Ingest Office 365 DLP Events into Azure Sentinel
Published Nov 25 2019 11:22 AM 24.2K Views
Microsoft

Having different use cases for SIEM is very interesting, and it is incredible to work with customers and partners on them. In one of my engagements, a customer asked about the possibility of ingesting Office 365 DLP into Azure Sentinel.

 

Before I dig into the details, let me explain where Office 365 DLP events are available apart from Azure Sentinel.

  • In Security and Compliance Center - link
  • Available via PowerShell cmdlets - link
  • Office 365 Activity API schema includes DLP events as well - link

 

This blog post is a step-by-step guide to ingesting Office 365 DLP events into Azure Sentinel and to using them once they are there.

 

Preparation

The following tasks describe the needed preparation steps:

  1. Create Office 365 DLP rules - link. For my use case, I created a default template rule called "U.S. Finance Data".

[Screenshot: the "U.S. Finance Data" DLP policy template]

 

  2. For this blog, I assume that an Azure Sentinel instance is available and in use. If not, use this link to onboard Azure Sentinel first.
  3. One of the advantages of Azure Sentinel is the availability of out-of-the-box data connectors for Microsoft services as well as for 3rd party vendors. Enable two connectors from the Microsoft ecosystem:
    1. Azure Active Directory, to ingest Sign-In and Audit Logs from Azure Active Directory - link
    2. Office 365, to ingest Office 365 events from the Exchange Online and SharePoint Online services - link
  4. Make sure that these connectors are healthy and that events are being ingested; a sample status for the Office 365 data connector follows.

[Screenshot: Office 365 data connector status]

 

Simulation and validation

Once the DLP policies are configured and assigned to users, and the required connectors are enabled, the simulation can be started to generate events for the later steps.

 

How to search for events

Office 365 DLP has three types of events that are ingested into the Log Analytics workspace and are available for search.

  • DlpRuleMatch - This indicates a rule was matched. These events exist in Exchange, SharePoint Online and OneDrive for Business. For Exchange, the event includes false-positive and override information. For SharePoint Online and OneDrive for Business, false positives and overrides generate separate events.
  • DlpRuleUndo - These only exist in SharePoint Online and OneDrive for Business. They indicate a previously applied policy action has been "undone" – either because of false-positive/override designation by the user or because the document is no longer subject to policy, due to policy change or change in the document content.
  • DlpInfo - These only exist in SharePoint Online and OneDrive for Business and indicate a false positive designation, but no action was "undone."

In my example, I searched for DLP events from SharePoint Online with the "DLPRuleMatch" operation type.
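As an added example (not a query from the original post), the following KQL searches the Sentinel OfficeActivity table for the three DLP event types listed above and summarizes them per workload, user and object. It assumes the Office 365 connector populates the columns TimeGenerated, RecordType, Operation, OfficeWorkload, UserId, OfficeObjectId and ClientIP, and that DLP audit records carry a RecordType beginning with "ComplianceDLP"; note that == in KQL is case-sensitive, so the query uses the case-insensitive in~ and =~ operators.

```kusto
// Added example, not from the original post. Assumed columns:
// TimeGenerated, RecordType, Operation, OfficeWorkload, UserId, OfficeObjectId, ClientIP.
let dlpOps = dynamic(["DlpRuleMatch", "DlpRuleUndo", "DlpInfo"]);
OfficeActivity
| where TimeGenerated > ago(7d)
// Assumption: DLP audit records have a RecordType such as ComplianceDLPSharePoint
// or ComplianceDLPExchange. Filtering on it first keeps the string comparison
// on Operation to DLP records only (startswith is case-insensitive).
| where RecordType startswith "ComplianceDLP"
// in~ is the case-insensitive form of in; == and in are case-sensitive, so
// Operation == "DLPRuleMatch" returns nothing if the stored value is "DlpRuleMatch".
| where Operation in~ (dlpOps)
| summarize Events = count(),
            RuleMatches = countif(Operation =~ "DlpRuleMatch"),
            Undone = countif(Operation =~ "DlpRuleUndo"),
            FalsePositiveOnly = countif(Operation =~ "DlpInfo"),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            SourceIPs = make_set(ClientIP, 10)
          by OfficeWorkload, UserId, OfficeObjectId
// Objects with matches that were never undone or flagged as false positive
// are the ones to triage first.
| where RuleMatches > 0 and Undone == 0 and FalsePositiveOnly == 0
| order by RuleMatches desc
```

Drop the final where clause to see undone and false-positive designations alongside the matches they relate to.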

[Screenshot: search query for DLPRuleMatch events from SharePoint Online]

 

 

Workbook for interactive reports

Azure Sentinel can present the ingested data in out-of-the-box dashboards as well as in customized ones. For my purpose, I used the SharePoint & OneDrive dashboard, which is available as part of the Office 365 data connector. For Office 365, Azure Sentinel has two additional dashboards: "Office 365" and "Exchange Online".

 

To view the events, just open the SharePoint and OneDrive workbook and search for DLPRuleMatch events.

 

[Screenshot: SharePoint and OneDrive workbook showing DLPRuleMatch events]

 

Summary

Azure Sentinel is not limited to a fixed set of scenarios and can cover many use cases, such as the one shown in this blog post.

6 Comments
Bronze Contributor

In the code example where you are searching for "DLPRuleMatch", why do you use where Operation contains "DLP" before where Operation == "DLPRuleMatch"? Does that make the query faster?

 

 

Copper Contributor

How would we find the total size of activity logs generated during a specified time for DLP matched events - all? Thank you!

Copper Contributor

@Alp Babayigit 

 

Thanks for the post.

 

I've successfully integrated the Office DLP alerts with Sentinel but am unable to make any decision based upon these DLP logs, e.g. 'DLPRuleMatch' logs hardly show any information which we can convert into an alert. Could you please explain how we can draw meaningful conclusions from these logs?

Many thanks in advance,

Copper Contributor

@jvaidya, I have the same issue, I do not see any meaningful information in these entries.

Did you make any progress?

Copper Contributor

@brunhuber No, unfortunately I made no progress. I hope the Sentinel team improves the quality of these logs.

Copper Contributor

Is it possible to stop the DLP alerts creating Incident IDs within Sentinel without disconnecting the connectors?

We were keeping DLP alerts strictly in Defender; then, with no manual change performed, DLP alerts started popping up as Incidents within our Sentinel and we haven't found a way to make it stop.

 

Does it sound familiar to anyone?

Version history: last update Nov 02 2021 05:45 PM