Jul 31 2024 01:58 AM
Hello,
I have a few incidents created for my Purview policies, and I see the incidents and alerts in security.microsoft.com.
I am running the following simple advanced hunting query:
"RawEventData": {
"@odata.type": "#microsoft.graph.security.dynamicColumnValue",
"CreationTime": "2024-07-22T12:46:33.0000000Z",
"Id": "fff346cc-***",
"IncidentId": "89630849-***",
"ObjectId": "<*.*.PROD.OUTLOOK.COM>",
"Operation": "DlpRuleMatch",
"OrganizationId": "***",
"email address removed for privacy reasons": "#Collection(String)",
"PolicyDetails": [
"{\"PolicyId\":\"2d7eb..\",\"PolicyName\":\"generate email incidents with block.\",\"Rules\":[{\"ActionParameters\":[\"GenerateAlert:true\"],\"Actions\":[\"BlockAccess\",\"GenerateAlert\"],\"ConditionsMatched\":{\"ConditionMatchedInNewScheme\":false,\"OtherConditions\":[{\"Name\":\"From\",\"Value\":\"0f66...\"}]},\"ManagementRuleId\":\"bbe..\",\"RuleId\":\"101e3f12-...\",\"RuleMode\":\"Enable\",\"RuleName\":\"Block emails with keyword\",\"Severity\":\"Medium\"}]}"
],
"email address removed for privacy reasons": "#Int64",
"RecordType": 13,
"SensitiveInfoDetectionIsIncluded": false,
...
Jul 31 2024 03:49 AM
Hi @russellworkid,
Something like the following might help:
CloudAppEvents
| where ActivityType == "Securityevent"
// RawEventData is a dynamic column; pull the flag out as a string
| extend SensitiveInfo = tostring(RawEventData.SensitiveInfoDetectionIsIncluded)
// keep only the rows where the flag is not "false"
| where SensitiveInfo != "false"
If I have answered your question, please mark your post as Solved
If you like my response, please consider giving it a like
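As an added example (not part of either post above), here is a query that goes one step further than the SensitiveInfoDetectionIsIncluded filter and unpacks the DLP policy and rule details from the record pasted in the question. It assumes the DlpRuleMatch events are visible in CloudAppEvents with the RawEventData shape shown above (Operation, PolicyDetails, RuleMode, SensitiveInfoDetectionIsIncluded, ObjectId, IncidentId); the filter on ActionType is an assumption that the operation name is mirrored there, and Timestamp and AccountObjectId are standard CloudAppEvents columns. The non-obvious part is that PolicyDetails is an array whose elements are JSON strings, so it has to be parsed twice.

```kql
// Added example, not from the thread above. Assumes CloudAppEvents carries the
// DlpRuleMatch records with the RawEventData shape pasted in the question.
CloudAppEvents
| where Timestamp > ago(7d)
// ActionType mirroring the audit Operation is an assumption; the RawEventData check
// is grounded in the pasted record and keeps the query working either way.
| where ActionType == "DlpRuleMatch" or tostring(RawEventData.Operation) == "DlpRuleMatch"
// PolicyDetails is an array of JSON *strings*: parse the outer array first,
// expand it, then parse each element into an object.
| extend PolicyDetails = parse_json(tostring(RawEventData.PolicyDetails))
| mv-expand PolicyRaw = PolicyDetails
| extend Policy = parse_json(tostring(PolicyRaw))
// one policy can hold several rules; expand them so each rule is its own row
| mv-expand Rule = Policy.Rules
| extend PolicyName = tostring(Policy.PolicyName),
         RuleName   = tostring(Rule.RuleName),
         RuleMode   = tostring(Rule.RuleMode),
         Severity   = tostring(Rule.Severity),
         Actions    = tostring(Rule.Actions),
         SensitiveInfoIncluded = tobool(RawEventData.SensitiveInfoDetectionIsIncluded)
// "Enable" is the RuleMode of an enforced rule (as in the pasted record);
// rules in test mode report a different RuleMode and should not count as blocks.
| where RuleMode == "Enable" and Actions has "BlockAccess"
| project Timestamp, ActionType, AccountObjectId, PolicyName, RuleName, Severity, Actions,
          SensitiveInfoIncluded,
          Target   = tostring(RawEventData.ObjectId),
          Incident = tostring(RawEventData.IncidentId)
| order by Timestamp desc
```

Two caveats when adapting this. First, `tostring()` of a missing dynamic field returns an empty string rather than "false", so a filter like `!= "false"` also keeps rows where SensitiveInfoDetectionIsIncluded is absent; `tobool()` plus an explicit `== true` is less surprising if you only want confirmed detections. Second, the Actions comparison uses `has` on the stringified array, which is enough for a dashboard but will also match any future action name containing the token; `mv-expand` the Actions array as well if you need an exact match.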
Jul 31 2024 04:59 AM