AIP Scanner Status report


Hello,

I'm looking to create some kind of report for the AIP scanner as it's scanning share directories. It would be nice to know when it starts to scan a directory and when the scanner has completed the directory. It would be nice to have it include all the directories and then give the status if it has completed scanning.

Is this possible with AIP and log analytics? I have been looking into this and haven't made it too far. Any help would be greatly appreciated.

1 Reply

@Metzinger35

I think (and I have very little AIP test data) that you get one row in the logs per activity (or activity_s).

InformationProtectionLogs_CL
| where Activity_s == "Discover"
| project TimeGenerated, ['File Name']=ObjectId_s, DeviceId_s, DeviceRisk_s, Activity_s, UserId_s

https://docs.microsoft.com/en-us/azure/information-protection/reports-aip

Unless the Activity column changes, i.e. newlabel, removelabel, etc.
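
An added example, not part of the original reply: one way to turn the per-file Discover rows above into a per-directory status view. It assumes ObjectId_s holds the full path of the discovered file, and `quietAfter` is a hypothetical idle threshold. The status is inferred from the first and last row seen per directory, not from an explicit start or complete event.

```kusto
// Added example: per-directory scan activity inferred from Discover rows.
// Assumption: ObjectId_s contains the full file path (UNC or local).
let quietAfter = 30m;   // hypothetical: no new rows for this long => treat directory as idle
InformationProtectionLogs_CL
| where Activity_s == "Discover"
// Strip the final path segment (the file name) to get the parent directory.
| extend Directory = extract(@"^(.*)[\\/][^\\/]+$", 1, ObjectId_s)
| where isnotempty(Directory)
| summarize FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            Files     = dcount(ObjectId_s)
          by Directory
// A directory with no new Discover rows inside the quiet window is reported as idle.
| extend Status = iff(now() - LastSeen > quietAfter, "No recent activity", "Scanning")
| order by LastSeen desc
```

Directories the scanner has not reached yet produce no rows, so they do not appear in this output; comparing the result against the configured repository list shows what is still pending.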