Microsoft Purview | Data Loss Prevention - Enrich Defender alerts Graph API with DLP event data

Introduction

To help security and compliance teams more easily correlate Microsoft Purview Data Loss Prevention (DLP) activity with Microsoft Defender alerts, we’re enriching Microsoft Graph security APIs so DLP event (rule match) details can be retrieved alongside Defender alert data. This simplifies exporting data to SIEM tools, building automated workflows, and generating custom reports without needing to stitch together data from multiple APIs.

This message is associated with Microsoft 365 Roadmap ID 558681.

When this will happen:

• Public Preview: Rollout begins in late May 2026 and is expected to complete early June 2026.
• General Availability (Worldwide): Rollout begins in late June 2026 and is expected to complete early July 2026.

How this affects your organization:

Who is affected:

• Admins, security engineers, and developers who use Microsoft Graph Security APIs to retrieve Defender alerts and/or Purview DLP event data for reporting, investigations, SIEM integration, or automation.
• This applies only to DLP-related Defender alerts (the DLP events query will not return results for non-DLP alerts).

What will happen:

Before this update:

Alert data is available through Microsoft Graph Security APIs, while DLP rule match event details are available through the Management API. Customers who need to correlate alerts with underlying DLP activity must retrieve data from multiple APIs and manually join the results.

With this update:

• Microsoft Graph will include DLP event data associated with Defender alerts.
• This enables simplified correlation and integration without relying on multiple APIs.
• There is no impact to user experience.

The following table shows the combined data available through this enhancement:

Admin experience (high level flow):

Endpoint: https://graph.microsoft.com/beta/security/alerts_v2/{alert-id}

From the response, capture:

• alertCorrelationId (DetectorId)
• startDateTime (firstActivityDateTime)
• endDateTime (lastActivityDateTime)

Note: Alert must be a DLP alert.

Screenshot: Example response from the alerts_v2 Graph API showing a Defender DLP alert and correlation details:

Step 2: Query DLP event data using the correlation details.

Endpoint: https://graph.microsoft.com/beta/security/dlpAlertEvent

Example filter: $filter=alertCorrelationId eq '{alertCorrelationId}' and startDateTime ge {startDateTime} and endDateTime le {endDateTime}

The response returns events where auditRecord contains the event JSON.

What you can do to prepare:

No action is required if you don’t use Graph APIs for alert/event export or automation.

If you do use these APIs, we recommend the following:

• Update SIEM connectors / scripts / playbooks that currently join data from Graph + Management APIs, so they can use the enriched Graph experience for correlation.
• Validate with a DLP alert in a test environment during Public Preview (late May–early June 2026) to confirm your parsing of the auditRecord JSON and your time-window logic.

Prerequisites

Baseline access: Users must have the Security Reader role to access alerts and events via the API.

• SecurityEvents.Read.All
• SecurityAlerts.Read.All
• CustomTags.Read.All

Note:

• If a user has the Security Reader role and calls the API, they will receive output without sensitive information
• If the user also has the Data Classification Content Viewer role (Purview RBAC), the output will include sensitive information.

Compliance considerations: