How to collect Windows Information Protection (WIP) audit event logs

Applies to:

• Windows 10, version 1607 and later

Windows Information Protection (WIP) creates audit events in the following situations:

• If an employee changes the File ownership for a file from Work to Personal.

• If data is marked as Work, but shared to a personal app or webpage. For example, through copying and pasting, dragging and dropping, sharing a contact, uploading to a personal webpage, or if the user grants a personal app provides temporary access to a work file.

• If an app has custom audit events.

Collect WIP audit logs by using the Reporting configuration service provider (CSP)

Collect the WIP audit logs from your employee's devices by following the guidance provided by the Reporting configuration service provider (CSP) documentation. This topic provides info about the actual audit events.

Note

The Data element in the response includes the requested audit logs in an XML-encoded format.

User element and attributes

This table includes all available attributes for the User element.

Attribute	Value type	Description
UserID	String	The security identifier (SID) of the user corresponding to this audit report.
EnterpriseID	String	The enterprise ID corresponding to this audit report.

Log element and attributes

This table includes all available attributes/elements for the Log element. The response can contain zero (0) or more Log elements.

Attribute/Element	Value type	Description
ProviderType	String	This is always EDPAudit.
LogType	String	Includes: DataCopied. Work data is copied or shared to a personal location. ProtectionRemoved. Windows Information Protection is removed from a Work-defined file. ApplicationGenerated. A custom audit log provided by an app.
TimeStamp	Int	Uses the FILETIME structure to represent the time that the event happened.
Policy	String	How the work data was shared to the personal location: CopyPaste. Work data was pasted into a personal location or app. ProtectionRemoved. Work data was changed to be unprotected. DragDrop. Work data was dropped into a personal location or app. Share. Work data was shared with a personal location or app. NULL. Any other way work data could be made personal beyond the options above. For example, when a work file is opened using a personal application (also known as, temporary access).
Justification	String	Not implemented. This will always be either blank or NULL. Note Reserved for future use to collect the user justification for changing from Work to Personal.
Object	String	A description of the shared work data. For example, if an employee opens a work file by using a personal app, this would be the file path.
DataInfo	String	Any additional info about how the work file changed: A file path. If an employee uploads a work file to a personal website by using Microsoft Edge or Internet Explorer, the file path is included here. Clipboard data types. If an employee pastes work data into a personal app, the list of clipboard data types provided by the work app are included here. For more info, see the Examples section of this topic.
Action	Int	Provides info about what happened when the work data was shared to personal, including: 1. File decrypt. 2. Copy to location. 3. Send to recipient. 4. Other.
FilePath	String	The file path to the file specified in the audit event. For example, the location of a file that's been decrypted by an employee or uploaded to a personal website.
SourceApplicationName	String	The source app or website. For the source app, this is the AppLocker identity. For the source website, this is the hostname.
SourceName	String	A string provided by the app that's logging the event. It's intended to describe the source of the work data.
DestinationEnterpriseID	String	The enterprise ID value for the app or website where the employee is sharing the data. NULL, Personal, or blank means there's no enterprise ID because the work data was shared to a personal location. Because we don't currently support multiple enrollments, you'll always see one of these values.
DestinationApplicationName	String	The destination app or website. For the destination app, this is the AppLocker identity. For the destination website, this is the hostname.
DestinationName	String	A string provided by the app that's logging the event. It's intended to describe the destination of the work data.
Application	String	The AppLocker identity for the app where the audit event happened.

Examples

Here are a few examples of responses from the Reporting CSP.

File ownership on a file is changed from work to personal

<SyncML><SyncHdr/><SyncBody><Status><CmdID>1</CmdID><MsgRef>1</MsgRef><CmdRef>0</CmdRef><Cmd>SyncHdr</Cmd><Data>200</Data></Status><Status><CmdID>2</CmdID><MsgRef>1</MsgRef><CmdRef>2</CmdRef><Cmd>Replace</Cmd><Data>200</Data></Status><Status><CmdID>3</CmdID><MsgRef>1</MsgRef><CmdRef>4</CmdRef><Cmd>Get</Cmd><Data>200</Data></Status><Results><CmdID>4</CmdID><MsgRef>1</MsgRef><CmdRef>4</CmdRef><Item><Source><LocURI>./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logs</LocURI></Source><Meta><Format xmlns="syncml:metinf">xml</Format></Meta><Data><?xml version="1.0" encoding="utf-8"?>
<Reporting Version="com.contoso/2.0/MDM/Reporting">
  <User UserID="S-1-12-1-1111111111-1111111111-1111111111-1111111111" EnterpriseID="corp.contoso.com">
    <Log ProviderType="EDPAudit" LogType="ProtectionRemoved" TimeStamp="131357166318347527">
      <Policy>Protection removed</Policy>
      <Justification>NULL</Justification>
      <FilePath>C:\Users\TestUser\Desktop\tmp\demo\Work document.docx</FilePath>
    </Log>
  </User>
</Reporting></Data></Item></Results><Final/></SyncBody></SyncML>

