articles/sentinel/connect-azure-information-protection.md
27 additions & 16 deletions
Original file line number
Diff line number
Diff line change
@@ -3,9 +3,8 @@ title: Connecting Azure Information Protection data to Azure Sentinel Preview| M
3
3
description: Learn how to connect Azure Information Protection data in Azure Sentinel.
4
4
services: sentinel
5
5
documentationcenter: na
6
-
author: rkarlin
6
+
author: cabailey
7
7
manager: rkarlin
8
-
editor: ''
9
8
10
9
ms.assetid: bfa2eca4-abdc-49ce-b11a-0ee229770cdd
11
10
ms.service: azure-sentinel
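Review bot: `manager: rkarlin` is left unchanged while `author` moves from rkarlin to cabailey in this hunk. Confirm the manager value is still correct for the new owner, or update it in the same change so the front matter points at the people who now maintain this connector page.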
@@ -14,8 +13,8 @@ ms.devlang: na
14
13
ms.topic: conceptual
15
14
ms.tgt_pltfrm: na
16
15
ms.workload: na
17
-
ms.date: 04/07/2019
18
-
ms.author: rkarlin
16
+
ms.date: 09/15/2019
17
+
ms.author: cabailey
19
18
20
19
---
21
20
# Connect data from Azure Information Protection
@@ -25,34 +24,46 @@ ms.author: rkarlin
25
24
> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
26
25
> For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
27
26
28
-
You can stream logs from [Azure Information Protection](https://docs.microsoft.com/azure/information-protection/reports-aip) into Azure Sentinel with a single click. Azure Information Protection helps protect your data whether it’s stored in the cloud or in on-premises infrastructures and control and help secure email, documents, and sensitive data that you share outside your company. From easy classification to embedded labels and permissions, enhance data protection at all times with Azure Information Protection. When you connect Azure Information Protection to Azure Sentinel, you stream all the alerts from Azure Information Protection into Azure Sentinel.
27
+
You can stream logging information from [Azure Information Protection](https://azure.microsoft.com/services/information-protection/) into Azure Sentinel by configuring the Azure Information Protection data connector. Azure Information Protection helps you control and secure your sensitive data, whether it’s stored in the cloud or on-premises.
29
28
29
+
If [central reporting for Azure Information Protection](https://docs.microsoft.com/azure/information-protection/reports-aip) is already configured so that logging information from this service is stored in the same Log Analytics workspace as you've currently selected for Azure Sentinel, you can skip the configuration of this data connector. The logging information from Azure Information Protection is already available to Azure Sentinel.
30
30
31
-
## Prerequisites
31
+
However, if logging information from Azure Information Protection is going to a different Log Analytics workspace than the one you've currently selected for Azure Sentinel, do one of the following:
32
32
33
-
-User with global administrator, security administrator, or information protection permissions
33
+
-Change the workspace selected in Azure Sentinel.
34
34
35
+
- Change the workspace for Azure Information Protection, which you can do by configuring this data connector.
36
+
37
+
If you change the workspace, new reporting data for Azure Information Protection will now be stored in the workspace you're using for Azure Sentinel, and historical data isn't available to Azure Sentinel. In addition, if the previous workspace is configured for custom queries, alerts, or REST APIs, these must be reconfigured for the Azure Sentinel workspace if you want to carry on using them for Azure Information Protection. No reconfiguration is needed for clients and services that use Azure Information Protection.
35
38
36
-
## Connect to Azure Information Protection
39
+
## Prerequisites
37
40
38
-
If you already have Azure Information Protection, make sure it is [enabled on your network](https://docs.microsoft.com/azure/information-protection/activate-service).
39
-
If Azure Information Protection is deployed and getting data, the alert data can easily be streamed into Azure Sentinel.
41
+
- One of the following Azure AD administrator roles for your tenant: Azure Information Protection administrator, Security administrator, or Global administrator.
42
+
43
+
> [!NOTE]
44
+
> You cannot use the Azure Information Protection administrator role if your tenant is on the [unified labeling platform](https://docs.microsoft.com/azure/information-protection/faqs#how-can-i-determine-if-my-tenant-is-on-the-unified-labeling-platform).
40
45
46
+
- Permissions to read and write to the Log Analytics workspace you're using for Sentinel and Azure Information Protection.
41
47
42
-
1. In Azure Sentinel, select **Data connectors** and then click the **Azure Information Protection** tile.
48
+
- Azure Information Protection has been added to the Azure portal. If you need help with this step, see [Add Azure Information Protection to the Azure portal](https://docs.microsoft.com/azure/information-protection/quickstart-viewpolicy#add-azure-information-protection-to-the-azure-portal).
43
49
44
-
2. Go to the [Azure Information Protection portal](https://portal.azure.com/?ScannerConfiguration=true&EndpointDiscovery=true#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/quickstartBlade)
50
+
## Connect to Azure Information Protection
45
51
46
-
3. Under **Connection**, set up streaming of logs from Azure Information Protectionto Azure Sentinel by clicking [Configure analytics](https://portal.azure.com/#blade/Microsoft_Azure_InformationProtection/DataClassGroupEditBlade/analyticsOnboardBlade)
52
+
Use the following instructions if you haven't configured a Log Analytics workspace for Azure Information Protection, or you need to change the workspace that stores the Azure Information Protection logging information.
47
53
48
-
4. Select the workspace into which you deployed Azure Sentinel.
54
+
1. In Azure Sentinel, select **Data connectors**, and then **Azure Information Protection**.
49
55
50
-
5. Click **OK**.
56
+
2. On the **Azure Information Protection** blade, select **Open connector page**.
51
57
52
-
6. To use the relevant schema in Log Analytics for the Azure Information Protection alerts, search for**InformationProtectionLogs_CL**.
58
+
3. On the next blade, in the **Configuration** section, select **Azure Information Protection** to go to**Azure Information Protection analytics**.
53
59
60
+
4. From the list of available workspaces, select the workspace that you're currently using for Azure Sentinel. If you select a different workspace, the reporting data from Azure Information Protection won't be available to Azure Sentinel.
54
61
62
+
5. When you have selected a workspace, select **OK** and the connector **STATUS** should now change to **Connected**.
55
63
64
+
6. The reporting data from Azure Information Protection is stored in the **InformationProtectionLogs_CL** table within the selected workspace.
65
+
66
+
To use the relevant schema in Azure Monitor for this reporting data, search for **InformationProtectionEvents**. For information about these event functions, see the [Friendly schema reference for event functions](https://docs.microsoft.com/azure/information-protection/reports-aip#friendly-schema-reference-for-event-functions) section from the Azure Information Protection documentation.
56
67
57
68
## Next steps
58
69
In this document, you learned how to connect Azure Information Protection to Azure Sentinel. To learn more about Azure Sentinel, see the following articles:
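Review bot: Step 4 is where the workspace actually changes, but the consequences are stated only in the introduction ("historical data isn't available to Azure Sentinel", and custom queries, alerts, or REST APIs on the previous workspace "must be reconfigured"). Repeat or link that warning at step 4 so that someone following only the numbered steps knows that alerts and queries built on the previous workspace need to be moved before relying on them. Two smaller points: the prerequisite "Permissions to read and write to the Log Analytics workspace" would be easier to act on if it named the role or roles that satisfy it, and step 6 is a statement rather than an action, so it reads better as a paragraph after the list, next to the InformationProtectionEvents sentence.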