This is a step-by-step guided walkthrough of the extended report experience.

This is a step-by-step guided walkthrough of the extended report experience.

Prerequisites

\n
• License requirements for Microsoft Purview Information Protection depend on the scenarios and features you use. To understand your licensing requirements and options for Microsoft Purview Information Protection, see the Information Protection sections from Microsoft 365 guidance for security & compliance and the related PDF download for feature-level licensing requirements.
\n
• Before you start, all endpoint interaction with Sensitive content is already being included in the audit logging with Endpoint DLP enabled. For Microsoft 365 SharePoint, OneDrive Exchange, Teams you can enable policies that generate events but not incidents for important sensitive information types.
\n
• Install Power BI Desktop to make use of the templates Downloads | Microsoft Power BI
\n

Step-by-step guided walkthrough

In this guide, we will provide high-level steps to get started using the new tooling.

\n
1. Get the latest version of the report that you are interested in from here. In this case we will show the Board report.
\n
2. Open the report if Power BI Desktop is installed it should look like this.
\n

\n
1. You may have to approve the use of ArcGIS Maps if that has not been done before.
\n

\n
1. You must authenticate with https://api.security.microsoft.com, select Organizational account, and sign in. Then click Connect.
\n

\n
1. You will also have to authenticate with httpps://api.security.microsoft.com/api/advancedhunting, select Organizational account, and sign in. Then click Connect.
\n

\n
1. The system will start to collect the information from the built-in queries. Please note that this can take quite some time in larger environments.
\n

\n
1. When the load completes you should see something like this, in the Legal and Compliance tab. The report provides details on all content that is matching, built-in, and custom Sensitivity types, or any that have been touched by any of the compromised User accounts or Devices in the red box. The report needs to be updated.
\n

7.1 All the reports have diagrams to measure KPI’s that measure the progress of improvement projects. Sample above is in the grey box, where it is measured based on how much sensitive content is accessed by compromised users or devices. This should be adjusted to be based on what resonates with your key objectives.

7.2 The green boxes used for the KPI measurements come from MaxDataSensitiveRisk, MaxDataDevice, MaxDataUser. You can either add a new value or update the current value.

7.2.1 To update the current value by selecting Transform data.

7.2.2 Select Goals, click on the flywheel for Source.

7.2.3 You can now update the values that are stored in the template. If you want to use a different value, you can click the + sign to add additional columns.

7.2.4 When you have made the modifications click Close & Apply.

7.3 Update the blue box high-level description to match the content or replace it with something automatically generated by Copilot, https://learn.microsoft.com/en-us/power-bi/create-reports/copilot-introduction.

7.4 Based on the organization's requirements filter to only the required Sensitive information types.

7.5 The last part that you may want to update is the incident diagrams. By default, they show the severity and type of attack for incidents linked to access to sensitive data. You may want to map this to incident Tags or other fields based on your requirements.

\n
1. The Trust & Reputation got a similar build as the Legal and compliance scorecard. Update it based on the requirements for your use case. The initial idea for this report is to show privacy-related data. The impact of having customer data leaking is devastating for the Trust customers have for the organization. Other reputational data points should be added as needed.
\n

\n
1. The Company & Shareholder Value contains some more information. The goal is to customize this to be bound to the organization's secrets. Secret drawings, source code, internal financial results dashboards, supply chains, product development and other sensitive information. You may want to filter down to EDM, Fingerprint type SITs and specific trainable classifiers for this report.
\n

9.1 To receive the accurate mapping of the labelled content you need to update the MIPLabel table with your label names and GUIDs.

9.1.2 Select Transform data.

9.1.3 Select MIPLabel, click on the flywheel for Source.

9.1.4 Connect to SCC PowerShell (Connect-IPPSsession)

-Run get-label | select immutableid, DisplayName

-Copy the Output

 9.1.5 You can now update the values that are stored in the template. This ensures that the name mapping of labels works as expected.

