Forum Discussion
Solved
AIP Log Analytics
Hi, I'm trying to create a query for Azure Information Protection that will generate a report for the number of classification labels applied during the day that includes the application name and...
Thanks for all the help, that works. I even added time generated column combining all labels that was classified during specific days.
InformationProtectionLogs_CL | where Activity_s == "NewLabel" or Activity_s == "UpgradeLabel" or Activity_s == "RemoveLabel" or Activity_s == "DowngradeLabel" | where ApplicationName_s == "AIP scanner" or ApplicationName_s == "Excel" or ApplicationName_s == "Microsoft Cloud App Security" or ApplicationName_s == "Outlook" or ApplicationName_s == "PowerPoint" or ApplicationName_s == "Word" | where LabelName_s in ("Highly Confidential QA","Confidential QA","Internal QA","Public QA") | project Label_Name = columnifexists("LabelName_s",""), Application_Name = columnifexists("ApplicationName_s",""), Activity = columnifexists("Activity_s", "NewLabel"), format_datetime(TimeGenerated, 'MM-dd-yyyy') | summarize Count = toint(count(Label_Name)) by Label_Name, Application_Name, Activity, TimeGeneratedResults:
Label_Name Application_Name Activity TimeGenerated Count Highly Confidential QA Microsoft Cloud App Security NewLabel 3/23/2020 2 Highly Confidential QA Outlook NewLabel 3/23/2020 1
needs some more work, but is this right?
InformationProtectionLogs_CL
//| where Activity_s == "NewLabel"
//| where ApplicationName_s == "Word" or ApplicationName_s == "Outlook"
| where LabelName_s in ("Highly Confidential QA","Confidential QA","Internal QA" ,"Public QA","Confidential \\ All Employees") // I added the last one for my data to get a match
| project Label_Name = columnifexists("LabelName_s",""), Application_Name = columnifexists("ApplicationName_s",""), Label_Type = columnifexists("Activity_s", "NewLabel"), ApplicationName_s
| summarize Amount = count(Label_Type) by ["Classification Label"] = Label_Name, Label_Type, ["Application Type"] = ApplicationName_s
| sort by Amount desc
result:
| Classification Label | Label_Type | Application Type | Amount |
|---|---|---|---|
| Confidential \ All Employees | NewLabel | Microsoft Cloud App Security | 2 |
Thanks for all the help, that works. I even added time generated column combining all labels that was classified during specific days.
InformationProtectionLogs_CL | where Activity_s == "NewLabel" or Activity_s == "UpgradeLabel" or Activity_s == "RemoveLabel" or Activity_s == "DowngradeLabel" | where ApplicationName_s == "AIP scanner" or ApplicationName_s == "Excel" or ApplicationName_s == "Microsoft Cloud App Security" or ApplicationName_s == "Outlook" or ApplicationName_s == "PowerPoint" or ApplicationName_s == "Word" | where LabelName_s in ("Highly Confidential QA","Confidential QA","Internal QA","Public QA") | project Label_Name = columnifexists("LabelName_s",""), Application_Name = columnifexists("ApplicationName_s",""), Activity = columnifexists("Activity_s", "NewLabel"), format_datetime(TimeGenerated, 'MM-dd-yyyy') | summarize Count = toint(count(Label_Name)) by Label_Name, Application_Name, Activity, TimeGeneratedResults:
Label_Name Application_Name Activity TimeGenerated Count Highly Confidential QA Microsoft Cloud App Security NewLabel 3/23/2020 2 Highly Confidential QA Outlook NewLabel 3/23/2020 1