Combat Alert Overload with Security Copilot Alert Triage Agents for DLP & IRM
Seattle WA, USA– May 12, 2025.
In my previous post, I provided an overview of the new Microsoft Security Copilot agents announced at RSA. Here I want to dive a little bit deeper into two specific agents: the Alert Triage Agent for Data Loss Prevention (DLP) and the Alert Triage Agent for Insider Risk Management (IRM). We’ll talk about them together, as they provide similar capabilities and are both leveraged from the Purview portal.
The Problem
So many data security admins are overwhelmed by the amount of alerts they receive from their DLP rules and IRM policies. It’s a very common problem that spans industries, vendors, and geographies; Microsoft recently sponsored a study that found that the average data security team only has time to address about 60% of the alerts they see on a given day. In that same study, Microsoft found that a data security admin is assigned an average of 66 alerts per day. That means about 25 alerts go unresolved per admin per day. That adds up quickly! We’ve helped many organizations optimize their Purview configurations to reduce false positives and surface high-impact cases; however, many organizations still suffer from alert overload.
This is the issue that the Security Copilot Alert Triage Agents for DLP and IRM seek to solve.
The Solution
The Alert Triage Agent for DLP can analyze all alerts that are generated across the Microsoft DLP policies in your organization and organize them into groups of high priority (“Needs attention”) and low priority (“Less urgent”), presented back to you directly in the Purview portal. Now our data security admin has a list of alerts they should start with, based on the AI’s analysis across different factors, and can spend their time more effectively.
The agent can use a variety of factors, from signal across Microsoft 365 and beyond, in determining which alerts should be prioritized. For example, the agent can use combinations of the following to determine if an alert should be prioritized:
- Type of sensitive information, such as a specific label or sensitive information type (SIT)
- User factors, such as the user’s risk score or whether the user has performed a similar risky action recently
- Action sequence, which can help determine if the data exfiltration action was performed in combination with other suspicious activities, such as deleting the file after sharing it
- Feedback from the data security admin, who can indicate factors that make an alert a higher priority for your specific organization

The agent provides the triaged alerts, as well as its reasoning, in plain text, directly in the Purview portal. Our data security admin can then quickly understand context around an alert and how to frame feedback to the agent to help it learn to better triage alerts for your organization. For example, if you create a new SIT to discover information around a new top-secret project in the organization, you can present that feedback to the agent, which will then use that in its reasoning and be more likely to surface alerts with that new prioritized SIT.
The agent for IRM works similarly to analyze IRM alerts. In the same manner as I described above, the IRM agent triages alerts from IRM to surface those that are more likely to significantly impact the organization. The data security admin then has a prioritized list of what to tackle first. The admin can also provide feedback to the agent to help increase its accuracy in the future.
These two agents save data security admins time by providing initial triage and collecting relevant data about the alerts in its analysis. Also, and more importantly, these agents improve the team’s ability to combat data security incidents by ensuring that they focus on the alerts most likely to impact the organization. Remember the 25 daily alerts that the average data security admin doesn’t have time to resolve? With these agents, those most serious alerts will never fall into that category.

E-Vigilant: Another Approach
Alert overload is one of the problems our proprietary E-Vigilant solution also solves, though it uses a different strategy compared to the agents discussed above. E-Vigilant uses workflows to notify the author, the author’s manager, and other common personas to leverage their contextual knowledge in decision-making that is unavailable to the typical data security admin.
Let’s look at a simple example. Say an organization has a DLP policy that discovers credit card numbers sent externally and alerts the administrator. Two users, both who share the same manager, trigger the DLP policy when they send multiple documents containing credit card numbers to external email addresses that they have not communicated with before. A custom E-Vigilant policy discovers the DLP alerts and initiates a workflow that automatically sends this information to the users’ manager via a Microsoft Teams chatbot. The manager reviews the incidents. The manager knows that our first user has just taken on a new set of responsibilities and hired new partners to process sensitive information, like credit card numbers, and approves this action in Teams. The manager also knows that our second user was recently passed over for a promotion and has no responsibilities for the type of information the DLP rule has discovered. This raises concerns for our manager, who escalates this incident with this contextual knowledge, to the data security team to respond. E-Vigilant can also add more immediate and impactful actions to this workflow, through Microsoft 365 workloads and integration with other applications, such as ServiceNow.
As you can see, these two solutions offer different ways to achieve the same result: more easily surface the highest-impact data security incidents. Using both the Security Copilot Alert Triage Agents and E-Vigilant can provide defense-in-depth, leveraging the best of both worlds in artificial intelligence and contextual knowledge.
E-Vigilant can also extend to additional M365 workloads to provide automatic alerts, notifications, and actions across different Microsoft technologies. For more information about E-Vigilant, see the following resources:
For more information about the Alert Triage Agents for DLP and IRM, see the following resources:
Author

Micah LaNasa
Consultant Lead