ShimKwan-8714 asked ShimKwan-8714 edited

Retirement announcement for AIP Audit Logs pipeline forwarding audit logs to Azure Log Analytics

Hi,

As per recent announcement, "As of March 18, 2022, Microsoft is sunsetting the AIP audit log and analytics" https://docs.microsoft.com/en-us/azure/information-protection/audit-logs.

Please excuse my ignorance here, but should we therefore be able to see all locations in the Compliance Portal now, under Content Explorer/All Locations - as to this day we are still not seeing any of our on-premises file server locations (where most of our data resides, and the AIP Scanner has been active).

As can be seen from the screenshot below, only certain Cloud locations are showing in this console. (Exchange, OneDrive, SharePoint, Teams)

Where are all our on-premises AIP data statistics then? Or do we have to go back to the AIP Azure Portal again?

Thank you,

SK

190805-dataclass.png





Givary-MSFT answered Givary-MSFT edited

@ShimKwan-8714

Thank you for reaching out to us. As I understand, you are looking for more information on "Retirement announcement for AIP Audit Logs" and where audit logs are visible.

Apart from Content explorer, you can view the labelling activities in Activity explorer. Activity explorer gathers activity information from the audit logs on multiple sources of activities.

The following activity types for AIP scanner & AIP clients are seen in Activity explorer:
- Protection applied
- Protection changed
- Protection removed
- Files discovered

For more information refer to this article about the labelling activities available in activity explorer
https://docs.microsoft.com/en-us/microsoft-365/compliance/data-classification-activity-explorer-available-events?view=o365-worldwide#:~:text=Labeling%20activities%20that%20are%20available%20in%20Activity%20explorer

Also, I see your query related to storing AIP audit logs in a Log Analytics workspace.

Starting from March 18, 2022, onboarding new Log Analytics workspaces for storing AIP audit logs is not supported. For customers already using Azure Information Protection analytics, the existent data pipeline will be kept available until September 30, 2022. After this date, customers will not get any new AIP data through this pipeline into their Log Analytics workspaces.

https://techcommunity.microsoft.com/t5/security-compliance-and-identity/microsoft-365-compliance-audit-log-activities-via-o365/ba-p/2957171
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/microsoft-365-compliance-audit-log-activities-via-o365/ba-p/2957297

Azure Information Protection (AIP) analytics for central reporting - https://docs.microsoft.com/en-us/azure/information-protection/reports-aip

Information about new releases and updates - Azure information protection
https://docs.microsoft.com/en-us/azure/information-protection/information-support#:~:text=the%20terminology%20page.-,Information%20about%20new%20releases%20and%20updates,-For%20information%20about

Let me know if you have any questions.

Please remember to "Accept Answer" if answer/reply helped, so that others in the community facing similar issues can easily find the solution.






ShimKwan-8714 answered ShimKwan-8714 edited

Hi @GirishVaryani

Thanks for those links and explanations...however, I am still unable to see any on-premises details in these logs, Content Explorer still only shows Cloud locations:
I am assuming with things moving as MS and you have mentioned, we should be able to see on-premises information in Content Explorer too?

197497-contentexplorer.png


Starting from March 18, 2022, onboarding new Log Analytics workspaces for storing AIP audit logs is not supported - so how will we now import AIP data into Sentinel?
197528-aip-sentinel.png



Thank you



Givary-MSFT answered

@ShimKwan-8714

Apologies, I missed the complete screenshot. You can view the labelling activities in Activity explorer. Activity explorer gathers activity information from the audit logs on multiple sources of activities.

The following activity types for AIP scanner & AIP clients are seen in Activity explorer:
- Protection applied
- Protection changed
- Protection removed
- Files discovered

For more information refer to this article about the labelling activities available in activity explorer
https://docs.microsoft.com/en-us/microsoft-365/compliance/data-classification-activity-explorer-available-events?view=o365-worldwide#:~:text=Labeling%20activities%20that%20are%20available%20in%20Activity%20explorer

197784-image.png

Let me know if you have any further questions.




ShimKwan-8714 answered ShimKwan-8714 edited

Thank you for your reply @GirishVaryani - happy to use Activity Explorer.

What about the other part of the question:

"Starting from March 18, 2022, onboarding new Log Analytics workspaces for storing AIP audit logs is not supported - so how will we now import AIP data into Sentinel?"

Thank you


@ShimKwan-8714

Apologies for the delayed response. As you are aware, ingesting AIP audit logs to LAW is retired.

While MIP connector is in development and AIP Log Analytics (new configuration) is deprecated.

You can refer to this https://techcommunity.microsoft.com/t5/security-compliance-and-identity/microsoft-365-compliance-audit-log-activities-via-o365/ba-p/2957297 on exporting the data to Sentinel.

Till the time we get a proper connector for MIP to Sentinel.

There is a custom solution to have AIP/MIP logs into Sentinel:
https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/O365%20Data

Refer to this link for updates/roadmap for AIP/MIP: https://www.microsoft.com/en-in/microsoft-365/roadmap?=&filters=In%20development&searchterms=microsoft%2Cinformation%2Cprotection

Please remember to Accept Answer if answer helped, so that others in the community facing similar issues can easily find the solution.