A work file is uploaded to a personal webpage in Edge

<SyncML><SyncHdr/><SyncBody><Status><CmdID>1</CmdID><MsgRef>1</MsgRef><CmdRef>0</CmdRef><Cmd>SyncHdr</Cmd><Data>200</Data></Status><Status><CmdID>2</CmdID><MsgRef>1</MsgRef><CmdRef>2</CmdRef><Cmd>Replace</Cmd><Data>200</Data></Status><Status><CmdID>3</CmdID><MsgRef>1</MsgRef><CmdRef>4</CmdRef><Cmd>Get</Cmd><Data>200</Data></Status><Results><CmdID>4</CmdID><MsgRef>1</MsgRef><CmdRef>4</CmdRef><Item><Source><LocURI>./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logs</LocURI></Source><Meta><Format xmlns="syncml:metinf">xml</Format></Meta><Data><?xml version="1.0" encoding="utf-8"?>
<Reporting Version="com.contoso/2.0/MDM/Reporting">
  <User UserID="S-1-12-1-1111111111-1111111111-1111111111-1111111111" EnterpriseID="corp.contoso.com">
    <Log ProviderType="EDPAudit" LogType="DataCopied" TimeStamp="131357192409318534">
      <Policy>CopyPaste</Policy>
      <Justification>NULL</Justification>
      <SourceApplicationName>NULL</SourceApplicationName>
      <DestinationEnterpriseID>NULL</DestinationEnterpriseID>
      <DestinationApplicationName>mail.contoso.com</DestinationApplicationName>
      <DataInfo>C:\Users\TestUser\Desktop\tmp\demo\Work document.docx</DataInfo>
    </Log>
  </User>
</Reporting></Data></Item></Results><Final/></SyncBody></SyncML>

Work data is pasted into a personal webpage

<SyncML><SyncHdr/><SyncBody><Status><CmdID>1</CmdID><MsgRef>1</MsgRef><CmdRef>0</CmdRef><Cmd>SyncHdr</Cmd><Data>200</Data></Status><Status><CmdID>2</CmdID><MsgRef>1</MsgRef><CmdRef>2</CmdRef><Cmd>Replace</Cmd><Data>200</Data></Status><Status><CmdID>3</CmdID><MsgRef>1</MsgRef><CmdRef>4</CmdRef><Cmd>Get</Cmd><Data>200</Data></Status><Results><CmdID>4</CmdID><MsgRef>1</MsgRef><CmdRef>4</CmdRef><Item><Source><LocURI>./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logs</LocURI></Source><Meta><Format xmlns="syncml:metinf">xml</Format></Meta><Data><?xml version="1.0" encoding="utf-8"?>
<Reporting Version="com.contoso/2.0/MDM/Reporting">
  <User UserID="S-1-12-1-1111111111-1111111111-1111111111-1111111111" EnterpriseID="corp.contoso.com">
    <Log ProviderType="EDPAudit" LogType="DataCopied" TimeStamp="131357193734179782">
      <Policy>CopyPaste</Policy>
      <Justification>NULL</Justification>
      <SourceApplicationName>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT OFFICE 2016\WINWORD.EXE\16.0.8027.1000</SourceApplicationName>
      <DestinationEnterpriseID>NULL</DestinationEnterpriseID>
      <DestinationApplicationName>mail.contoso.com</DestinationApplicationName>
      <DataInfo>EnterpriseDataProtectionId|Object Descriptor|Rich Text Format|HTML Format|AnsiText|Text|EnhancedMetafile|Embed Source|Link Source|Link Source Descriptor|ObjectLink|Hyperlink</DataInfo>
    </Log>
  </User>
</Reporting></Data></Item></Results><Final/></SyncBody></SyncML>

A work file is opened with a personal application

<SyncML><SyncHdr/><SyncBody><Status><CmdID>1</CmdID><MsgRef>1</MsgRef><CmdRef>0</CmdRef><Cmd>SyncHdr</Cmd><Data>200</Data></Status><Status><CmdID>2</CmdID><MsgRef>1</MsgRef><CmdRef>2</CmdRef><Cmd>Replace</Cmd><Data>200</Data></Status><Status><CmdID>3</CmdID><MsgRef>1</MsgRef><CmdRef>4</CmdRef><Cmd>Get</Cmd><Data>200</Data></Status><Results><CmdID>4</CmdID><MsgRef>1</MsgRef><CmdRef>4</CmdRef><Item><Source><LocURI>./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logs</LocURI></Source><Meta><Format xmlns="syncml:metinf">xml</Format></Meta><Data><?xml version="1.0" encoding="utf-8"?>
<Reporting Version="com.contoso/2.0/MDM/Reporting">
  <User UserID="S-1-12-1-1111111111-1111111111-1111111111-1111111111" EnterpriseID="corp.contoso.com">
    <Log ProviderType="EDPAudit" LogType="ApplicationGenerated" TimeStamp="131357194991209469">
      <Policy>NULL</Policy>
      <Justification></Justification>
      <Object>C:\Users\TestUser\Desktop\tmp\demo\Work document.docx</Object>
      <Action>1</Action>
      <SourceName>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT&reg; WINDOWS&reg; OPERATING SYSTEM\WORDPAD.EXE\10.0.15063.2</SourceName>
      <DestinationEnterpriseID>Personal</DestinationEnterpriseID>
      <DestinationName>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT&reg; WINDOWS&reg; OPERATING SYSTEM\WORDPAD.EXE\10.0.15063.2</DestinationName>
      <Application>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT&reg; WINDOWS&reg; OPERATING SYSTEM\WORDPAD.EXE\10.0.15063.2</Application>
    </Log>
  </User>
</Reporting></Data></Item></Results><Final/></SyncBody></SyncML>

