Merge pull request #222722 from limwainstein/aip-mip-connector

PMEds28 · web-flow · commit 2fae1e9b33b0 · 2023-01-09T10:52:36.000Z
New Microsoft Purview connector
diff --git a/articles/sentinel/TOC.yml b/articles/sentinel/TOC.yml
@@ -266,6 +266,8 @@
         href: connect-dns-ama.md
       - name: Syslog (raw) sources
         href: connect-syslog.md
+      - name: Microsoft Purview Information Protection
+        href: connect-microsoft-purview.md
       - name: Microsoft Sentinel Data Collector API
         href: connect-rest-api-template.md
       - name: Azure Functions API connection
@@ -579,6 +581,8 @@
       href: windows-security-event-id-reference.md
     - name: DNS over AMA reference
       href: dns-ama-fields.md
+    - name: Microsoft Purview Information Protection reference
+      href: microsoft-purview-record-types-activities.md
     - name: Microsoft 365 Defender connector data type support
       href: microsoft-365-defender-cloud-support.md
   - name: Detection and analysis references
diff --git a/articles/sentinel/connect-microsoft-purview.md b/articles/sentinel/connect-microsoft-purview.md
@@ -0,0 +1,108 @@
+---
+title: Stream data from Microsoft Purview Information Protection to Microsoft Sentinel 
+description: Stream data from Microsoft Purview Information Protection (formerly Microsoft Information Protection) to Microsoft Sentinel so you can analyze and report on data from the Microsoft Purview labeling clients and scanners.
+author: limwainstein
+ms.topic: how-to
+ms.date: 01/02/2023
+ms.author: lwainstein
+#Customer intent: As a security operator, I want to get specific labeling data from Microsoft Purview, so I can track, analyze, report on the data and use it for compliance purposes.
+---
+
+# Stream data from Microsoft Purview Information Protection to Microsoft Sentinel
+
+This article describes how to stream data from Microsoft Purview Information Protection (formerly Microsoft Information Protection or MIP) to Microsoft Sentinel. You can use the data ingested from the Microsoft Purview labeling clients and scanners to track, analyze, report on the data, and use it for compliance purposes. 
+
+> [!IMPORTANT]
+> The Microsoft Purview Information Protection connector is currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.   
+
+## Overview 
+
+Auditing and reporting are an important part of organizations' security and compliance strategy. With the continued expansion of the technology landscape that has an ever-increasing number of systems, endpoints, operations, and regulations, it becomes even more important to have a comprehensive logging and reporting solution in place.
+
+With the Microsoft Purview Information Protection connector, you stream auditing events generated from unified labeling clients and scanners. The data is then emitted to the Microsoft 365 audit log for central reporting in Microsoft Sentinel.
+ 
+With the connector, you can:
+
+- Track adoption of labels, explore, query, and detect events.
+- Monitor labeled and protected documents and emails. 
+- Monitor user access to labeled documents and emails, while tracking classification changes. 
+- Gain visibility into activities performed on labels, policies, configurations, files and documents. This visibility helps security teams identify security breaches, and risk and compliance violations.
+- Use the connector data during an audit, to prove that the organization is compliant.
+
+### Azure Information Protection connector vs. Microsoft Purview Information Protection connector
+
+This connector replaces the Azure Information Protection (AIP) data connector. The Azure Information Protection (AIP) data connector uses the AIP audit logs (public preview) feature. As of **March 31, 2023**, the AIP analytics and audit logs public preview will be retired, and moving forward will be using the [Microsoft 365 auditing solution](/microsoft-365/compliance/auditing-solutions-overview).
+
+For more information: 
+- See [Removed and retired services](/azure/information-protection/removed-sunset-services#azure-information-protection-analytics).
+- Learn how to [disconnect the AIP connector](#disconnect-the-azure-information-protection-connector).
+
+When you enable the Microsoft Purview Information Protection connector, audit logs stream into the standardized 
