Stream data from Microsoft Purview Information Protection to Microsoft Sentinel
This article describes how to stream data from Microsoft Purview Information Protection (formerly Microsoft Information Protection or MIP) to Microsoft Sentinel. You can use the data ingested from the Microsoft Purview labeling clients and scanners to track, analyze, report on the data, and use it for compliance purposes.
Important
The Microsoft Purview Information Protection connector is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Overview
Auditing and reporting are an important part of organizations' security and compliance strategy. With the continued expansion of the technology landscape that has an ever-increasing number of systems, endpoints, operations, and regulations, it becomes even more important to have a comprehensive logging and reporting solution in place.
With the Microsoft Purview Information Protection connector, you stream auditing events generated from unified labeling clients and scanners. The data is then emitted to the Microsoft 365 audit log for central reporting in Microsoft Sentinel.
With the connector, you can:
- Track adoption of labels, explore, query, and detect events.
- Monitor labeled and protected documents and emails.
- Monitor user access to labeled documents and emails, while tracking classification changes.
- Gain visibility into activities performed on labels, policies, configurations, files and documents. This visibility helps security teams identify security breaches, and risk and compliance violations.
- Use the connector data during an audit, to prove that the organization is compliant.
Azure Information Protection connector vs. Microsoft Purview Information Protection connector
This connector replaces the Azure Information Protection (AIP) data connector. The Azure Information Protection (AIP) data connector uses the AIP audit logs (public preview) feature.
Important
As of March 31, 2023, the AIP analytics and audit logs public preview is retired, and the Microsoft 365 auditing solution is used moving forward.
For more information:
- See Removed and retired services.
- Learn how to disconnect the AIP connector.
When you enable the Microsoft Purview Information Protection connector, audit logs stream into the standardized MicrosoftPurviewInformationProtection table. Data is gathered through the Office Management API, which uses a structured schema. The new standardized schema extends the deprecated schema used by AIP with more fields and easier access to parameters.
Review the list of supported audit log record types and activities.
Prerequisites
Before you begin, verify that you have:
- The Microsoft Sentinel solution enabled.
- A defined Microsoft Sentinel workspace.
- A valid license to M365 E3, M365 A3, Microsoft Business Basic or any other Audit eligible license. Read more about auditing solutions in Microsoft Purview.
- Sensitivity labels for Office enabled, and auditing enabled.
- The Security Administrator role on the tenant, or the equivalent permissions.
Set up the connector
Note
If you set the connector on a workspace located in a different region than your Office 365 location, data might be streamed across regions.
- Open the Azure portal and navigate to the Microsoft Sentinel service.
- In the Data connectors blade, in the search bar, type Purview.
- Select the Microsoft Purview Information Protection (Preview) connector.
- Below the connector description, select Open connector page.
- Under Configuration, select Connect.
- When a connection is established, the Connect button changes to Disconnect. You're now connected to Microsoft Purview Information Protection.
Review the list of supported audit log record types and activities.
Disconnect the Azure Information Protection connector
We recommend using the Azure Information Protection connector and the Microsoft Purview Information Protection connector simultaneously (both enabled) for a short testing period. After the testing period, we recommend that you disconnect the Azure Information Protection connector to avoid data duplication and redundant costs.
To disconnect the Azure Information Protection connector:
- In the Data connectors blade, in the search bar, type Azure Information Protection.
- Select Azure Information Protection.
- Below the connector description, select Open connector page.
- Under Configuration, select Connect Azure Information Protection logs.
- Clear the selection for the workspace from which you want to disconnect the connector, and select OK.
Known issues and limitations
Sensitivity label events collected through the Office Management API don't populate the label names. You can resolve the names yourself with a watchlist, or with an enrichment defined in KQL such as the example below.
The Office Management API also doesn't return the names of the labels before and after a Downgrade Label event. To retrieve this information, extract the labelId of each label and enrich the results. Here's an example KQL query:
```kusto
// Map of label GUIDs to display names (adjacent string literals are concatenated by KQL)
let labelsMap = parse_json('{'
    '"566a334c-ea55-4a20-a1f2-cef81bfaxxxx": "MyLabel1",'
    '"aa1c4270-0694-4fe6-b220-8c7904b0xxxx": "MyLabel2",'
    '"MySensitivityLabelId": "MyLabel3"'
    '}');
MicrosoftPurviewInformationProtection
// Resolve the current label GUID to its name; empty when the ID is missing or unknown
| extend SensitivityLabelName = iif(isnotempty(SensitivityLabelId), tostring(labelsMap[tostring(SensitivityLabelId)]), "")
// Resolve the previous label GUID (populated on label changes such as downgrades)
| extend OldSensitivityLabelName = iif(isnotempty(OldSensitivityLabelId), tostring(labelsMap[tostring(OldSensitivityLabelId)]), "")
```
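The inline map above has to be edited every time a label is added or renamed. The watchlist approach mentioned earlier keeps the mapping outside the query, so analysts can maintain it without touching saved queries or analytics rules. The following KQL is an added example, not part of the original article or of the connector itself; it assumes a Sentinel watchlist named SensitivityLabels with columns LabelId and LabelName that you have populated with your tenant's label GUIDs, and it assumes the Operation, UserId and ObjectId columns are present in the MicrosoftPurviewInformationProtection table alongside SensitivityLabelId and OldSensitivityLabelId.

```kusto
// Added example (not from the original article). Assumed: a watchlist
// "SensitivityLabels" with columns LabelId (GUID) and LabelName.
let labels = _GetWatchlist('SensitivityLabels')
    | project LabelId = tostring(LabelId), LabelName = tostring(LabelName);
MicrosoftPurviewInformationProtection
| where TimeGenerated > ago(7d)
| where isnotempty(SensitivityLabelId) or isnotempty(OldSensitivityLabelId)
// Resolve the current label GUID; leftouter keeps events whose GUID is not in the watchlist
| lookup kind=leftouter (
      labels | project SensitivityLabelId = LabelId, SensitivityLabelName = LabelName
  ) on SensitivityLabelId
// Resolve the previous label GUID the same way
| lookup kind=leftouter (
      labels | project OldSensitivityLabelId = LabelId, OldSensitivityLabelName = LabelName
  ) on OldSensitivityLabelId
// Flag events where the label actually changed so downgrades stand out in the results
| extend LabelChanged = isnotempty(OldSensitivityLabelId) and OldSensitivityLabelId != SensitivityLabelId
// Surface GUIDs that the watchlist does not yet know about, so the mapping can be kept complete
| extend UnmappedLabel = isnotempty(SensitivityLabelId) and isempty(SensitivityLabelName)
| project TimeGenerated, Operation, UserId, ObjectId,
          OldSensitivityLabelName, SensitivityLabelName, LabelChanged, UnmappedLabel
| order by TimeGenerated desc
```

The UnmappedLabel column is the maintenance check: filtering on it after a label rollout shows which GUIDs still need a watchlist entry, which is easy to miss when names silently come back empty as they do with the inline map.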
The MicrosoftPurviewInformationProtection table and the OfficeActivity table might include some duplicated events.
Next steps
In this article, you learned how to set up the Microsoft Purview Information Protection connector to track, analyze, report on the data, and use it for compliance purposes. To learn more about Microsoft Sentinel, see the following articles:
- Learn how to get visibility into your data, and potential threats.
- Get started detecting threats with Microsoft Sentinel.
- Use workbooks to monitor your data.