Work data is pasted into a personal application

<SyncML><SyncHdr/><SyncBody><Status><CmdID>1</CmdID><MsgRef>1</MsgRef><CmdRef>0</CmdRef><Cmd>SyncHdr</Cmd><Data>200</Data></Status><Status><CmdID>2</CmdID><MsgRef>1</MsgRef><CmdRef>2</CmdRef><Cmd>Replace</Cmd><Data>200</Data></Status><Status><CmdID>3</CmdID><MsgRef>1</MsgRef><CmdRef>4</CmdRef><Cmd>Get</Cmd><Data>200</Data></Status><Results><CmdID>4</CmdID><MsgRef>1</MsgRef><CmdRef>4</CmdRef><Item><Source><LocURI>./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logs</LocURI></Source><Meta><Format xmlns="syncml:metinf">xml</Format></Meta><Data><?xml version="1.0" encoding="utf-8"?>
<Reporting Version="com.contoso/2.0/MDM/Reporting">
  <User UserID="S-1-12-1-1111111111-1111111111-1111111111-1111111111" EnterpriseID="corp.contoso.com">
    <Log ProviderType="EDPAudit" LogType="DataCopied" TimeStamp="131357196076537270">
      <Policy>CopyPaste</Policy>
      <Justification>NULL</Justification>
      <SourceApplicationName>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT OFFICE 2016\WINWORD.EXE\16.0.8027.1000</SourceApplicationName>
      <DestinationEnterpriseID>NULL</DestinationEnterpriseID>
      <DestinationApplicationName></DestinationApplicationName>
      <DataInfo>EnterpriseDataProtectionId|Object Descriptor|Rich Text Format|HTML Format|AnsiText|Text|EnhancedMetafile|Embed Source|Link Source|Link Source Descriptor|ObjectLink|Hyperlink</DataInfo>
    </Log>
  </User>
</Reporting></Data></Item></Results><Final/></SyncBody></SyncML>

Collect WIP audit logs by using Windows Event Forwarding (for Windows desktop domain-joined devices only)

Use Windows Event Forwarding to collect and aggregate your Windows Information Protection audit events. You can view your audit events in the Event Viewer.

To view the WIP events in the Event Viewer

1. Open Event Viewer.

2. In the console tree under Application and Services Logs\Microsoft\Windows, click EDP-Audit-Regular and EDP-Audit-TCB.

Collect WIP audit logs using Azure Monitor

You can collect audit logs using Azure Monitor. See Windows event log data sources in Azure Monitor.

To view the WIP events in Azure Monitor

1. Use an existing or create a new Log Analytics workspace.

2. In Log Analytics > Advanced Settings, select Data. In Windows Event Logs, add logs to receive:

   Microsoft-Windows-EDP-Application-Learning/Admin
   Microsoft-Windows-EDP-Audit-TCB/Admin
   

   Note

   If using Windows Events Logs, the event log names can be found under Properties of the event in the Events folder (Application and Services Logs\Microsoft\Windows, click EDP-Audit-Regular and EDP-Audit-TCB).

3. Download Microsoft Monitoring Agent.

4. To get MSI for Intune installation as stated in the Azure Monitor article, extract: MMASetup-.exe /c /t:

   Install Microsoft Monitoring Agent to WIP devices using Workspace ID and Primary key. More information on Workspace ID and Primary key can be found in Log Analytics > Advanced Settings.

5. To deploy MSI via Intune, in installation parameters add: /q /norestart NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 OPINSIGHTS_WORKSPACE_ID=<WORKSPACE_ID> OPINSIGHTS_WORKSPACE_KEY=<WORKSPACE_KEY> AcceptEndUserLicenseAgreement=1

   Note

   Replace <WORKSPACE_ID> & <WORKSPACE_KEY> received from step 5. In installation parameters, don't place <WORKSPACE_ID> & <WORKSPACE_KEY> in quotes ("" or '').

6. After the agent is deployed, data will be received within approximately 10 minutes.

7. To search for logs, go to Log Analytics workspace > Logs, and type Event in search.

   Example

   Event | where EventLog == "Microsoft-Windows-EDP-Audit-TCB/Admin"
   

Additional resources

• How to deploy app via Intune
• How to create Log workspace
• How to use Microsoft Monitoring Agents for Windows