9.1.6 The next step is to update the Access to mission-critical systems from compromised devices. Select the SensitiveSystems query. Then click Advanced Editor

9.1.7 Update the list of URLs that contain a system that has high business impact if an attacker has been accessing it. It is important to only use single quotes. Right now, there is no straightforward way to capture the URLs, so we need to do it manually. Once complete click Done.

9.1.8 When completed, click Close & Apply

\n
1. If the previous steps have been completed the tab for operational scope should be ok. This view provides the organization with information about where Sensitive information is processed. This can help the organization to identify from where the content is being processed by which legal entity and function etc…. Failing this may in fact directly impact if an organization is allowed to operate in a specific market or not. Not knowing this have impact on restructuring the company and other actions to keep the company competitive.
\n

10.1 We have one additional tab that does this based on Sensitivity labels. Called Operational Scope Classified Content.

11. The KPI tabs are more condensed and should be customized to fit with the context of the organization and the leaders to which the information is presented. The key thing is to communicate the information in a context that resonates.

11.1 You will want to update the incident view highlighted in red, switch it to something that works with the audience, it may be one of the Tags or other detail. You also want to be very deliberate about which incidents should generate the data to be shown in this dashboard. One way is to use tags, you may elect to only show incidents that are tagged with PossibleBoard as an example. This may enhance the communication between security teams and the board. By bringing awareness to the analysts the importance of their work and direct correlation with organizational leadership.

11.2 In this sample we have Credit Card in Focus and End user Identifiable, you should replace this with regulator names and the associated sensitive information types. Like SEC, FDA, FCC, NTIA, FCA etc. change the name and update the sensitive information filter.

Additional reports that come with this package

We are shipping a few additional reports that can be used to gain further insights. The Project sample provides this view for label usage. You can modify the targets similarly to you did for the board report.

One additional tip for this report is that you can,

\n
1. Configure the “Maximum value” to be your target value, create the value in the Goals table.
\n
2. Set the “Target value” to the value you had over the past period 275 in the case above.
\n

While the incident sample will provide views like this. The incident reporting and progress view provides insights into the analyst process. It provides the overall efficiency metrics and measures to gauge the performance. It provides incident operations over time by different criteria, like severity, mean time to triage, mean time to resolve, DLP Policy, and more. You should customize this view to work with your practices.

The Incident view is by default 6 months while the event data is from the past 30 days. To increase the event data beyond 30 days you can use Microsoft Sentinel. If you on the other hand want to reduce the Incident window you can follow these steps.

\n
1. Go to transform data
\n
2. Select the Incident table, view settings by default you will see.
\n

\n
1. Update this to 30 days by updating the value to this as an example.
\n

4. = OData.Feed(\"https://api.security.microsoft.com/api/incidents?$filter=lastUpdateTime gt \" & Date.ToText(Date.AddDays(Date.From(DateTime.LocalNow()),-30), \"yyyy-MM-dd\") , null, [Implementation=\"2.0\"])

The report also has a per workload detailed view like this sample for Exchange Online. The report contains Exchange, SharePoint, OneDrive for Business, Endpoint, Teams and OCR.

Additional configuration to be made

This is required to capture sensitive information that is transferred in Exchange Online or SharePoint Online. Setup captures all DLP policies that do not have any action or raise any alerts. This is also important for the Copilot for Security functionality to work correctly.

\n
1. Create a custom policy.
\n

\n
1. Name the policy based on your naming standard and provide a description of the policy.
\n

\n
1. Select the workloads from where you want to capture sensitive data usage. For devices there is no need, devices are capturing all the sensitive data processing by default. 
\n

\n
1. Click next.
\n

\n
1. Click Create rule.
\n

\n
1. Provide a rule name and click Add condition, then click Content Contains
\n

\n
1. Then click Sensitive info types, and select all the relevant Sensitive information types that you would like to capture for both internal and external processing. Note, do focus on the sensitive information types that are key to your operations (max 125 per rule). Then click Add, you can add your own custom SITs or make use of the built in SITs.
\n

\n
1. If you want any other conditions to be true for generating signals like external communications add that condition. Next, ensure that no Action, User notifications, Incident reports or Use email incident reports… are turned on. They should all be turned off.
\n

Setup the Power BI online view

Providing an online view of the data has several benefits. You can delegate access to the dashboard without delegating permissions to the underlying data set. You can also create queries that only show information for a specific division or market and only present that information to that specific market. You can set up a scheduled refresh to refresh the data without having to upload it again.

