In preview, Microsoft Purview network data security enables organizations to ingest and classify HTTP and HTTPS network traffic from third-party network security solutions. This feature uses Microsoft Purview Data Loss Prevention (DLP) capabilities, the classifiers that you already use in other Microsoft Purview policies, and collection policies (preview) to give you insight into sensitive data that is being shared with generative AI and other unmanaged cloud apps.
With network data security, you can identify sensitive items that are being shared through these interactions:
- Interactions with generative AI through browsers, apps, and add-ins, such as ChatGPT, Gemini, and Claude.
- Files uploaded to unsanctioned cloud storage providers, including Dropbox, Box, and Google Drive.
- Emails and file attachments shared with cloud email providers, such as Gmail.
- Form submissions through online form services, including Google Forms.
- Social media posts on common services like Facebook and X.
Before you begin
If you're new to Microsoft Purview collection policies, Microsoft Purview pay-as-you-go billing models, or Microsoft Purview DLP, you should familiarize yourself with the information in these articles:
- Collection Policies solution overview (preview)
- Learn about data loss prevention
- Learn about Microsoft Purview billing models
- Get started with activity explorer
Licensing
For information on licensing, see
Network data security requires both E5 per-seat licenses and the pay-as-you-go billing model. If your organization doesn't have pay-as-you-go set up for your Microsoft 365 tenant, you must configure that before you can use the network data security feature. The pay-as-you-go billing model allows you to pay for the Microsoft Purview features that you use and that are enabled for it. This model is designed to be flexible and cost-effective, allowing you to scale your usage up or down as needed.
For information on setting up the pay-as-you-go billing model, see Enable Microsoft Purview pay-as-you-go features for new customers.
How network data security works
From a broad perspective, the Microsoft Purview network data security solution combines two components:
Network security solution
The network data security solution integrates your secure access service edge (SASE) solutions directly into Microsoft Purview. The network security solutions monitor network traffic and send the data to Microsoft Purview. Microsoft Purview classifies the data by using the same classifiers that you use in other Microsoft Purview policies. The network security solution sends the data to Microsoft Purview asynchronously.
For more information on which SASE solutions are supported, see the Microsoft Purview Data Loss Prevention Integrations page.
Microsoft Purview
You configure the integration between Microsoft Purview and the network security solution on the Integrations tab in DLP settings. This integration establishes the bidirectional communication channel between the network security solution and Microsoft Purview.
Next, configure a collection policy (preview) that defines the conditions, activities, and data sources of network data that you want the network security solution to collect and send to Microsoft Purview. For more information on how to create a collection policy for network data security, see Scenario 1 Detect sensitive data shared with unmanaged cloud apps via network (preview).
Microsoft Purview sends the collection policy configuration to your SASE solution, and the SASE solution sends the sensitive data matches to Microsoft Purview for classification asynchronously. If you configure content capture in the collection policy, the conversation that happens between the user and the AI app is captured and sent to Microsoft Purview as well.
After the data is classified, it's available in activity explorer and activity explorer in DSPM for AI.
After you configure the integration between Microsoft Purview and your network security solution, allow up to 24 hours for your collection policies to be distributed to the network security solution and for the first data to show up. Once the two services fully communicate with each other, it can take up to 30 minutes for data about a request from a client to a website or cloud app to appear in the audit log and activity explorer.
Supported network data security collection policy configuration
The Microsoft Purview side of the configuration is done via a collection policy. Here are the configuration options that are supported in public preview:
- Conditions - The conditions you can use in a network data security collection policy are the same as the conditions you can use in other Microsoft Purview policies. For example, you can use the Content contains > Sensitive information types condition to classify sensitive items that are being shared with generative AI and other unmanaged cloud apps.
Note
Network data security doesn't support the file size and file extension conditions.
- Activities - Network data security supports four activities:
  - Text sent to or shared with cloud or AI app.
  - File uploaded to or shared with cloud or AI app.
  - Text received from cloud or AI app.
  - File downloaded from cloud or AI app.
Note
The activities supported may differ depending on the integrated SASE solution. Check with your SASE solution provider for details on supported activities.
- Data sources - These are the locations that the endpoint device is communicating with.
  - Unmanaged cloud apps - Network data security collection policies support all the sources that are in the Microsoft Defender for Cloud Apps Cloud app catalog, which includes over 34,000 discoverable cloud apps.
  - Adaptive scopes - All apps categorized as generative AI.
Default policy from Microsoft Purview Data Security Posture Management for AI
Microsoft Purview Data Security Posture Management for AI (DSPM for AI) offers recommendations to help monitor communications with generative AI apps. Select the recommendation Extend insights into sensitive data in AI app interactions to create a one-click policy named DSPM for AI - Detect sensitive info shared with AI via network. After it's created, you can edit this default policy for network data security as you would any collection policy.
Supported network protocols
In preview, network data security supports classifying traffic sent from an endpoint device over HTTP and HTTPS protocols to websites, cloud apps, and generative AIs.
Accessing network data security data
Data from network data security appear in activity explorer and Data Security Posture Management for AI activity explorer events.
Activity explorer
In activity explorer, you can filter on enforcement plane set to network. This filter shows you classification events that network data security collection policies generate.
Billing model
Network data security uses the request as the unit of measure for pay-as-you-go billing purposes. A request is each network call made from a device or browser to a website or API. This definition doesn't include the responses to the requests. For more information on pay-as-you-go billing for network data security, see Other Microsoft Purview solutions that use pay-as-you-go pricing and Requests.
Here are some examples:
| Activity | Data type | Example | 
|---|---|---|
| Text sent to or shared with cloud or AI app | Human-readable strings transmitted inline | Submitting a form with textual information; sending raw text or a prompt to a generative AI; the body of an email; sending JSON data to an API |
| File uploaded to or shared with cloud or AI app | Byte streams, including text-based files, binary files, .txt files, source code, documents, images, videos, .exe files, .pdf files, and archive files | Uploading a profile picture to social media; sending a document or .pdf file as an email attachment; sharing a document with generative AI; transferring a document or .zip files to a cloud storage solution |