This is a step-by-step guided walkthrough of the extended report experience.
Prerequisites
Step-by-step guided walkthrough
In this guide, we will provide high-level steps to get started using the new tooling.
7.1 All the reports have diagrams that measure KPIs to track the progress of improvement projects. The sample above is in the grey box, where the measurement is based on how much sensitive content is accessed by compromised users or devices. Adjust this so that it is based on what resonates with your key objectives.
7.2 The green boxes used for the KPI measurements come from MaxDataSensitiveRisk, MaxDataDevice, MaxDataUser. You can either add a new value or update the current value.
7.2.1 To update the current value, select Transform data.
7.2.2 Select Goals, click on the flywheel for Source.
7.2.3 You can now update the values that are stored in the template. If you want to use a different value, you can click the + sign to add additional columns.
7.2.4 When you have made the modifications, click Close & Apply.
7.3 Update the blue box high-level description to match the content or replace it with something automatically generated by Copilot, https://learn.microsoft.com/en-us/power-bi/create-reports/copilot-introduction.
7.4 Based on the organization's requirements, filter to only the required sensitive information types.
7.5 The last part that you may want to update is the incident diagrams. By default, they show the severity and type of attack for incidents linked to access to sensitive data. You may want to map this to incident Tags or other fields based on your requirements.
9.1 To receive the accurate mapping of the labelled content you need to update the MIPLabel table with your label names and GUIDs.
9.1.2 Select Transform data.
9.1.3 Select MIPLabel, click on the flywheel for Source.
9.1.4 Connect to SCC PowerShell (Connect-IPPSSession)
- Run Get-Label | Select-Object ImmutableId, DisplayName
- Copy the output
9.1.5 You can now update the values that are stored in the template. This ensures that the name mapping of labels works as expected.
9.1.6 The next step is to update the Access to mission-critical systems from compromised devices. Select the SensitiveSystems query, then click Advanced Editor.
9.1.7 Update the list of URLs that contain a system that has high business impact if an attacker has been accessing it. It is important to only use single quotes. Right now, there is no straightforward way to capture the URLs, so we need to do it manually. Once complete click Done.
9.1.8 When completed, click Close & Apply
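For step 9.1.4, the following added example (not part of the original template or post) turns the Get-Label output into tab-separated rows for pasting into the MIPLabel table, skipping entries whose ImmutableId is not a GUID or repeats an earlier one, since either would break the label name mapping. The helper name ConvertTo-MipLabelRows, the GUID-then-name column order, and the sample labels are assumptions made for illustration.

```powershell
# Added example: helper name, column order and sample labels are assumptions.
function ConvertTo-MipLabelRows {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Label
    )
    begin {
        $seenIds = @{}   # GUID string -> display name already emitted
        $rows = [System.Collections.Generic.List[string]]::new()
    }
    process {
        $name = ([string]$Label.DisplayName).Trim()
        $id = [guid]::Empty
        # Reject values that would never match a label GUID in the event data.
        if (-not [guid]::TryParse([string]$Label.ImmutableId, [ref]$id)) {
            Write-Warning "Skipped '$name': ImmutableId is not a GUID."
            return
        }
        # A GUID mapped to two names makes the report's label mapping ambiguous.
        if ($seenIds.ContainsKey($id.ToString())) {
            Write-Warning "Skipped '$name': GUID already used by '$($seenIds[$id.ToString()])'."
            return
        }
        $seenIds[$id.ToString()] = $name
        $rows.Add("$id`t$name")
    }
    end { $rows }
}

# Constructed sample input standing in for Get-Label output (not real tenant data).
$sample = @(
    [pscustomobject]@{ ImmutableId = '11111111-1111-1111-1111-111111111111'; DisplayName = 'Confidential ' }
    [pscustomobject]@{ ImmutableId = '22222222-2222-2222-2222-222222222222'; DisplayName = 'Highly Confidential' }
    [pscustomobject]@{ ImmutableId = '11111111-1111-1111-1111-111111111111'; DisplayName = 'Confidential (copy)' }
    [pscustomobject]@{ ImmutableId = 'not-a-guid'; DisplayName = 'Broken entry' }
)
$sample | ConvertTo-MipLabelRows

# In a live session after Connect-IPPSSession:
#   Get-Label | ConvertTo-MipLabelRows | Set-Clipboard
```

Check the column order against the MIPLabel table in your copy of the template before pasting.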
10.1 We have one additional tab, called Operational Scope Classified Content, that does this based on sensitivity labels.
11. The KPI tabs are more condensed and should be customized to fit with the context of the organization and the leaders to which the information is presented. The key thing is to communicate the information in a context that resonates.
11.1 You will want to update the incident view highlighted in red; switch it to something that works with the audience, such as one of the Tags or another detail. You also want to be very deliberate about which incidents should generate the data shown in this dashboard. One way is to use tags; for example, you may elect to only show incidents that are tagged with PossibleBoard. This may enhance communication between security teams and the board by making analysts aware of the importance of their work and its direct correlation with organizational leadership.
11.2 In this sample we have Credit Card in Focus and End user Identifiable. You should replace these with regulator names, such as SEC, FDA, FCC, NTIA, FCA etc., and the associated sensitive information types: change the name and update the sensitive information filter.
Additional reports that come with this package
We are shipping a few additional reports that can be used to gain further insights. The Project sample provides this view for label usage. You can modify the targets in the same way as you did for the board report.
One additional tip for this report is that you can,
The incident sample will provide views like this. The incident reporting and progress view provides insights into the analyst process. It provides the overall efficiency metrics and measures to gauge performance. It shows incident operations over time by different criteria, like severity, mean time to triage, mean time to resolve, DLP Policy, and more. You should customize this view to work with your practices.
The Incident view covers 6 months by default, while the event data is from the past 30 days. To increase the event data beyond 30 days, you can use Microsoft Sentinel. If, on the other hand, you want to reduce the Incident window, you can follow these steps.
4. = OData.Feed("https://api.security.microsoft.com/api/incidents?$filter=lastUpdateTime gt " & Date.ToText(Date.AddDays(Date.From(DateTime.LocalNow()),-30), "yyyy-MM-dd") , null, [Implementation="2.0"])
The report also has a per workload detailed view like this sample for Exchange Online. The report contains Exchange, SharePoint, OneDrive for Business, Endpoint, Teams and OCR.
Additional configuration to be made
This is required to capture sensitive information that is transferred in Exchange Online or SharePoint Online. Setup captures all DLP policies that do not have any action or raise any alerts. This is also important for the Copilot for Security functionality to work correctly.
Set up the Power BI online view
Providing an online view of the data has several benefits. You can delegate access to the dashboard without delegating permissions to the underlying data set. You can also create queries that only show information for a specific division or market and only present that information to that specific market. You can set up a scheduled refresh to refresh the data without having to upload it again.
Follow these steps to set up the integration https://learn.microsoft.com/en-us/azure/sentinel/powerbi#create-a-power-bi-online-workspace.