Follow these steps to set up the integration https://learn.microsoft.com/en-us/azure/sentinel/powerbi#create-a-power-bi-online-workspace.

Posts part of this series

\n
• Cyber Security in a context that allows your organization to achieve more
  https://techcommunity.microsoft.com/t5/security-compliance-and-identity/cyber-security-in-a-context-that-allows-your-organization-to/ba-p/4120041
\n
• Security for Copilot Data Security Analyst plugin https://techcommunity.microsoft.com/t5/security-compliance-and-identity/learn-how-to-customize-and-optimize-copilot-for-security-with/ba-p/4120147 
\n
• Guided walkthrough of the Microsoft Purview extended report experience https://techcommunity.microsoft.com/t5/security-compliance-and-identity/guided-walkthrough-of-the-microsoft-purview-extended-report/ba-p/4121083 
\n

This is a step-by-step guided walkthrough of the extended report experience.

Prerequisites

\n
• License requirements for Microsoft Purview Information Protection depend on the scenarios and features you use. To understand your licensing requirements and options for Microsoft Purview Information Protection, see the Information Protection sections from Microsoft 365 guidance for security & compliance and the related PDF download for feature-level licensing requirements.
\n
• Before you start, all endpoint interaction with Sensitive content is already being included in the audit logging with Endpoint DLP enabled. For Microsoft 365 SharePoint, OneDrive Exchange, Teams you can enable policies that generate events but not incidents for important sensitive information types.
\n
• Install Power BI Desktop to make use of the templates Downloads | Microsoft Power BI
\n

Step-by-step guided walkthrough

In this guide, we will provide high-level steps to get started using the new tooling.

\n
1. Get the latest version of the report that you are interested in from here. In this case we will show the Board report.
\n
2. Open the report if Power BI Desktop is installed it should look like this.
\n

\n
1. You may have to approve the use of ArcGIS Maps if that has not been done before.
\n

\n
1. You must authenticate with https://api.security.microsoft.com, select Organizational account, and sign in. Then click Connect.
\n

\n
1. You will also have to authenticate with httpps://api.security.microsoft.com/api/advancedhunting, select Organizational account, and sign in. Then click Connect.
\n

\n
1. The system will start to collect the information from the built-in queries. Please note that this can take quite some time in larger environments.
\n

\n
1. When the load completes you should see something like this, in the Legal and Compliance tab. The report provides details on all content that is matching, built-in, and custom Sensitivity types, or any that have been touched by any of the compromised User accounts or Devices in the red box. The report needs to be updated.
\n

7.1 All the reports have diagrams to measure KPI’s that measure the progress of improvement projects. Sample above is in the grey box, where it is measured based on how much sensitive content is accessed by compromised users or devices. This should be adjusted to be based on what resonates with your key objectives.

7.2 The green boxes used for the KPI measurements come from MaxDataSensitiveRisk, MaxDataDevice, MaxDataUser. You can either add a new value or update the current value.

7.2.1 To update the current value by selecting Transform data.

7.2.2 Select Goals, click on the flywheel for Source.

7.2.3 You can now update the values that are stored in the template. If you want to use a different value, you can click the + sign to add additional columns.

7.2.4 When you have made the modifications click Close & Apply.

7.3 Update the blue box high-level description to match the content or replace it with something automatically generated by Copilot, https://learn.microsoft.com/en-us/power-bi/create-reports/copilot-introduction.

7.4 Based on the organization's requirements filter to only the required Sensitive information types.

7.5 The last part that you may want to update is the incident diagrams. By default, they show the severity and type of attack for incidents linked to access to sensitive data. You may want to map this to incident Tags or other fields based on your requirements.

