Managing an enterprise-grade DLP solution tends to mean getting buried under an endless mountain of audit logs, scrambling to apply exclusions and refinements to controls based on sporadic incident tickets, end user complaints and assorted dumpster fires.
For example, when users are constantly uploading files to an ever-changing array of cloud services, keeping your Endpoint DLP authorized domain list accurate to exclude approved services from file upload controls can rapidly overwhelm a small security team.
This session introduces a practical, automated approach to solving this issue, based on a solution adopted successfully by real security teams in the field. We will explore how to set up a continuous refinement loop that does the heavy lifting for you, leveraging smart Endpoint DLP audit rules, the Graph API runHuntingQuery endpoint and Azure Logic Apps to bring actionable intelligence directly to the people responsible for security, right in the flow of everyday work in Teams.
In this session, you will learn how to:
- Set up dedicated Endpoint DLP rules and other technical prerequisites to silently monitor file uploads against your baseline of approved domains.
- Use Logic Apps to automatically query the Graph API runHuntingQuery endpoint and gather audit events of unauthorized file uploads.
- Filter weekly audit findings into a clean, concise and actionable report, supported by a more comprehensive CSV dataset.
- Deliver these insights straight into a Teams channel so admins can effortlessly review and update allowed domains in minutes.
We also discuss useful ways to extend and enrich this approach by integrating with managed GenAI services such as Azure OpenAI.
The proven pattern explained and demonstrated in this session is one you can apply to countless other security and governance scenarios going forward, helping manage sprawl and helping keep your organization secure with less friction.
This session is well suited to those responsible for security, admins and IT Pros, as well as anyone interested in effectively operationalizing security solution refinement with limited resources.
You will:
- Understand the set-up process and prerequisites for automated unauthorized file upload auditing
- Discover how to automatically prepare and send audit reports with Logic Apps calling the Graph API runHuntingQuery endpoint
- Get inspired to apply the same or a similar pattern in other processes, and see the value of GenAI enrichment in regular solution refinement