Security, Compliance, and Identity Blog

Announcing the Public Preview of features in Microsoft Information Protection unified analytics

Bhavanesh Rengarajan
Mar 02, 2021

Microsoft Information Protection (MIP) is a built-in, intelligent, unified, and extensible solution to know your data, protect your data, and prevent data loss across an enterprise – in Microsoft 365 cloud services, on-premises, third-party SaaS applications, and more.

Microsoft’s unified analytics solution provides a single, consistent way to protect sensitive information from risky or inappropriate sharing, transfer, or use. In this release, Analytics lets customers view the activities listed below in Microsoft 365 Activity Explorer and Audit.

 

This public preview showcases the following capabilities:

  • Sensitivity labeling events from Office native apps (Word, Excel, PowerPoint, Outlook) are available in M365 Audit and Activity Explorer. You can view the label activities from Microsoft 365 apps for Windows via “Current Channel” (version 2011+), macOS via “Current Channel” (version 16.43+), the latest release of the iOS/Android apps, and the Online apps in M365 Activity Explorer in the Compliance Center. Additional details are available here.
  • Activities from AIP in Microsoft 365 Activity Explorer and Audit
  • DLP activities for Exchange, SharePoint, OneDrive, Teams, and on-premises DLP in Microsoft 365 Activity Explorer

Office native sensitivity labeling events in the unified analytics solution

Audit log information includes label activities such as when a label is applied, changed, or removed. This is in addition to the logs already available in Activity Explorer covering Endpoint DLP, service-based labeling, and retention labeling activities.

Figure 1 – Activity Explorer view of label activity from Office native apps

 

AIP audit events in the unified analytics solution

In Public Preview, the Microsoft 365 Compliance Center’s enhanced unified labeling and analytics experience now offers support for the long-awaited Azure Information Protection (AIP) audit logs, including exploration of all activities.

With this update, events reported by the AIP unified labeling client, the AIP scanner, and the MIP SDK can now be stored in the Compliance Center and displayed alongside events from Office 365 cloud labeling and DLP activities. Figure 2 shows AIP audit events in M365 Activity Explorer; you can use the Application column to segment and investigate the data coming from AIP.

Figure 2 – Activity Explorer view of application detail from AIP

 

Note:

  1. Support for AIP audit logs in the Compliance Center is a supplemental offering in addition to the existing AIP analytics solution. Storing AIP audit logs in the Log Analytics workspace and exploring them in the AIP Analytics (Preview) screens in the AIP area of the Azure portal continues to be available at this time. Customers should be aware that M365 Audit and Activity Explorer will be the solution where all the AIP logs will eventually reside. While we currently support AIP Analytics, future investments and developments to support analytics capabilities will be focused on M365 Audit and Activity Explorer.
  2. Microsoft 365 Activity Explorer is a premium service that is typically enabled as part of AIP P2 or via an E5 license. At this time and until further notice, as a courtesy to our customers, Microsoft is also making this experience available to existing AIP customers with AIP P1. You can refer to the other permission and licensing details mentioned here for Activity Explorer.

Known limitation: AIP client versions lower than 2.8.85 emit multiple "File read" ("Access") logs when a file is opened and saved. This has been fixed in later client versions, and we recommend that customers upgrade to a version higher than 2.8.85 so that the client sends only one "File read" ("Access") log when a user opens a labeled or protected document.
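The duplicate "File read" events from older AIP clients matter to anyone counting accesses or alerting on them from the audit data. The following added example (not Microsoft's code) shows how a log pipeline can recognise clients below 2.8.85 and collapse the duplicate "Access" records they emit, while leaving records from fixed clients untouched. The field names CreationTime, UserId, ObjectId and Operation follow the Office 365 Management Activity API common schema; ClientVersion is an assumed field name for the reporting client's version, the 5-second collapse window is an assumption, and the sample records are constructed.

```python
"""Collapse duplicate AIP "File read" ("Access") records from pre-2.8.85 clients.

Added example, not Microsoft's code.  ClientVersion is an assumed field name;
the dedup window is an assumption; SAMPLE_RECORDS is constructed test data.
"""
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Set, Tuple

MIN_FIXED_CLIENT = (2, 8, 85)          # clients below this emit duplicate Access logs
DEDUP_WINDOW = timedelta(seconds=5)    # assumed: duplicates arrive within a few seconds


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.8.85.0' -> (2, 8, 85, 0); extra segments are kept for comparison."""
    return tuple(int(part) for part in text.strip().split("."))


def client_needs_upgrade(version: str) -> bool:
    """True when the AIP client predates the fix described in the post."""
    return parse_version(version) < MIN_FIXED_CLIENT


def collapse_duplicate_reads(records: Iterable[Dict]) -> List[Dict]:
    """Keep one "Access" record per (user, file) within DEDUP_WINDOW for old clients.

    Records from fixed clients, records without a version, and non-Access
    operations pass through unchanged, so genuine repeated reads are preserved.
    """
    kept: List[Dict] = []
    last_seen: Dict[Tuple[str, str], datetime] = {}
    for rec in sorted(records, key=lambda r: r["CreationTime"]):
        version: Optional[str] = rec.get("ClientVersion")
        if rec.get("Operation") != "Access" or version is None or not client_needs_upgrade(version):
            kept.append(rec)
            continue
        key = (rec["UserId"].lower(), rec["ObjectId"].lower())
        stamp = datetime.fromisoformat(rec["CreationTime"])
        previous = last_seen.get(key)
        if previous is not None and stamp - previous <= DEDUP_WINDOW:
            continue  # duplicate emitted by the old client for the same open/save: drop it
        last_seen[key] = stamp
        kept.append(rec)
    return kept


def outdated_clients(records: Iterable[Dict]) -> Set[Tuple[str, str]]:
    """(user, version) pairs still running a client below 2.8.85, for an upgrade list."""
    return {
        (rec["UserId"], rec["ClientVersion"])
        for rec in records
        if rec.get("ClientVersion") and client_needs_upgrade(rec["ClientVersion"])
    }


def _access(when: str, user: str, path: str, version: str) -> Dict:
    return {"CreationTime": when, "UserId": user, "ObjectId": path,
            "Operation": "Access", "ClientVersion": version}


SAMPLE_RECORDS = [  # constructed sample, not real tenant data
    _access("2021-03-01T09:00:00", "alice@contoso.example", "C:\\Docs\\plan.docx", "2.7.101.0"),
    _access("2021-03-01T09:00:01", "alice@contoso.example", "C:\\Docs\\plan.docx", "2.7.101.0"),  # duplicate
    _access("2021-03-01T09:10:00", "alice@contoso.example", "C:\\Docs\\plan.docx", "2.7.101.0"),  # later open
    _access("2021-03-01T09:00:00", "bob@contoso.example", "C:\\Docs\\budget.xlsx", "2.8.85.0"),
    _access("2021-03-01T09:00:01", "bob@contoso.example", "C:\\Docs\\budget.xlsx", "2.8.85.0"),  # fixed client: kept
]

if __name__ == "__main__":
    survivors = collapse_duplicate_reads(SAMPLE_RECORDS)
    print(f"{len(SAMPLE_RECORDS)} records in, {len(survivors)} out")
    for user, version in sorted(outdated_clients(SAMPLE_RECORDS)):
        print(f"upgrade needed: {user} runs AIP client {version}")
```

Running the script on the constructed sample keeps four of the five records: Alice's two reads within one second from the 2.7.101.0 client collapse to one, her read ten minutes later is a separate event, and Bob's two reads from the 2.8.85.0 client are both kept because that client no longer duplicates. Treating an unknown version as "do not collapse" is the conservative choice for an audit trail; if your pipeline would rather err towards fewer events, change the `version is None` branch.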

 

How to get started

If you have already configured your Log Analytics workspace in the AIP area of the Azure portal, we have already onboarded your tenant, and the audit events are now also stored in the Compliance Center. You can start exploring them from within the Compliance Center experience in M365 Activity Explorer.

If you have not configured your Log Analytics workspace in the Azure portal and wish to explore your AIP audit events in the Compliance Center, fill in this form and we will onboard your tenant.

 

DLP rule match events in the unified analytics solution

DLP rule matches generated in Exchange, SharePoint, OneDrive, Teams, and on-premises will be available in Activity Explorer under an activity called ‘DLP rule matched’.

In addition, the sensitive information type and the matched text with its surrounding context (wherever available) will be shown in the preview window. This lets DLP policy administrators quickly assess whether a detection is a true positive so they can initiate the appropriate remediation actions.

Figure 3 – DLP events available across locations

Clicking on the sensitive information type opens a panel with the hit summary and contextual details:


Thank you,

Bhavanesh Rengarajan (Microsoft Information Protection team)

Updated May 11, 2021
Version 3.0
  • Jan (oechiih) - Good point. All the data coming into Audit logs in M365 can also be ported into a SIEM using the management API. So I would definitely ask you to check this option out. In the meantime, there will be necessary notices in place when we make such a decision to move away from the Log Analytics workspace - so some planning around the scenario would be good.

    Maxlan71 - Activity Explorer also showcases Audit data sets and it doesn't have any other data source. So there is nothing called 'Activity Explorer' items to filter in the O365 MAPI documentation. For example: if you want to export 'Label applied' activity, then you should be able to do that using the management API. If you have any specific questions, please directly message me (on Yammer) and I can help out.

    ChristopheHumbert - I don't have an exact timeline on the log workspace decommissioning, but there will be notice around it as we plan for the work. With that said, this is the direction that we are taking.

    cloud_entropy - Activity Explorer is an elastic search capability built on top of the Audit data sets. So we currently showcase a last-30-days rolling window. There is no specific need for retaining Activity Explorer data as there is nothing called "Activity Explorer" data 🙂

    HaroldvandeKamp - Thanks a lot.

    ShadanS - FYI.

  • Maxlan71
    Brass Contributor

    Great!

    But, as we know, currently Activity Explorer cannot export more than 10,000 items and more than 30 days as well (see image below). If we want to export more Activity Explorer items, we have to use the O365 Management API (MAPI). But, currently in the O365 MAPI documentation, it is not clear which REST API filter I have to use for exporting all Activity Explorer items from the audit log blobs and, also, the mapping from audit log fields to Activity Explorer fields is not clear.

    So, in the future, will there be another way to better export the Activity Explorer items and/or will there be better O365 MAPI audit log documentation to clarify how we can export all Activity Explorer items via the REST API?

    Thanks in advance for your help.
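The author's reply above points at the Office 365 Management Activity API as the way to port the same audit data into a SIEM, and this comment asks how the API's records relate to Activity Explorer rows. The following added example (not Microsoft's code and not an answer from the post's author) shows the shape of such an export: it builds the "list available content" request for a time window, walks the content blobs the API returns, and keeps only the records whose Operation corresponds to the two Activity Explorer activities named in the post, flattening them to common-schema fields for ingestion. The API root, the Audit.General content type, the NextPageUri paging header and the common-schema field names are as documented for that API; the mapping from Operation values to the Activity Explorer names "Label applied" and "DLP rule matched" is an assumption to verify against your own tenant's records, the tenant id is a placeholder, and the sample records are constructed.

```python
"""Export label/DLP audit records via the Office 365 Management Activity API.

Added example, not Microsoft's code.  OPERATIONS_OF_INTEREST is an assumed
mapping to verify against real records; SAMPLE_RECORDS is constructed data.
"""
import json
import os
import urllib.parse
import urllib.request
from typing import Dict, Iterable, List, Optional, Tuple

API_ROOT = "https://manage.office.com/api/v1.0"
CONTENT_TYPE = "Audit.General"  # content type under which MIP label and DLP records are published

# Assumed mapping from unified audit log Operation values to the Activity
# Explorer activity names used in the post.  Verify against your tenant's data.
OPERATIONS_OF_INTEREST = {
    "SensitivityLabelApplied": "Label applied",
    "DlpRuleMatch": "DLP rule matched",
}

# Common-schema fields present on every audit record; enough to correlate an
# exported event with the row Activity Explorer shows for it.
COMMON_FIELDS = ("Id", "CreationTime", "Operation", "Workload", "UserId", "ObjectId", "ClientIP")


def content_list_url(tenant_id: str, start: str, end: str, content_type: str = CONTENT_TYPE) -> str:
    """Build the 'list available content' URL for a UTC window (the API caps a window at 24 hours)."""
    query = urllib.parse.urlencode({"contentType": content_type, "startTime": start, "endTime": end})
    return f"{API_ROOT}/{tenant_id}/activity/feed/subscriptions/content?{query}"


def to_siem_event(record: Dict) -> Dict:
    """Flatten one audit record to the common-schema fields plus the Activity Explorer name."""
    event = {field: record.get(field) for field in COMMON_FIELDS}
    event["Activity"] = OPERATIONS_OF_INTEREST[record["Operation"]]
    return event


def select_records(records: Iterable[Dict]) -> List[Dict]:
    """Keep only label/DLP operations, ordered by CreationTime, as SIEM events."""
    picked = [r for r in records if r.get("Operation") in OPERATIONS_OF_INTEREST]
    picked.sort(key=lambda r: r.get("CreationTime", ""))
    return [to_siem_event(r) for r in picked]


def _get_json(url: str, token: str) -> Tuple[object, Optional[str]]:
    """GET a JSON document with a bearer token; also return the NextPageUri header if present."""
    request = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(request) as response:
        return json.load(response), response.headers.get("NextPageUri")


def fetch_records(tenant_id: str, token: str, start: str, end: str) -> List[Dict]:
    """Walk the content list (following NextPageUri) and download every blob.  Needs network access."""
    records: List[Dict] = []
    url: Optional[str] = content_list_url(tenant_id, start, end)
    while url:
        blobs, url = _get_json(url, token)
        for blob in blobs:
            body, _ = _get_json(blob["contentUri"], token)
            records.extend(body)
    return records


SAMPLE_RECORDS = [  # constructed sample records, not real tenant data
    {"Id": "r1", "CreationTime": "2021-03-01T10:02:00", "Operation": "SensitivityLabelApplied",
     "Workload": "SharePoint", "UserId": "alice@contoso.example",
     "ObjectId": "https://contoso.example/sites/hr/plan.docx", "ClientIP": "203.0.113.5"},
    {"Id": "r2", "CreationTime": "2021-03-01T10:05:00", "Operation": "DlpRuleMatch",
     "Workload": "Exchange", "UserId": "bob@contoso.example",
     "ObjectId": "<msg-id-placeholder@contoso.example>", "ClientIP": "203.0.113.7"},
    {"Id": "r3", "CreationTime": "2021-03-01T09:50:00", "Operation": "FileAccessed",
     "Workload": "SharePoint", "UserId": "alice@contoso.example",
     "ObjectId": "https://contoso.example/sites/hr/plan.docx", "ClientIP": "203.0.113.5"},
    {"Id": "r4", "CreationTime": "2021-03-01T10:01:00", "Operation": "DlpRuleMatch",
     "Workload": "OneDrive", "UserId": "carol@contoso.example",
     "ObjectId": "https://contoso.example/personal/carol/salaries.xlsx", "ClientIP": "203.0.113.9"},
]

if __name__ == "__main__":
    tenant, token = os.environ.get("TENANT_ID"), os.environ.get("MANAGEMENT_API_TOKEN")
    source = fetch_records(tenant, token, "2021-03-01T00:00:00", "2021-03-02T00:00:00") \
        if tenant and token else SAMPLE_RECORDS  # offline: use the constructed sample
    for event in select_records(source):
        print(json.dumps(event))  # one JSON line per event, ready for a SIEM collector
```

Without TENANT_ID and MANAGEMENT_API_TOKEN in the environment the script runs offline over the constructed sample and emits three JSON lines (the unrelated FileAccessed record is dropped), in CreationTime order. The token is left to the caller on purpose: any client-credentials flow for the `https://manage.office.com` resource works, and the app registration needs an active subscription to the Audit.General content type before the content list returns anything.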

  • oechiih
    Copper Contributor

    Hi Bhavanesh Rengarajan,

    Some questions popped up about logging. As I interpret this post, all the logs will be "moved" to M365 Audit and Activity Explorer at some point. This is fine for me and my clients. I assume Log Analytics will still be used in the backend. Now we would like to know if we're going to be able to remain in control of the Log Analytics Workspace used for logging. Eventually we want to forward these logs into my client's SIEM, which in this case is Splunk. However, moving everything into M365 Audit and Activity Explorer and making the "self-managed" Log Analytics Workspace obsolete hinders us in doing so.

    What are your plans about this? I assume many larger clients will feel a need to consolidate their logging somehow.

    Cheers

    Jan

  • HaroldvandeKamp
    Bronze Contributor

    Great to see the activity explorer and analytics being added to the Data classification section of the Microsoft 365 Compliance center. This definitely helps to quickly get answers regarding knowing the data, protecting the data, and preventing data loss across the enterprise.

  • cloud_entropy
    Copper Contributor

    What is the log retention for Activity Explorer? Does it align with the default retention for other O365 audit logs (one year for E5, 90 days for non-E5)?

  • Hello Bhavanesh Rengarajan,

    Thanks for this post:

    • Do you have any ETA to share for when we will be able to get rid of the Azure Logs Workspaces?
    • Do you know if all activations of AIPSuperUser and adding/removing users/groups for AIPSuperUser will be auditable?

    Thanks

  • oechiih
    Copper Contributor

    Thank you Bhavanesh Rengarajan

    I can't say that I like this development, but I can definitely understand it.

    Forgive my ignorance, but what do you mean by "the management API"? The Graph API? We'd like to forward the full logs, not just alerts.

    Cheers

  • smccnnft
    Copper Contributor

    Thanks Bhavanesh Rengarajan, though I have a question: we have an AIP workspace set up, yet we cannot see the logs in the Activity Explorer in SCC - is there anything additional (other than the form, licenses, and roles) that must be done to be able to view these logs?

  • Alan_Holm
    Copper Contributor

    Bhavanesh Rengarajan I just noticed that in our tenant the Activity in the explorer stopped August 19, 2021. Was that only a Preview up to that date?

    Thanks,

    Alan