\n
1. The Trust & Reputation got a similar build as the Legal and compliance scorecard. Update it based on the requirements for your use case. The initial idea for this report is to show privacy-related data. The impact of having customer data leaking is devastating for the Trust customers have for the organization. Other reputational data points should be added as needed.
\n

\n
1. The Company & Shareholder Value contains some more information. The goal is to customize this to be bound to the organization's secrets. Secret drawings, source code, internal financial results dashboards, supply chains, product development and other sensitive information. You may want to filter down to EDM, Fingerprint type SITs and specific trainable classifiers for this report.
\n

9.1 To receive the accurate mapping of the labelled content you need to update the MIPLabel table with your label names and GUIDs.

9.1.2 Select Transform data.

9.1.3 Select MIPLabel, click on the flywheel for Source.

9.1.4 Connect to SCC PowerShell (Connect-IPPSsession)

-Run get-label | select immutableid, DisplayName

-Copy the Output

 9.1.5 You can now update the values that are stored in the template. This ensures that the name mapping of labels works as expected.

9.1.6 The next step is to update the Access to mission-critical systems from compromised devices. Select the SensitiveSystems query. Then click Advanced Editor

9.1.7 Update the list of URLs that contain a system that has high business impact if an attacker has been accessing it. It is important to only use single quotes. Right now, there is no straightforward way to capture the URLs, so we need to do it manually. Once complete click Done.

9.1.8 When completed, click Close & Apply

\n
1. If the previous steps have been completed the tab for operational scope should be ok. This view provides the organization with information about where Sensitive information is processed. This can help the organization to identify from where the content is being processed by which legal entity and function etc…. Failing this may in fact directly impact if an organization is allowed to operate in a specific market or not. Not knowing this have impact on restructuring the company and other actions to keep the company competitive.
\n

10.1 We have one additional tab that does this based on Sensitivity labels. Called Operational Scope Classified Content.

11. The KPI tabs are more condensed and should be customized to fit with the context of the organization and the leaders to which the information is presented. The key thing is to communicate the information in a context that resonates.

11.1 You will want to update the incident view highlighted in red, switch it to something that works with the audience, it may be one of the Tags or other detail. You also want to be very deliberate about which incidents should generate the data to be shown in this dashboard. One way is to use tags, you may elect to only show incidents that are tagged with PossibleBoard as an example. This may enhance the communication between security teams and the board. By bringing awareness to the analysts the importance of their work and direct correlation with organizational leadership.

11.2 In this sample we have Credit Card in Focus and End user Identifiable, you should replace this with regulator names and the associated sensitive information types. Like SEC, FDA, FCC, NTIA, FCA etc. change the name and update the sensitive information filter.

Additional reports that come with this package

We are shipping a few additional reports that can be used to gain further insights. The Project sample provides this view for label usage. You can modify the targets similarly to you did for the board report.

One additional tip for this report is that you can,

\n
1. Configure the “Maximum value” to be your target value, create the value in the Goals table.
\n
2. Set the “Target value” to the value you had over the past period 275 in the case above.
\n

While the incident sample will provide views like this. The incident reporting and progress view provides insights into the analyst process. It provides the overall efficiency metrics and measures to gauge the performance. It provides incident operations over time by different criteria, like severity, mean time to triage, mean time to resolve, DLP Policy, and more. You should customize this view to work with your practices.

The Incident view is by default 6 months while the event data is from the past 30 days. To increase the event data beyond 30 days you can use Microsoft Sentinel. If you on the other hand want to reduce the Incident window you can follow these steps.

\n
1. Go to transform data
\n
2. Select the Incident table, view settings by default you will see.
\n

\n
1. Update this to 30 days by updating the value to this as an example.
\n

4. = OData.Feed(\"https://api.security.microsoft.com/api/incidents?$filter=lastUpdateTime gt \" & Date.ToText(Date.AddDays(Date.From(DateTime.LocalNow()),-30), \"yyyy-MM-dd\") , null, [Implementation=\"2.0\"])

The report also has a per workload detailed view like this sample for Exchange Online. The report contains Exchange, SharePoint, OneDrive for Business, Endpoint, Teams and OCR.

