Azure Information Protection
An Azure service that is used to control and help secure email, documents, and sensitive data that are shared outside the company.
397 questions
Is content stored in Activity Explorer (Compliance Portal) in Log Analytics?
Shim Kwan
261
Reputation points
Hi,
Is content stored in Activity Explorer (Compliance Portal) in Log Analytics?
Because when I look at the above content, find a specific user and then try find it in the AIP Workspace, it is NOT there:
User is in the Activity Explorer report, with an activity on June 21.
User is not in the AIP Logs (looking 7 days back) - its June 23 today.
Please could someone clarify.
Thank you,
SK
{count} votes
-
Givary-MSFT 11,836 Reputation points Microsoft Employee
2022-06-23T07:33:06.597+00:00 Thank you for reaching out to us. In order to answer this query, would like to understand how did you onboard the Activity explorer logs to log analytics workspace ?
Are you seeing any data in InformationProtectionLogs_CL ( as per workspace usage report - workbook ) ?
Also wanted to check apart from the query you ran, did you try other queries ? Does it give results from InformationProtectionLogs_CL table ?
Let me know if you have any further questions, happy to help.
-
Shim Kwan 261 Reputation points
2022-06-26T23:24:53.64+00:00 Hi @Givary-MSFT
Not sure I understand your question "would like to understand how did you onboard the Activity explorer logs to log analytics workspace"
We simply went to the URL https://compliance/microsoft.com and the Data Classification / Activity Explorer item was there - we did not "onboard" anything extra, it was already there.
We just assumed that the AIP Activity Logs (Azure Portal) would have the same information as the Compliance Portal / Data Classification / Activity Explorer report - is that not the case?
Question: should we see the same data in AIP Activity Logs (Azure Portal) and Compliance Portal / Data Classification / Activity Explorer?
Thank you,
SK -
Shim Kwan 261 Reputation points
2022-06-27T03:56:14.17+00:00 to answer you other questions @Givary-MSFT :
- yes, the AIP Usage Report is showing data (but only until 21 June 2022, where it just suddenly stopped recording any more new records - have a separate question for this on these forums).
- Yes, we ran other queries - which do return data, but only until 21 June 2022 (as per above statement)
So there are 2 questions out of this now:
- why did AIP Activity Logs suddenly stop recording any new data (last entry 21 June 2022)
- should we see the same data in AIP Activity Logs (Azure Portal) and the Compliance Portal / Data Classification / Activity Explorer?
-
Givary-MSFT 11,836 Reputation points Microsoft Employee
2022-06-27T08:09:58.517+00:00 Reason I asked this question "would like to understand how did you onboard the Activity explorer logs to log analytics workspace" - In your question, you were referring to reviewing the AIP logs from Azure portal and comparing the same with Activity Explorer, also you running the KQL query to fetch data from InformationProtectionLogs_CL, you can see this table in log analytics workspace (LAW) only if you have onboarded the AIP events to LAW. From the above mentioned comments/replies, I understood you didnt ingest any AIP data to LAW, you are viewing this data from Activity Explorer only.
To answer this why did AIP Activity Logs suddenly stop recording any new data (last entry 21 June 2022) - I need information like tenant id/azure subscription id to check with my team internally on this, however it should not be of a concern why AIP logs in Azure portal shows different data than Activity Explorer, As you are aware we have retired the Azure Information Protection classic client and labeling management pages in the Azure portal as of March 31, 2022. we highly recommend that you use the Microsoft 365 compliance center's activity explorer for comprehensive logging. Activity explorer allows you to monitor what's being done with your labeled content.
-
Shim Kwan 261 Reputation points
2022-06-27T10:23:18.533+00:00 Hi @Givary-MSFT ,
Thank you - it could very well be that I'm not understanding something.
Let me try clarify some more.Based on my understanding, we are storing AIP and Sentinel data in the same LAW, and when I run this default query (which i'm sure you have seen before), it returns AIP results (pls see screenshot). (Cant insert the full query here as it exceeds the post 1600 char limit).
We have never used the Classic AIP client, we deployed AIP after 31 March 2022, and are 100% using the Unified Labeling AIP client.
Since AIP data appeared to be logging to both the AIP LAW (and visible in Azure AIP Portal) and the Microsoft 365 compliance center's activity explorer, I asked the question - should both locations be showing the same AIP logging information - are you able to answer this now? (hope my question makes sense now).
Also, what is Microsoft 365 compliance center's activity explorer - is that another Log Analytics Workspace?
Regarding the AIP logs suddenly stopping - should we even care about this at all? As I assume this is being deprecated in the near future.
If yes, I will log in internal Premier Call with MS.Look forward to hearing from you.
Thanks,
SK -
Givary-MSFT 11,836 Reputation points Microsoft Employee
2022-06-28T07:13:47.527+00:00 Thank you for detailed explanation on your query,
Since AIP data appeared to be logging to both the AIP LAW (and visible in Azure AIP Portal) and the Microsoft 365 compliance center's activity explorer, I asked the question - should both locations be showing the same AIP logging information -- No, AIP Activity logs ( preview ) and Activity Explorer will show different data, if you review the below articles, you will see more labelling actions are reported in Activity Explorer than AIP Activity logs, Also, As of March 1, 2022, we have sunset the AIP audit log and analytics, with a full retirement date of September 31, 2022.
https://learn.microsoft.com/en-us/previous-versions/azure/information-protection/audit-logs - AIP Activity logs (Preview)
https://learn.microsoft.com/en-us/microsoft-365/compliance/data-classification-activity-explorer-available-events?view=o365-worldwide - Activity Explorerwhat is Microsoft 365 compliance center's activity explorer - is that another Log Analytics Workspace? - No, its not a Log analytics workspace, it is just a portal, provides a historical view of activities on your labeled content. The activity information is collected from the Microsoft 365 unified audit logs, transformed, and made available in the Activity explorer UI. Activity explorer reports on up to 30 days worth of data.
-
Givary-MSFT 11,836 Reputation points Microsoft Employee
2022-06-28T07:14:41.517+00:00 Continuation to above comment/post:
Regarding the AIP logs suddenly stopping - should we even care about this at all? - Unless you are using data coming from AIP Activity logs (preview) in any of your queries/workbooks, you should not be bothered, as these logs are in maintenance mode and will be retried on 31st Sept 2022.
Hope this clarifies, let me know if you have any further questions, happy to have a call to discuss the same.
-
Shim Kwan 261 Reputation points
2022-06-28T22:22:02.827+00:00 Hi @Givary-MSFT
You have been MOST helpful, thank you !!
Since Microsoft 365 compliance center's activity explorer is not in Log Analytics, but rather a Portal, I have a few follow up questions:
- you mention data is only kept for 30 days - is there a way to extend this? how would one meet a legal obligation to keep data for 5 years, for example?
- Log analytics charges for log ingestion - so are there any $ charges with this Activity Explorer, or is all AIP data now free?
- a more technical question - how does AIP data from a desktop client running AIP UL client land up in the Activity Explorer Portal? is it via some HTTPS connection to a Graph API?
Thank you again!!
SK
Sign in to comment