Data Loss Prevention Incident Response with Microsoft

  • Release version: Yokohama
  • Updated July 31, 2025

    The Data Loss Prevention Incident Response with Microsoft integration provides a core framework for importing Data Loss Prevention (DLP) incidents from multiple sources, such as Microsoft Purview apps, Microsoft Teams, Exchange Online, SharePoint Online, OneDrive for Business, and other event types.

    Request apps on the Store

    Visit the ServiceNow Store website to view all the available apps and for information about submitting requests to the store. For cumulative release notes information for all released apps, see the ServiceNow Store version history release notes.

    Overview and key features

    The Data Loss Prevention Incident Response integration with Microsoft enables organizations to gain a unified view of incidents across email, network, endpoint, and cloud sources. Endpoint devices enable a remediation workflow involving end users, managers, and the DLP operations team, with automated incident assignment and escalations.

    Use the key features of this integration to do the following actions:
    • Create multiple profiles for different accounts.
    • Automate the creation of DLP IR incidents.
    • Map the Microsoft DLP IR event fields to DLP IR incident fields.
    • Filter Microsoft DLP IR events.
    • Schedule periodic ingestion of DLP IR events that create DLP IR incidents.
    • Store the matching content of each Microsoft DLP event in external cloud storage.
    • Delete matching content from external cloud storage when the DLP IR incident is deleted in ServiceNow.
    • Download files for DLP IR incidents of type Exchange, OneDrive, and SharePoint.

    Learn about this integration

    Document identifier                        | Document title
    Microsoft product documentation website   | Microsoft Product Documentation website
    ServiceNow product documentation website  | ServiceNow Product Documentation website