+`MicrosoftPurviewInformationProtection` table. Data is gathered through the [Office Management API](/office/office-365-management-api/office-365-management-activity-api-schema), which uses a structured schema. The new standardized schema is adjusted to enhance the deprecated schema used by AIP, with more fields and easier access to parameters.
+
+Review the list of supported [audit log record types and activities](microsoft-purview-record-types-activities.md).
+
+## Prerequisites
+
+Before you begin, verify that you have:
+
+- The Microsoft Sentinel solution enabled. 
+- A defined Microsoft Sentinel workspace.
+- A valid license to [Microsoft Purview Information Protection](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance).
+- [Enabled Sensitivity labels for Office](/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-files?view=o365-worldwide#use-the-microsoft-purview-compliance-portal-to-enable-support-for-sensitivity-labels&preserve-view=true) and [enabled auditing](/microsoft-365/compliance/turn-audit-log-search-on-or-off?view=o365-worldwide#use-the-compliance-center-to-turn-on-auditing&preserve-view=true).
+- The Global Administrator or Security Administrator role on the workspace.
+
+## Set up the connector
+
+> [!NOTE]
+> If you set the connector on a workspace located in a different region than your Office 365 location, data might be streamed across regions.
+
+1. Open the [Azure portal](https://portal.azure.com/) and navigate to the **Microsoft Sentinel** service.
+1. In the **Data connectors** blade, in the search bar, type *Purview*.
+1. Select the **Microsoft Purview Information Protection (Preview)** connector.
+1. Below the connector description, select **Open connector page**.
+1. Under **Configuration**, select **Connect**.
+
+    When a connection is established, the **Connect** button changes to **Disconnect**. You're now connected to the Microsoft Purview Information Protection. 
+
+Review the list of supported [audit log record types and activities](microsoft-purview-record-types-activities.md). 
+
+## Disconnect the Azure Information Protection connector
+
+We recommend using the Azure Information Protection connector and the Microsoft Purview Information Protection connector simultaneously (both enabled) for a short testing period. After the testing period, we recommend that you disconnect the Azure Information Protection connector to avoid data duplication and redundant costs. 
+
+To disconnect the Azure Information Protection connector:
+
+1. In the **Data connectors** blade, in the search bar, type *Azure Information Protection*. 
+1. Select **Azure Information Protection**.
+1. Below the connector description, select **Open connector page**.
+1. Under **Configuration**, select **Disconnect**.
+
+## Known Issues And Limitations
+
+- The Office Management API doesn't obtain a Downgrade Label with the names of the labels before and after the downgrade. To retrieve this information, extract the `labelId` of each label and enrich the results. 
+
+    Here's an example KQL query:
+
+    ```kusto
+    let labelsMap = parse_json('{'
+     '"566a334c-ea55-4a20-a1f2-cef81bfaxxxx": "MyLabel1",'
+     '"aa1c4270-0694-4fe6-b220-8c7904b0xxxx": "MyLabel2",'
+     '"MySensitivityLabelId": "MyLabel3"'
+     '}');
+     MicrosoftPurviewInformationProtection
+     | extend SensitivityLabelName = iif(isnotempty(SensitivityLabelId), 
+    tostring(labelsMap[tostring(SensitivityLabelId)]), "")
+     | extend OldSensitivityLabelName = iif(isnotempty(OldSensitivityLabelId), 
+    tostring(labelsMap[tostring(OldSensitivityLabelId)]), "")
+    ```
+ 
+- The `MicrosoftPurviewInformationProtection` table and the `OfficeActivity` table might include some duplicated events.
+ 
+## Next steps
+
+In this article, you learned how to set up the Microsoft Purview Information Protection connector to track, analyze, report on the data, and use it for compliance purposes. To learn more about Microsoft Sentinel, see the following articles:
+
+- Learn how to [get visibility into your data, and potential threats](get-visibility.md).
+- Get started [detecting threats with Microsoft Sentinel](detect-threats-built-in.md).
+- [Use workbooks](monitor-your-data.md) to monitor your data.
diff --git a/articles/sentinel/data-connectors-reference.md b/articles/sentinel/data-connectors-reference.md
@@ -367,20 +367,21 @@ See [Microsoft Defender for Cloud](#microsoft-defender-for-cloud).
 
