Forum Discussion

russellworkid's avatar
russellworkid
Copper Contributor
Jul 31, 2024

How to set SensitiveInfoDetectionIsIncluded to true so CloudAppEvents schema returns data

Hello, I have few incidents created for my purview policies and i see the incidents and alerts in Security.microsoft.com  i am running the following simple advance hunting query CloudAppEve...
cyb3rmik3's avatar
cyb3rmik3
Icon for Microsoft rankMicrosoft
Jul 31, 2024

Hi russellworkid,

 

something like the following might help?

 

CloudAppEvents
| where ActivityType == "Securityevent"
| extend SensitiveInfo = tostring(RawEventData.SensitiveInfoDetectionIsIncluded)
| where SensitiveInfo != "false"

 

If I have answered your question, please mark your post as Solved

If you like my response, please consider giving it a like

  • russellworkid's avatar
    russellworkid
    Copper Contributor
    Jul 31, 2024
    Hi @ cyb3rmik3

    I get no results and i expected that result with this query.
    My understanding is that i need to first enable the value to true somewhere and then only this query would work.

    https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#dlp-schema

    Under DLP Schema i see this is a boolean value but i am not sure how i can toggle it to ture.

Resources