"
    "Content-Type" = "application/json"
}

$Incidents = Invoke-RestMethod -Method Get -Uri $PurviewEndpoint -Headers $Headers
```

Step 4: Filter and Resolve Incidents


1. Filter incidents for matching HR users and content:

```powershell
# -contains is a case-insensitive equality test against the allow-list;
# -match is a case-insensitive regular-expression match on the body text.
$FilteredIncidents = $Incidents.value | Where-Object {
    $HRUsers -contains $_.sender.mail -and $_.content -match "offer letter"
}
```

2. Resolve incidents:

```powershell
foreach ($Incident in $FilteredIncidents) {
    $IncidentId     = $Incident.id
    $UpdateEndpoint = "$PurviewEndpoint/$IncidentId"

    # Same body the Power Automate flow sends in its PATCH action.
    $Body = @{
        status   = "Resolved"
        comments = "Automatically resolved for HR offer letter"
    } | ConvertTo-Json -Depth 10

    Invoke-RestMethod -Method Patch -Uri $UpdateEndpoint -Headers $Headers -Body $Body
}
```
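As an added example that is not part of the original guide, the filter-and-resolve logic shared by both sections (the flow's two conditions and the script's Where-Object filter) rewritten as PowerShell functions with a -WhatIf dry run, result paging and an audit log of what was actually changed. It assumes the guide's placeholder endpoint and response shape ($Incidents.value items with id, sender.mail and content); the '@odata.nextLink' paging property and the log file path are assumptions, not a documented API.

```powershell
# Added example: the guide's two criteria as a reusable test, plus a resolver with
# -WhatIf dry run, paging and an audit log. Endpoint, response shape, the
# '@odata.nextLink' property and the log path are assumptions, not a documented API.
function Test-HrOfferLetterIncident {
    param([Parameter(Mandatory)]$Incident, [Parameter(Mandatory)][string[]]$HRUsers)
    $sender  = $Incident.sender.mail
    $content = [string]$Incident.content          # a missing body becomes ''
    # Both criteria must hold; an incident with no sender address never matches.
    if ([string]::IsNullOrWhiteSpace($sender)) { return $false }
    # -notcontains compares case-insensitively, so a mixed-case address still matches.
    if ($HRUsers -notcontains $sender) { return $false }
    # Literal, case-insensitive substring test instead of a regex -match.
    return $content.IndexOf('offer letter', [StringComparison]::OrdinalIgnoreCase) -ge 0
}

function Resolve-HrOfferLetterIncident {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Endpoint,
        [Parameter(Mandatory)][hashtable]$Headers,
        [Parameter(Mandatory)][string[]]$HRUsers,
        [string]$AuditLog = (Join-Path $PWD 'dlp-autoresolve.log')
    )
    $resolved = @()
    $uri = $Endpoint
    while ($uri) {
        $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $Headers
        foreach ($incident in $page.value) {
            if (-not (Test-HrOfferLetterIncident -Incident $incident -HRUsers $HRUsers)) { continue }
            $target = "$Endpoint/$($incident.id)"
            $body = @{ status = 'Resolved'; comments = 'Automatically resolved for HR offer letter' } |
                ConvertTo-Json -Depth 10
            # With -WhatIf this only reports what would be patched; nothing is changed.
            if ($PSCmdlet.ShouldProcess($incident.id, 'Resolve DLP incident')) {
                Invoke-RestMethod -Method Patch -Uri $target -Headers $Headers -Body $body
                "$(Get-Date -Format o) resolved=$($incident.id) sender=$($incident.sender.mail)" | Add-Content -Path $AuditLog
                $resolved += $incident.id
            }
        }
        $uri = $page.'@odata.nextLink'   # assumed paging link; $null ends the loop
    }
    return $resolved                     # ids actually patched, for the run summary
}

# Usage, after $PurviewEndpoint, $Headers and $HRUsers exist as in Steps 1-3:
# preview with -WhatIf first, then run without it.
Resolve-HrOfferLetterIncident -Endpoint $PurviewEndpoint -Headers $Headers -HRUsers $HRUsers -WhatIf
```

The audit log gives reviewers a record of every incident the automation closed, which is what a later DLP investigation will ask for.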
