Collection policies are an event collection and filtering tool in Microsoft Purview that enables monitoring and classification of events from apps and locations that lie both inside and beyond your organization's trust boundaries. They let you filter which events from both untrusted and trusted sources are ingested into Purview. Once ingested, that data can be classified and used by various Microsoft Purview signal-consuming solutions, such as Microsoft Purview Activity explorer, Microsoft Purview Insider Risk Management, Microsoft Purview eDiscovery, and Microsoft Purview Data Lifecycle Management.
Collection policies can help you achieve these data security outcomes:
Only ingest the events that you want
The primary purpose of collection policies is to enable you to define the events that your organization wants to bring into Microsoft Purview, so you can focus on the data that you care about. Here are some examples of how this capability can help you.
Regulatory compliance by geopolitical ___location
Your organization may span geopolitical and regulatory boundaries with different regions having different data security and privacy requirements. One may require all events be ingested into Purview, while another area may be subject to restrictions on what events can be collected. Collection policies let you define the events that are collected for each region. This allows you to meet the data security and privacy requirements of each region while still having a single consolidated view into your organization's sensitive information.
Filter out unnecessary events
Your organization may have many events that are being collected, but you only want to see the events that are relevant to your needs. For example, say your organization has onboarded all devices and enabled Always audit file activity for devices in Endpoint DLP settings. This means that all file activity is being collected and placed into activity explorer. Sifting through all events may slow event investigation as you sort out the unwanted data to get to the data you need. With collection policies, you can filter out the events that you don't want to see before they get to activity explorer. This can help reduce noise and make it easier to find the events that are relevant to your organization.
How collection policies work
The key to understanding collection policies is to know what an event is.
An event is made up of two things:
- A condition, like Content contains, or File extension is. This requires the use of classifiers, like sensitive information types. For example, a condition could be Content contains a sensitive information type, like U.S. Social Security Number or File extension is .docx.
- An activity that a user can take on a sensitive item, like File copied to removable media
Collection policies filter events based on:
- A match to one or more conditions and activities defined in the event.
- A match to the data source or ___location where the event is happening. For example, a collection policy can be scoped to only collect events from devices, or only collect events from Microsoft Security Copilot for Fabric.
A policy is considered matched when one or more of the conditions are met (unless you AND the conditions, in which case all of them must be met) and the activity is matched on the data source.
Multiple collection policies for single data source
It's possible your organization will need to create multiple collection policies for any given data source. Collection policies handle the multiple policy scenario differently than DLP or other Purview policies, which assign a priority to policy evaluation based on the order in which the policies are created.
On the collection policies page, you see all the individual policies that have been created. But on the back end, during policy evaluation, Microsoft Purview combines all the collection policies for a data source into a single collection policy for that data source. So all the conditions for a data source are used when identifying matches.
Accessing collection policies
Collection policies are a component of the Microsoft Purview portal Classifiers feature. You can access them from anywhere in the Purview portal where the Classifiers feature is available. For example,
In the Microsoft Purview portal, select Solutions > Data Loss Prevention > Classifiers > Collection policies.
Alternately, you can access collection policies in the Microsoft Purview portal from Solutions > Information Protection > Classifiers > Collection policies.
Collection policy configuration overview
You have flexibility in how you create and configure your collection policies. All collection policies require the same information from you. You must know this information before you start creating a collection policy. For additional details about each step, including supported configuration, see Collection policies policy reference.
Define data to detect by configuring conditions required for a policy match. There are four supported conditions:
- Content contains classifiers, which makes use of sensitive information types and trainable classifiers. Can be scoped to all classifiers, all classifiers except selected ones, or only specific classifiers.
Note
The devices ___location doesn't support using trainable classifiers.
- Document size equals or is greater than, as measured in bytes, kilobytes (KB), megabytes (MB), gigabytes (GB), or terabytes (TB).
- Document size is equal to or smaller than, as measured in bytes, kilobytes (KB), megabytes (MB), gigabytes (GB), or terabytes (TB).
- File extension is, which makes use of file extensions.
Choose the activities required for a policy match. The supported activities are specific to the data source. For devices, there are 19 supported activities, such as File copied to removable media, File printed, and File uploaded to cloud. A full list of the supported activities is available in the Collection policies policy reference.
Choose where to apply the policy by selecting a data source.
Depending on the policy settings you choose, you may have additional settings to configure, such as whether or not to enable content capture for AI interactions and the cloud apps detection method.
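The following Python model, added here as an illustration and not Purview code or any Purview API, shows the matching semantics described under "How collection policies work" together with the four condition types listed above: a policy matches an event only when the data source, one of the selected activities, and the configured conditions (ORed by default, ANDed when requested) all line up, and all policies scoped to the same data source are evaluated together as one merged set. The Event and Policy types, the condition field names, the size-unit table, and the sample policies and events are all constructed for this example.

```python
"""
Illustrative model of collection-policy evaluation, added for this page.
It is not Purview's code or API: the Event and Policy types, the condition
field names and the sample data are constructed here to show the documented
semantics (condition match, AND/OR of conditions, activity match, data-source
scoping, and merging of several policies for one data source).
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Size units offered by the two document-size conditions.
UNITS = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "TB": 1024 ** 4}


def to_bytes(value: float, unit: str) -> int:
    return int(value * UNITS[unit])


@dataclass(frozen=True)
class Event:
    event_id: str
    source: str                  # data source / ___location the event happens in
    activity: str                # e.g. "File copied to removable media"
    extension: str               # e.g. ".docx"
    size_bytes: int
    classifiers: FrozenSet[str]  # sensitive information types detected in the content


@dataclass
class Policy:
    name: str
    source: str                  # the single data source the policy is scoped to
    activities: Set[str]
    # "Content contains classifiers": ("all", set()), ("only", names) or ("all_except", names)
    classifier_scope: Optional[Tuple[str, Set[str]]] = None
    min_size: Optional[int] = None         # "Document size equals or is greater than"
    max_size: Optional[int] = None         # "Document size is equal to or smaller than"
    extensions: Optional[Set[str]] = None  # "File extension is"
    and_conditions: bool = False           # True when the conditions are ANDed


def matches_conditions(policy: Policy, event: Event) -> bool:
    """Evaluate only the conditions the policy actually configures."""
    results: List[bool] = []
    if policy.classifier_scope is not None:
        mode, names = policy.classifier_scope
        if mode == "all":
            results.append(bool(event.classifiers))
        elif mode == "only":
            results.append(bool(event.classifiers & names))
        elif mode == "all_except":
            results.append(bool(event.classifiers - names))
    if policy.min_size is not None:
        results.append(event.size_bytes >= policy.min_size)
    if policy.max_size is not None:
        results.append(event.size_bytes <= policy.max_size)
    if policy.extensions is not None:
        results.append(event.extension.lower() in policy.extensions)
    if not results:  # a policy needs at least one condition to match anything
        return False
    return all(results) if policy.and_conditions else any(results)


def matches_policy(policy: Policy, event: Event) -> bool:
    """Source, activity and conditions must all line up for a single policy."""
    return (event.source == policy.source
            and event.activity in policy.activities
            and matches_conditions(policy, event))


def merge_by_source(policies: List[Policy]) -> Dict[str, List[Policy]]:
    """Group policies per data source; a source's policies are evaluated together."""
    merged: Dict[str, List[Policy]] = {}
    for p in policies:
        merged.setdefault(p.source, []).append(p)
    return merged


def collect(policies: List[Policy], events: List[Event]) -> List[Event]:
    """Keep an event if any policy in its source's merged set matches it."""
    merged = merge_by_source(policies)
    return [e for e in events
            if any(matches_policy(p, e) for p in merged.get(e.source, []))]


# Constructed sample policies: two policies scoped to the devices data source.
SAMPLE_POLICIES = [
    Policy("SSN to removable media", "devices", {"File copied to removable media"},
           classifier_scope=("only", {"U.S. Social Security Number"})),
    Policy("Large PDFs printed", "devices", {"File printed"},
           min_size=to_bytes(10, "MB"), extensions={".pdf"}, and_conditions=True),
]

# Constructed sample events (ids, sizes and classifier hits are made up).
SAMPLE_EVENTS = [
    Event("e1", "devices", "File copied to removable media", ".docx",
          to_bytes(50, "KB"), frozenset({"U.S. Social Security Number"})),
    Event("e2", "devices", "File printed", ".pdf", to_bytes(20, "MB"), frozenset()),
    Event("e3", "devices", "File printed", ".pdf", to_bytes(1, "MB"), frozenset()),  # too small for the AND
    Event("e4", "devices", "File uploaded to cloud", ".docx",
          to_bytes(50, "KB"), frozenset({"U.S. Social Security Number"})),          # activity not selected
    Event("e5", "Microsoft Security Copilot for Fabric", "placeholder activity", "",
          0, frozenset()),                                                          # no policy for this source
]


def run_sample() -> List[str]:
    """Return the ids of the sample events that the merged policies would ingest."""
    return [e.event_id for e in collect(SAMPLE_POLICIES, SAMPLE_EVENTS)]


if __name__ == "__main__":
    print(run_sample())  # ['e1', 'e2']
```

Running the sample keeps only e1 and e2: e3 fails the ANDed size condition, e4 carries a matching classifier but performs an activity no devices policy selected, and e5 comes from a data source with no collection policy at all. The merge step is what makes "one policy per need" workable, since each devices policy contributes its own condition/activity pair to the combined evaluation for that source.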
Content capture for AI interactions
To help comply with regulatory requirements, you can decide whether to capture and store all detected prompts and responses from any generative AI data sources added to the policy. This makes it easy to discover and protect the captured content later with additional Microsoft Purview policies and solutions. This capability doesn't include content in files shared with generative AI, and only applies to:
- Copilot experiences
- Enterprise AI
- Unmanaged cloud apps categorized as generative AI
- All unmanaged AI apps adaptive app scope
Without the setting enabled, content detected in prompts and responses is limited to sensitive information only.
Note
To capture AI content, you must have the 'Content contains classifiers' condition set to 'All'.
Collection policies and Microsoft Purview Insider Risk Management
Depending on your configuration, Microsoft Purview Insider Risk Management policy behavior might be impacted by collection policies. When an insider risk policy is configured, it monitors service and third-party indicators to help you quickly identify, triage, and act on risk activity. Using logs from Microsoft 365 and Microsoft Graph, Insider Risk Management allows you to define specific policies to identify risk indicators. These policies allow you to identify risky activities and to act to mitigate these risks.
Warning
When a collection policy is configured and deployed, if there's a conflict between what the Insider Risk Management policy is configured to monitor and what the collection policy is configured to filter for, the collection policy configuration takes precedence. This means that if an Insider Risk Management policy is configured to monitor a specific activity, but the collection policy is configured to filter out that activity, the activity isn't collected and isn't available for review in Insider Risk Management. This only applies to device indicators in Insider Risk Management policies. If a collection policy is configured to collect something that an Insider Risk Management policy isn't configured for, then the indicator is collected, but Insider Risk Management ignores it.
Collection policies and Endpoint Data Loss Prevention
When Always audit file activity for devices is enabled all activities for Office, PDF, and CSV files are collected by default. If you want to modify which activities are collected for devices in this case, you can do so by configuring a collection policy targeted to devices. If Always audit file activity for devices isn't enabled, activities aren't collected from devices, even if a collection policy is created scoped to devices.
Collection policies can't impact the behavior of DLP policies, only what is collected and recorded for audit file events on devices.
Collection policies and Microsoft Purview Data Security Posture Management and Purview Data Security Posture Management for AI
When you use one-click policies in Microsoft Data Security Posture Management or Microsoft Data Security Posture Management for AI (DSPM for AI), you can take action on recommendations that automatically create collection policies on your behalf.
You can view and monitor the outcomes of these policies in tailored experiences within DSPM and DSPM for AI, as well as in activity explorer. These policies are named automatically by the quick policy experience. Post-creation, these collection policies can be viewed and edited in the same manner as collection policies created using the workflow.