 ## Azure Information Protection (Preview)
 
+> [!NOTE]
+> The Azure Information Protection (AIP) data connector uses the AIP audit logs (public preview) feature. As of **March 31, 2023**, the AIP analytics and audit logs public preview will be retired, and moving forward will be using the [Microsoft 365 auditing solution](/microsoft-365/compliance/auditing-solutions-overview).
+>
+> For more information, see [Removed and retired services](/azure/information-protection/removed-sunset-services#azure-information-protection-analytics).
+>
+
+See the [Microsoft Purview Information Protection](#microsoft-purview-information-protection-preview) connector, which will replace this connector.
+
 | Connector attribute | Description |
 | --- | --- |
 | **Data ingestion method** | [**Azure service-to-service integration**](connect-azure-windows-microsoft-services.md) |
 | **Log Analytics table(s)** | InformationProtectionLogs_CL |
 | **DCR support** | Not currently supported |
 | **Supported by** | Microsoft |
 
-
-> [!NOTE]
-> The Azure Information Protection (AIP) data connector uses the AIP audit logs (public preview) feature. As of **March 18, 2022**, we are sunsetting the AIP analytics and audit logs public preview, and moving forward will be using the [Microsoft 365 auditing solution](/microsoft-365/compliance/auditing-solutions-overview). Full retirement is scheduled for **September 30, 2022**.
->
-> For more information, see [Removed and retired services](/azure/information-protection/removed-sunset-services#azure-information-protection-analytics).
->
-
 ## Azure Key Vault
 
 | Connector attribute | Description |
@@ -1230,6 +1231,14 @@ Add http://localhost:8081/ under **Authorized redirect URIs** while creating [We
 | **Log Analytics table(s)** | ProjectActivity |
 | **Supported by** | Microsoft |
 
+## Microsoft Purview Information Protection (Preview)
+| Connector attribute | Description |
+| --- | --- |
+| **Data ingestion method** | **Azure service-to-service integration: <br>[API-based connections](connect-microsoft-purview.md)** |
+| **License prerequisites/<br>Cost information** | Your Office 365 deployment must be on the same tenant as your Microsoft Sentinel workspace.<br>Other charges may apply. |
+| **Log Analytics table(s)** | MicrosoftPurviewInformationProtection |
+| **Supported by** | Microsoft |
+
 
 ## Microsoft Sysmon for Linux (Preview)
 
diff --git a/articles/sentinel/microsoft-purview-record-types-activities.md b/articles/sentinel/microsoft-purview-record-types-activities.md
@@ -0,0 +1,58 @@
+---
+title: Microsoft Purview Information Protection connector reference - audit log record types and activities support in Microsoft Sentinel
+description: This article lists supported audit log record types and activities when using the Microsoft Purview Information Protection connector with Microsoft Sentinel.
+author: limwainstein
+ms.author: lwainstein
+ms.topic: reference
+ms.date: 01/02/2023
+---
+
+# Microsoft Purview Information Protection connector reference - audit log record types and activities support
+
+This article lists supported audit log record types and activities when using the Microsoft Purview Information Protection connector with Microsoft Sentinel.
+
+When you use the [Microsoft Purview Information Protection connector](connect-microsoft-purview.md), you stream audit logs into the  
+`MicrosoftPurviewInformationProtection` standardized table. Data is 
+gathered through the [Office Management API](/office/office-365-management-api/office-365-management-activity-api-schema), which uses a structured schema. 
+
+## Supported audit log record types
+
+
+|Value  |Member |Name  |Description  |Operations |
+|---------|---------|---------|---------|---------|
+|93 |`AipDiscover` |Microsoft Purview scanner events. |Describes the type of access. |
+|94 |`AipSensitivityLabelAction` |Microsoft Purview sensitivity label event. |The operation type for the audit log. The name of the user or admin activity for a description of the most common operations: <ul><li>`SensitivityLabelApplied`</li><li>`SensitivityLabelUpdated`</li><li>`SensitivityLabelRemoved`</li><li>`SensitivityLabelPolicyMatched`</li><li>`SensitivityLabeledFileOpened`</li></ul> |
+|95 |`AipProtectionAction` |Microsoft Purview protection events. |Contains information related to Microsoft Purview protection events. |
+|96 |`AipFileDeleted` | Microsoft Purview file deletion event. |Contains information related to Microsoft Purview file deletion events. |
+|97 |`AipHeartBeat` |Microsoft Purview heartbeat event. |The operation type for the audit log. The name of the user or admin activity for a description of the most common operations or activities:<ul><li>`SensitivityLabelApplied`</li>`SensitivityLabelUpdated`</li><li>`SensitivityLabelRemoved`</li><li>`SensitivityLabelPolicyMatched`</li><li>`SensitivityLabeledFileOpened`</li> |
+|43 |`MipLabel` | Events detected in the transport pipeline of email messages that are tagged (manually or automatically) with sensitivity labels. | |
+|82 |`SensitivityLabelPolicyMatch` |Events generated when a file labeled with a sensitive label is opened or renamed. |
+|83 |`SensitivityLabelAction` |Event generated when sensitivity labels are applied, updated or removed. | |
+|84 |`SensitivityLabeledFileAction` | Events generated when a file labeled with a sensitivity label is opened or renamed. | |
+|71 |`MipAutoLabelSharePointItem` |Auto-labeling events in SharePoint | |
+|72 |`MipAutoLabelSharePointPolicyLocation` |Auto-labeling policy events in SharePoint. | |
+|75 |`MipAutoLabelExchangeItem` |Auto-labeling events in Microsoft Exchange. | |
+
+
+## Supported activities
+
+|Friendly name |Operation |Description |
+|---------|---------|---------| 
+|Applied sensitivity label to file |`FileSensitivityLabelApplied` |A sensitivity label was applied to a document via Microsoft 365 apps, Office on the web, or an auto-labeling policy. |
+|Changed sensitivity label applied to file |`FileSensitivityLabelChanged` |A different sensitivity label was applied to a document. An Office on the web or an auto-labeling policy changed. |
+|Removed sensitivity label from file |`FileSensitivityLabelRemoved` |A sensitivity label was removed from a document via Microsoft 365 apps, Office on the web, an auto-labeling policy, or the [Unlock-SPOSensitivityLabelEncryptedFile](/powershell/module/sharepoint-online/unlock-sposensitivitylabelencryptedFile) cmdlet. |
+|Applied sensitivity label to site |`SensitivityLabelApplied` | A sensitivity label was applied to a SharePoint or Teams site. |
+|Changed sensitivity label applied to file |`SensitivityLabelUpdated` |A different sensitivity label was applied to a document. |
+|Removed sensitivity label from site |`SensitivityLabelRemoved` |A sensitivity label was removed from a SharePoint or Teams site. |
+| |`SiteSensitivityLabelApplied` |A sensitivity label was applied to a SharePoint or Teams site. |
+|Changed sensitivity label on a site |`SensitivityLabelChanged` |A different sensitivity label was applied to a SharePoint or Teams site. |
+|Removed sensitivity label from site |`SiteSensitivityLabelRemoved` |A sensitivity label was removed from a SharePoint or Teams site. |
+|Document |`DocumentSensitivityMismatchDetected` |Non auditable activity. Signals to Substrate that the item was removed from the SharedWithMe view. This is the same as the `RemovedFromSharedWithMe` operation, but without audit. |
+
+## Next steps
+
+In this article, you learned about the audit log record types and activities supported when you use the Microsoft Purview Information Protection connector. To learn more about Microsoft Sentinel, see the following articles:
+
+- Learn how to [get visibility into your data, and potential threats](get-visibility.md).
+- Get started [detecting threats with Microsoft Sentinel](detect-threats-built-in.md).
+- [Use workbooks](monitor-your-data.md) to monitor your data.
diff --git a/articles/sentinel/whats-new.md b/articles/sentinel/whats-new.md
@@ -16,6 +16,17 @@ The listed features were released in the last three months. For information abou
 
 [!INCLUDE [reference-to-feature-availability](includes/reference-to-feature-availability.md)]
 
+## January 2023
+
+### Microsoft Purview Information Protection connector (Preview)
+
+With the new [Microsoft Purview Information Protection connector](connect-microsoft-purview.md), you can stream data from Microsoft Purview Information Protection (formerly Microsoft Information Protection or MIP) to Microsoft Sentinel. You can use the data ingested from the Microsoft Purview labeling clients and scanners to track, analyze, report on the data, and use it for compliance purposes.
+
+This connector replaces the Azure Information Protection (AIP) data connector, aligned with the retirement of the AIP analytics and audit logs public preview as of **March 31, 2023**.
+
+The new connector streams audit logs into the standardized 
+`MicrosoftPurviewInformationProtection` table, which has been adjusted to enhance the deprecated schema used by AIP, with more fields and easier access to parameters. Data is gathered through the [Office Management API](/office/office-365-management-api/office-365-management-activity-api-schema), which uses a structured schema. Review the list of supported [audit log record types and activities](microsoft-purview-record-types-activities.md).
+
 ## December 2022
 
 - [Create and run playbooks on entities on-demand (Preview)](#create-and-run-playbooks-on-entities-on-demand-preview)
