Step 1 - Understand the scenario
The security manager is receiving an email every time a Data Loss Prevention (DLP) policy match occurs.
The requirement is to reduce the number of unnecessary alerts and only notify for meaningful or actionable violations.
Step 2 - Analyze each option
A). From the Microsoft Defender portal, apply a filter to the alerts.
This action would only filter what is displayed in the portal. It does not prevent the security manager from receiving email notifications each time a DLP match occurs. This does not solve the problem.
B). From the Microsoft Purview portal, modify the Policy Tips settings of a DLP policy.
Policy Tips are intended for end users inside Outlook, Word, Excel, or PowerPoint to guide them about sensitive information before they send or share content. They do not change how or when admin alert notifications are triggered.
C). From the Microsoft Purview portal, modify the matched activities threshold of an alert policy.
DLP alert policies allow configuration of thresholds such as the number of matches, severity levels, and repeated activity counts. By adjusting the matched activities threshold, alerts can be generated only when a violation reaches a significant level, which reduces unnecessary alerts and ensures that notifications are sent only for actionable events. This matches the requirement.
D). From the Microsoft Purview portal, modify the User overrides settings of a DLP policy.
User override settings allow end users to bypass a DLP restriction if they provide a justification, but this does not impact the number of alert notifications sent to the security manager.
Step 3 - Microsoft Reference
According to Microsoft documentation: "You can configure alert policies with thresholds to reduce the number of alert notifications and focus only on actionable DLP events." Reference: DLP alert management in Microsoft Purview