How to set SensitiveInfoDetectionIsIncluded to true so CloudAppEvents schema returns data

Hello,

I have a few incidents created for my Purview policies, and I see the incidents and alerts in Security.microsoft.com.
I am running the following simple advanced hunting query:

CloudAppEvents
| where ActivityType == 'Securityevent'
 
In the result I see
"SensitiveInfoDetectionIsIncluded": false under RawEventData.

I understand that as long as this is false, I cannot see the forensic data (the violating data) for the incident.

How can I set this value to true so that I can get the forensic data?

My goal is to use the Graph API with advanced hunting to retrieve this data so that I can load it into my application (end-user remediation) as a case and educate the users about the violation.

 

            "RawEventData": {
                "@odata.type": "#microsoft.graph.security.dynamicColumnValue",
                "CreationTime": "2024-07-22T12:46:33.0000000Z",
                "Id": "fff346cc-***",
                "IncidentId": "89630849-***",
                "ObjectId": "<*.*.PROD.OUTLOOK.COM>",
                "Operation": "DlpRuleMatch",
                "OrganizationId": "***",
                "email address removed for privacy reasons": "#Collection(String)",
                "PolicyDetails": [
                    "{\"PolicyId\":\"2d7eb..\",\"PolicyName\":\"generate email incidents with block.\",\"Rules\":[{\"ActionParameters\":[\"GenerateAlert:true\"],\"Actions\":[\"BlockAccess\",\"GenerateAlert\"],\"ConditionsMatched\":{\"ConditionMatchedInNewScheme\":false,\"OtherConditions\":[{\"Name\":\"From\",\"Value\":\"0f66...\"}]},\"ManagementRuleId\":\"bbe..\",\"RuleId\":\"101e3f12-...\",\"RuleMode\":\"Enable\",\"RuleName\":\"Block emails with keyword\",\"Severity\":\"Medium\"}]}"
                ],
                "email address removed for privacy reasons": "#Int64",
                "RecordType": 13,
                "SensitiveInfoDetectionIsIncluded": false,
...

2 Replies

Hi @russellworkid,

Something like the following might help?

 

CloudAppEvents
| where ActivityType == "Securityevent"
| extend SensitiveInfo = tostring(RawEventData.SensitiveInfoDetectionIsIncluded)
| where SensitiveInfo != "false"

 

If I have answered your question, please mark your post as Solved

If you like my response, please consider giving it a like

Hi @cyb3rmik3,

I get no results, and I expected that result with this query.
My understanding is that I need to first enable the value to true somewhere, and only then would this query work.

https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-ap...

Under the DLP schema I see this is a boolean value, but I am not sure how I can toggle it to true.
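The thread does not settle whether the flag can be toggled; the following is an added example (not code from either poster or from Microsoft) that takes the flag as a value set by the service and shows the other half of the original goal: calling the hunting query through Microsoft Graph and turning the CloudAppEvents RawEventData shape shown in the post into remediation cases. It uses the real `POST /security/runHuntingQuery` endpoint and its `Query`/`Timespan` body; the `Operation == "DlpRuleMatch"` filter, the `project` list, the case field names, the `_policy` helper and the sample response are this example's own assumptions, and all IDs are labelled placeholders. Records whose `SensitiveInfoDetectionIsIncluded` is false are counted and skipped rather than loaded as cases, since the post notes they carry no forensic detail.

```python
import json
import urllib.request
from typing import Any, Optional

# Real Microsoft Graph endpoint for Advanced Hunting (permission: ThreatHunting.Read.All).
HUNTING_ENDPOINT = "https://graph.microsoft.com/v1.0/security/runHuntingQuery"

# Query from the thread, narrowed to DLP matches that carry forensic details.
# The Operation filter and the project list are this example's assumptions.
DLP_HUNTING_QUERY = """CloudAppEvents
| where ActivityType == "Securityevent"
| where RawEventData.Operation == "DlpRuleMatch"
| where tobool(RawEventData.SensitiveInfoDetectionIsIncluded) == true
| project Timestamp, ReportId, RawEventData"""


def build_hunting_request(query: str, timespan: Optional[str] = None) -> dict:
    """Body for POST /security/runHuntingQuery; Timespan is an optional ISO 8601 duration."""
    body = {"Query": query}
    if timespan:
        body["Timespan"] = timespan
    return body


def run_hunting_query(access_token: str, query: str, timespan: str = "P7D") -> dict:
    """Live call, not exercised offline; access_token is a Graph bearer token obtained elsewhere."""
    data = json.dumps(build_hunting_request(query, timespan)).encode()
    req = urllib.request.Request(HUNTING_ENDPOINT, data=data, method="POST", headers={
        "Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def parse_policy_details(raw: Any) -> list:
    """PolicyDetails is an array of JSON-encoded *strings* (see the dump in the post),
    so every element needs a second json.loads."""
    if isinstance(raw, str):
        raw = json.loads(raw)
    return [json.loads(p) if isinstance(p, str) else p for p in (raw or [])]


def extract_cases(hunting_response: dict) -> dict:
    """One remediation case per matched rule; rows without forensic data are counted and skipped."""
    cases, skipped = [], 0
    for row in hunting_response.get("results", []):
        raw = row.get("RawEventData") or {}
        if isinstance(raw, str):  # dynamic columns may arrive as text
            raw = json.loads(raw)
        if raw.get("Operation") != "DlpRuleMatch":
            continue
        if not raw.get("SensitiveInfoDetectionIsIncluded", False):
            skipped += 1
            continue
        for policy in parse_policy_details(raw.get("PolicyDetails")):
            for rule in policy.get("Rules", []):
                cases.append({
                    "incident_id": raw.get("IncidentId"),
                    "report_id": row.get("ReportId"),
                    "policy": policy.get("PolicyName"),
                    "rule": rule.get("RuleName"),
                    "severity": rule.get("Severity"),
                    "actions": rule.get("Actions", []),
                    # the forensic detail layout is not shown in the thread; pass it through
                    "conditions": rule.get("ConditionsMatched", {}),
                })
    return {"cases": cases, "skipped_without_forensics": skipped}


def _policy(name: str, rule: str, severity: str, actions: list, matched: dict) -> str:
    """Encode one policy the way the service does: a JSON string inside the array (constructed)."""
    return json.dumps({"PolicyId": "POLICY-ID-PLACEHOLDER", "PolicyName": name,
                       "Rules": [{"Actions": actions, "ConditionsMatched": matched,
                                  "RuleMode": "Enable", "RuleName": rule, "Severity": severity}]})


# Constructed sample response shaped like Graph's runHuntingQuery output.
_MATCHED = {"OtherConditions": [{"Name": "From", "Value": "SENDER-ID-PLACEHOLDER"}]}
SAMPLE_RESPONSE = {
    "schema": [{"name": "Timestamp", "type": "DateTime"},
               {"name": "ReportId", "type": "String"},
               {"name": "RawEventData", "type": "Dynamic"}],
    "results": [
        {"Timestamp": "2024-07-22T12:46:33Z", "ReportId": "r-1",  # mirrors the post's record
         "RawEventData": {"Operation": "DlpRuleMatch", "IncidentId": "INCIDENT-ID-PLACEHOLDER-1",
                          "PolicyDetails": [_policy("generate email incidents with block.",
                                                    "Block emails with keyword", "Medium",
                                                    ["BlockAccess", "GenerateAlert"], _MATCHED)],
                          "SensitiveInfoDetectionIsIncluded": False}},
        {"Timestamp": "2024-07-22T13:02:10Z", "ReportId": "r-2",  # constructed: forensics included
         "RawEventData": {"Operation": "DlpRuleMatch", "IncidentId": "INCIDENT-ID-PLACEHOLDER-2",
                          "PolicyDetails": [_policy("Credit card policy", "Block credit card numbers",
                                                    "High", ["BlockAccess", "GenerateAlert"], _MATCHED)],
                          "SensitiveInfoDetectionIsIncluded": True}},
    ],
}

if __name__ == "__main__":
    print(json.dumps(extract_cases(SAMPLE_RESPONSE), indent=2))
```

Running the script against the constructed sample yields one case (the second record) and one skipped record; in production `extract_cases` would be fed the dictionary returned by `run_hunting_query`, and the skipped count is a useful health metric, since a tenant that only ever returns `false` here will never produce a case.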