Additional configuration to be made

This is required to capture sensitive information that is transferred in Exchange Online or SharePoint Online. Setup captures all DLP policies that do not have any action or raise any alerts. This is also important for the Copilot for Security functionality to work correctly.

\n
1. Create a custom policy.
\n

\n
1. Name the policy based on your naming standard and provide a description of the policy.
\n

\n
1. Select the workloads from where you want to capture sensitive data usage. For devices there is no need, devices are capturing all the sensitive data processing by default. 
\n

\n
1. Click next.
\n

\n
1. Click Create rule.
\n

\n
1. Provide a rule name and click Add condition, then click Content Contains
\n

\n
1. Then click Sensitive info types, and select all the relevant Sensitive information types that you would like to capture for both internal and external processing. Note, do focus on the sensitive information types that are key to your operations (max 125 per rule). Then click Add, you can add your own custom SITs or make use of the built in SITs.
\n

\n
1. If you want any other conditions to be true for generating signals like external communications add that condition. Next, ensure that no Action, User notifications, Incident reports or Use email incident reports… are turned on. They should all be turned off.
\n

Setup the Power BI online view

Providing an online view of the data has several benefits. You can delegate access to the dashboard without delegating permissions to the underlying data set. You can also create queries that only show information for a specific division or market and only present that information to that specific market. You can set up a scheduled refresh to refresh the data without having to upload it again.

Follow these steps to set up the integration https://learn.microsoft.com/en-us/azure/sentinel/powerbi#create-a-power-bi-online-workspace.

Posts part of this series

\n
• Cyber Security in a context that allows your organization to achieve more
  https://techcommunity.microsoft.com/t5/security-compliance-and-identity/cyber-security-in-a-context-that-allows-your-organization-to/ba-p/4120041
\n
• Security for Copilot Data Security Analyst plugin https://techcommunity.microsoft.com/t5/security-compliance-and-identity/learn-how-to-customize-and-optimize-copilot-for-security-with/ba-p/4120147 
\n
• Guided walkthrough of the Microsoft Purview extended report experience https://techcommunity.microsoft.com/t5/security-compliance-and-identity/guided-walkthrough-of-the-microsoft-purview-extended-report/ba-p/4121083 
\n

This is a step-by-step guided walkthrough of the extended report experience.

Jon_Nordstromwhat permissions are needed for this to work? we are getting DataSource.Error: Web.Contents failed to get contents from 'https://api.security.microsoft.com/api/advancedhunting for the DLP alerts query

Hi Dean, the user who initially sets this up need to have access to advanced hunting Manage access to Microsoft Defender XDR with Microsoft Entra global roles - Microsoft Defender XDR | Microsoft Learn. Once published you then delegate permissions to the web based dashboard in PBI.

Jon_Nordstromthanks, i can run advanced hunting queries in the portal but the power bi query is failing, do you have any trouble shooting tips?

The experience you have for DLP alert reporting in the PBI template is centered around DLP incidents. You can filter and customize it based on your needs. The calls are using the Incident API and not the AH API. You may join it with additional details from the alerts hunting table as needed. That is what you see in the sample workbook, DLP incidents per Workload.

We are in need of a similar reporting as we are migrating to Defender to manage our DLP Incidents and Alerts. Essentially, we are looking for some kind of reporting in relation DLP Incidents, how many Incidents/ALerts our team was able to handle and resolved in a given time period, total alerts received, how many of the alerts are classified as FP or TP. Is this something we can do too as well using Advance Hunting and publish via PowerBI? If yes, is there guide we can refer to?

Content explorer requires a PS script to execute to get the data. To keep this clean we use the Advanced Hunting tables. Interested parties should make a feature request for a table that holds the information from Content Explorer. It is indeed good detail for data governance and appropriate posture management.

Jon_Nordstrom Thank you for these blogs. They are very much needed.

Question: Do we have the ability to pull Content Explorer info too ?