Edit

Stream data from Microsoft Purview Information Protection to Microsoft Sentinel

  • Article

This article describes how to stream data from Microsoft Purview Information Protection (formerly Microsoft Information Protection or MIP) to Microsoft Sentinel. You can use the data ingested from the Microsoft Purview labeling clients and scanners to track, analyze, report on the data, and use it for compliance purposes.

Important

The Microsoft Purview Information Protection connector is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Overview

Auditing and reporting are an important part of organizations' security and compliance strategy. With the continued expansion of the technology landscape that has an ever-increasing number of systems, endpoints, operations, and regulations, it becomes even more important to have a comprehensive logging and reporting solution in place.

With the Microsoft Purview Information Protection connector, you stream auditing events generated from unified labeling clients and scanners. The data is then emitted to the Microsoft 365 audit log for central reporting in Microsoft Sentinel.

With the connector, you can:

  • Track adoption of labels, explore, query, and detect events.
  • Monitor labeled and protected documents and emails.
  • Monitor user access to labeled documents and emails, while tracking classification changes.
  • Gain visibility into activities performed on labels, policies, configurations, files and documents. This visibility helps security teams identify security breaches, and risk and compliance violations.
  • Use the connector data during an audit, to prove that the organization is compliant.

Azure Information Protection connector vs. Microsoft Purview Information Protection connector

This connector replaces the Azure Information Protection (AIP) data connector. The Azure Information Protection (AIP) data connector uses the AIP audit logs (public preview) feature.

Important

As of March 31, 2023, the AIP analytics and audit logs public preview will be retired, and moving forward will be using the Microsoft 365 auditing solution.

For more information:

When you enable the Microsoft Purview Information Protection connector, audit logs stream into the standardized MicrosoftPurviewInformationProtection table. Data is gathered through the Office Management API, which uses a structured schema. The new standardized schema is adjusted to enhance the deprecated schema used by AIP, with more fields and easier access to parameters.

Review the list of supported audit log record types and activities.

Prerequisites

Before you begin, verify that you have:

Set up the connector

Note

If you set the connector on a workspace located in a different region than your Office 365 location, data might be streamed across regions.

  1. Open the Azure portal and navigate to the Microsoft Sentinel service.

  2. In the Data connectors blade, in the search bar, type Purview.

  3. Select the Microsoft Purview Information Protection (Preview) connector.

  4. Below the connector description, select Open connector page.

  5. Under Configuration, select Connect.

    When a connection is established, the Connect button changes to Disconnect. You're now connected to the Microsoft Purview Information Protection.

Review the list of supported audit log record types and activities.

Disconnect the Azure Information Protection connector

We recommend using the Azure Information Protection connector and the Microsoft Purview Information Protection connector simultaneously (both enabled) for a short testing period. After the testing period, we recommend that you disconnect the Azure Information Protection connector to avoid data duplication and redundant costs.

To disconnect the Azure Information Protection connector:

  1. In the Data connectors blade, in the search bar, type Azure Information Protection.
  2. Select Azure Information Protection.
  3. Below the connector description, select Open connector page.
  4. Under Configuration, select Connect Azure Information Protection logs.
  5. Clear the selection for the workspace from which you want to disconnect the connector, and select OK.

Known issues and limitations

  • Sensitivity label events collected through the Office Management API do not populate the Label Names. Customers can use watchlists or enrichments defined in KQL as the example below.

  • The Office Management API doesn't obtain a Downgrade Label with the names of the labels before and after the downgrade. To retrieve this information, extract the labelId of each label and enrich the results.

    Here's an example KQL query:

    let labelsMap = parse_json('{'
 '"566a334c-ea55-4a20-a1f2-cef81bfaxxxx": "MyLabel1",'
 '"aa1c4270-0694-4fe6-b220-8c7904b0xxxx": "MyLabel2",'
 '"MySensitivityLabelId": "MyLabel3"'
 '}');
 MicrosoftPurviewInformationProtection
 | extend SensitivityLabelName = iif(isnotempty(SensitivityLabelId), 
tostring(labelsMap[tostring(SensitivityLabelId)]), "")
 | extend OldSensitivityLabelName = iif(isnotempty(OldSensitivityLabelId), 
tostring(labelsMap[tostring(OldSensitivityLabelId)]), "")

  • The MicrosoftPurviewInformationProtection table and the OfficeActivity table might include some duplicated events.

Next steps

In this article, you learned how to set up the Microsoft Purview Information Protection connector to track, analyze, report on the data, and use it for compliance purposes. To learn more about Microsoft Sentinel, see the following articles: