manage_dlp_incidents
Investigate and manage Data Loss Prevention policy violations by reviewing incidents, applying remediation actions, and sending user notifications.
Instructions
Investigate and manage DLP policy violations and incidents including user notifications and remediation actions.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| action | Yes | DLP incident management action | |
| incidentId | No | DLP incident ID | |
| dateRange | No | Date range filter | |
| severity | No | Incident severity | |
| status | No | Incident status | |
| policyId | No | Associated policy ID | |
Implementation Reference
- src/handlers/dlp-handler.ts:82-145 (handler): The core handler function that implements the manage_dlp_incidents tool. It processes the list, get, resolve, and escalate actions for DLP incidents against the Microsoft Graph API endpoint /security/alerts_v2.

  ```typescript
  // Imports the excerpt relies on (declared at the top of the file, outside lines 82-145;
  // the relative path to dlp-types is assumed from the file layout shown on this page)
  import { Client } from '@microsoft/microsoft-graph-client';
  import { McpError, ErrorCode } from '@modelcontextprotocol/sdk/types.js';
  import type { DLPIncidentArgs } from '../types/dlp-types.js';

  export async function handleDLPIncidents(
    graphClient: Client,
    args: DLPIncidentArgs
  ): Promise<{ content: { type: string; text: string }[] }> {
    let apiPath = '';
    let result: any;

    switch (args.action) {
      case 'list': {
        // List DLP incidents from security alerts, optionally narrowed by an
        // OData $filter on creation time and severity
        apiPath = '/security/alerts_v2';
        const filterConditions: string[] = [];
        if (args.dateRange) {
          filterConditions.push(
            `createdDateTime ge ${args.dateRange.startDate} and createdDateTime le ${args.dateRange.endDate}`
          );
        }
        if (args.severity) {
          filterConditions.push(`severity eq '${args.severity}'`);
        }
        if (filterConditions.length > 0) {
          apiPath += `?$filter=${filterConditions.join(' and ')}`;
        }
        result = await graphClient.api(apiPath).get();
        break;
      }
      case 'get':
        // Fetch a single alert by its ID
        if (!args.incidentId) {
          throw new McpError(ErrorCode.InvalidParams, 'incidentId is required for get action');
        }
        apiPath = `/security/alerts_v2/${args.incidentId}`;
        result = await graphClient.api(apiPath).get();
        break;
      case 'resolve':
        // Mark the alert resolved as a true positive
        if (!args.incidentId) {
          throw new McpError(ErrorCode.InvalidParams, 'incidentId is required for resolve action');
        }
        apiPath = `/security/alerts_v2/${args.incidentId}`;
        result = await graphClient.api(apiPath).patch({ status: 'resolved', feedback: 'truePositive' });
        break;
      case 'escalate':
        // Raise the alert's severity and classify it as a true positive
        if (!args.incidentId) {
          throw new McpError(ErrorCode.InvalidParams, 'incidentId is required for escalate action');
        }
        apiPath = `/security/alerts_v2/${args.incidentId}`;
        result = await graphClient.api(apiPath).patch({ severity: 'high', classification: 'truePositive' });
        break;
      default:
        throw new McpError(ErrorCode.InvalidParams, `Invalid action: ${args.action}`);
    }

    return { content: [{ type: 'text', text: JSON.stringify(result, null, 2) }] };
  }
  ```
- src/server.ts:701-719 (registration): The MCP server tool registration for 'manage_dlp_incidents'. Registers the handler function handleDLPIncidents with the input schema dlpIncidentSchema and the tool's annotations.

  ```typescript
  // The excerpt begins inside the argument list of the registration call; the
  // call's opening and any preceding arguments fall outside lines 701-719.
    "manage_dlp_incidents",
    "Investigate and manage DLP policy violations and incidents including user notifications and remediation actions.",
    dlpIncidentSchema.shape,
    {"readOnlyHint":false,"destructiveHint":false,"idempotentHint":false},
    wrapToolHandler(async (args: DLPIncidentArgs) => {
      this.validateCredentials();
      try {
        return await handleDLPIncidents(this.getGraphClient(), args);
      } catch (error) {
        // Re-throw MCP errors unchanged; wrap anything else as an internal error
        if (error instanceof McpError) {
          throw error;
        }
        throw new McpError(
          ErrorCode.InternalError,
          `Error executing tool: ${error instanceof Error ? error.message : 'Unknown error'}`
        );
      }
    })
  );
  ```
- src/tool-definitions.ts:242-252 (schema): Zod input schema definition for the manage_dlp_incidents tool, defining the parameters action, incidentId, dateRange, severity, status, and policyId.

  ```typescript
  import { z } from 'zod';

  export const dlpIncidentSchema = z.object({
    action: z.enum(['list', 'get', 'resolve', 'escalate']).describe('DLP incident management action'),
    incidentId: z.string().optional().describe('DLP incident ID'),
    dateRange: z.object({
      startDate: z.string().describe('Start date'),
      endDate: z.string().describe('End date'),
    }).optional().describe('Date range filter'),
    severity: z.enum(['Low', 'Medium', 'High', 'Critical']).optional().describe('Incident severity'),
    status: z.enum(['Active', 'Resolved', 'InProgress', 'Dismissed']).optional().describe('Incident status'),
    policyId: z.string().optional().describe('Associated policy ID'),
  });
  ```
- src/types/dlp-types.ts:43-53 (schema): TypeScript interface DLPIncidentArgs defining the input parameters for the DLP incidents handler, matching the Zod schema.

  ```typescript
  export interface DLPIncidentArgs {
    action: 'list' | 'get' | 'resolve' | 'escalate';
    incidentId?: string;
    dateRange?: {
      startDate: string;
      endDate: string;
    };
    severity?: 'Low' | 'Medium' | 'High' | 'Critical';
    status?: 'Active' | 'Resolved' | 'InProgress' | 'Dismissed';
    policyId?: string;
  }
  ```
- src/tool-metadata.ts:115-118 (helper): Tool metadata providing the enhanced description, title, and annotations (readOnlyHint, destructiveHint, etc.) for the manage_dlp_incidents tool.

  ```typescript
  manage_dlp_incidents: {
    description: "Investigate and manage DLP policy violations and incidents including user notifications and remediation actions.",
    title: "DLP Incident Manager",
    annotations: {
      title: "DLP Incident Manager",
      readOnlyHint: false,
      destructiveHint: false,
      idempotentHint: false,
      openWorldHint: true
    }
  }, // closing brace added for balance; the excerpt (lines 115-118) ends before it
  ```
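The list action above builds its OData `$filter` by interpolating `dateRange.startDate`, `dateRange.endDate`, and `severity` straight into the query string. The Zod schema constrains `severity` to an enum, but the two date fields are validated only as strings. The following is an added example, not code from the project: a hypothetical validating builder for the same filter expression that rejects anything other than ISO 8601 UTC timestamps, refuses an inverted range, keeps a severity allow-list for callers that bypass MCP argument validation, and quotes string literals the OData way. All names in it (`DlpListArgs`, `FilterError`, `buildDlpAlertFilter`, `buildDlpAlertPath`, `odataString`) are assumed, and it goes slightly beyond the handler by exposing the bare filter expression separately from the full path.

```typescript
// Added example, not code from the project: a validating builder for the
// $filter expression that handleDLPIncidents assembles for /security/alerts_v2.
// All names here (DlpListArgs, FilterError, buildDlpAlertFilter,
// buildDlpAlertPath, odataString) are hypothetical.

export type DlpSeverity = 'Low' | 'Medium' | 'High' | 'Critical';

export interface DlpListArgs {
  dateRange?: { startDate: string; endDate: string };
  severity?: DlpSeverity;
}

// Raised for any argument that must not reach the query string.
export class FilterError extends Error {
  constructor(message: string) {
    super(message);
    this.name = 'FilterError';
    Object.setPrototypeOf(this, new.target.prototype);
  }
}

// Allow-list duplicated from the tool's Zod schema so the builder stays safe
// even when called from code that bypasses MCP argument validation.
const SEVERITIES: ReadonlySet<string> = new Set(['Low', 'Medium', 'High', 'Critical']);

// createdDateTime is compared against an unquoted ISO 8601 UTC timestamp, so
// that is the only shape accepted for startDate and endDate.
const ISO_UTC = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,7})?Z$/;

// Returns the timestamp in epoch milliseconds, or throws if it is not ISO 8601 UTC.
function parseIsoUtc(value: string, name: string): number {
  const millis = Date.parse(value);
  if (!ISO_UTC.test(value) || Number.isNaN(millis)) {
    throw new FilterError(`${name} must be an ISO 8601 UTC timestamp, got ${JSON.stringify(value)}`);
  }
  return millis;
}

// OData string literals are single-quoted; an embedded quote is doubled.
export function odataString(value: string): string {
  return `'${value.replace(/'/g, "''")}'`;
}

// Returns the $filter expression, or undefined when there is nothing to filter on.
export function buildDlpAlertFilter(args: DlpListArgs): string | undefined {
  const conditions: string[] = [];

  if (args.dateRange) {
    const start = parseIsoUtc(args.dateRange.startDate, 'startDate');
    const end = parseIsoUtc(args.dateRange.endDate, 'endDate');
    if (start > end) {
      throw new FilterError('startDate must not be after endDate');
    }
    conditions.push(
      `createdDateTime ge ${args.dateRange.startDate} and createdDateTime le ${args.dateRange.endDate}`
    );
  }

  if (args.severity !== undefined) {
    if (!SEVERITIES.has(args.severity)) {
      throw new FilterError(`unsupported severity ${JSON.stringify(args.severity)}`);
    }
    conditions.push(`severity eq ${odataString(args.severity)}`);
  }

  return conditions.length > 0 ? conditions.join(' and ') : undefined;
}

// Same shape as the handler's apiPath: the bare collection when unfiltered,
// otherwise the collection with the validated filter appended.
export function buildDlpAlertPath(args: DlpListArgs): string {
  const filter = buildDlpAlertFilter(args);
  return filter === undefined ? '/security/alerts_v2' : `/security/alerts_v2?$filter=${filter}`;
}
```

Because the expression is available on its own, a caller can also hand it to the Graph JavaScript client's request builder (`graphClient.api('/security/alerts_v2').filter(expr)`) instead of concatenating it onto the path, which leaves query encoding to the client library.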