Activity Explorer & Data Monitoring
Activity Explorer shows what's happening to your data β who's labelling, sharing, and accessing sensitive content. Combined with alerts from DLP, Insider Risk, and Communication Compliance, it gives you full visibility.
Your data monitoring toolkit
Think of three different security camera views.
Content Explorer = the inventory camera β shows you WHAT sensitive data exists and WHERE. βThere are 340 documents with credit card numbers in the Finance SharePoint site.β
Activity Explorer = the motion camera β shows you WHATβS HAPPENING to that data. β12 users downloaded labelled documents this week. 3 DLP policies triggered.β
Alerts = the alarm system β notifies you when something needs immediate attention. βSam just tried to email a Confidential file externally.β
Content Explorer β what data do you have?
Content Explorer lets you browse sensitive content discovered across your tenant:
| What It Shows | Example |
|---|---|
| Sensitive info type matches | 847 documents with credit card numbers |
| Sensitivity label distribution | 2,400 files labelled Confidential, 180 labelled Highly Confidential |
| Trainable classifier matches | 95 documents classified as βContractsβ by AI |
| Location breakdown | Finance SharePoint: 340 sensitive docs. HR SharePoint: 210 sensitive docs |
Key exam concept: Content Explorer answers βWHAT sensitive data do we have and WHERE?β β itβs the discovery tool. You use it BEFORE setting up DLP policies to understand what you need to protect.
Activity Explorer β whatβs happening to your data?
Activity Explorer shows real-time data about user activities:
| Activity Type | What It Tracks |
|---|---|
| Labelling | Sensitivity labels applied, changed, or removed |
| DLP matches | Policies triggered, actions taken (warn, block) |
| File activities | Copies, moves, downloads, prints, uploads |
| Sharing | Internal and external sharing events |
| Endpoint activities | USB copies, cloud uploads from devices |
Scenario: Priya investigates a data trend
Priya (Northwaveβs Compliance Officer) uses Activity Explorer weekly:
This weekβs findings:
- π 47 βlabel removedβ events (users removing Confidential labels before sharing)
- π΄ 12 DLP blocks (mostly Marketing sharing campaign data externally)
- π 3 files copied to USB drives (flagged by endpoint DLP)
- β οΈ 1 user removed labels on 15 documents in one hour
Actions:
- Investigate the label-removal trend β are users deliberately bypassing protection?
- Review DLP blocks with Marketing β are the policies too strict, or is there a real risk?
- Follow up on the USB copy events β is this an authorised data transfer?
- Escalate the single-user label removal β possible Insider Risk case
Alerts across Purview tools
Each Purview tool generates its own alerts:
| Alert Source | What Triggers It | Where to Review |
|---|---|---|
| DLP alerts | Sensitive data sharing matches a DLP policy | Purview β DLP β Alerts |
| Insider Risk alerts | User behaviour matches a risk pattern | Purview β Insider Risk β Alerts |
| Communication Compliance alerts | Message content matches a compliance policy | Purview β Communication Compliance β Alerts |
| DSPM for AI alerts | Sensitive data accessed via AI tools | Purview β DSPM for AI |
The alert lifecycle
- Triggered β automatic based on policy match
- Review β admin investigates the alert details
- Action β resolve, escalate, dismiss as false positive
- Close β mark as resolved with resolution notes
π¬ Video walkthrough
Flashcards
Knowledge Check
Priya wants to understand what types of sensitive data exist across Northwave's SharePoint sites BEFORE creating DLP policies. Which tool should she use first?
Next up: Oversharing in SharePoint β the #1 risk for Copilot deployments and the tools to detect and fix it.