In the previous part of this blog series, Microsoft 365 Compliance audit log activities via O365 Management API - Part 1, we discussed the importance of auditing and reporting for an organization's security and compliance posture. We also discussed the Microsoft auditing solutions, the auditing architecture (and its components), and the Microsoft Information Protection audit log schema.
Let's go over some of the audit log schema parameters for email and file events to make them clearer. Please note that the list below is a cut-down version of the schema, as most of the schema parameters are self-explanatory. For a full and updated list of the DLP log schema, please visit the Microsoft official documentation here. We highlight a few schema parameters that we believe are important, explaining what they mean and how we can use them. Below is an example of a DLP audit log (a DlpRuleMatch event from the Exchange workload):
{
  "CreationTime": "2021-11-02T21:52:10",
  "Id": "1c446afc-5996-4236-845c-c6d28557bd78",
  "Operation": "DlpRuleMatch",
  "OrganizationId": "123456-8385-8539b47e6810",
  "RecordType": 13,
  "UserKey": "1153801120595078600",
  "UserType": 4,
  "Version": 1,
  "Workload": "Exchange",
  "ObjectId": "\u003cBL0PR01MB52980905BA71DB19C194A324BA8B9@prod.exchangelabs.com",
  "UserId": "user.one@nodomain.xyz",
  "IncidentId": "3d3db700-9bea-643b-3000-08d99e4c1d8b",
  "PolicyDetails": [
    {
      "PolicyId": "fad884cb-d5a5-4ad2-9dab-24283e4bb6cc",
      "PolicyName": "Email X-Header Tagging",
      "Rules": [
        {
          "Actions": ["ExSetHeader", "ExModifySubject"],
          "ConditionsMatched": {
            "ConditionMatchedInNewScheme": true,
            "OtherConditions": [
              {"Name": "SensitivityLabels", "Value": "OFFICIAL"}
            ]
          },
          "ManagementRuleId": "edb9343d-fabe-47b4-a725-18f0cb031b54",
          "RuleId": "ad484e0b-752f-4787-befd-bd14db5598d4",
          "RuleMode": "Enable",
          "RuleName": "Stamp the X-Header and Append the Subject [SEC=OFFICIAL]",
          "Severity": "Medium"
        }
      ]
    }
  ],
  "SensitiveInfoDetectionIsIncluded": true,
  "ExchangeMetaData": {
    "BCC": [],
    "CC": [],
    "FileSize": 18823,
    "From": "user.one@nodomain.xyz",
    "MessageID": "\u003cBL0PR01MB52980905BA71DB19C194A324BA8B9@prod.exchangelabs.com",
    "RecipientCount": 1,
    "Sent": "2021-11-02T21:52:09",
    "Subject": "RE: Test new - 3rd Nov - 03 [SEC=OFFICIAL]",
    "To": ["admin@nodomain.xyz"],
    "UniqueID": "32e0decc-4e67-4259-ef4b-08d99e4b052f"
  }
}
DLP-Specific Base Schema

| Schema parameter | Description | Potential Values | Notes |
|---|---|---|---|
| RecordType | The operation type indicated by the record | | For a complete, updated list and full description of the log RecordType values, please refer to this article. Here we list only the DLP-relevant record types. |
| Operation | The operation type for the audit log (referenced here as discussed above) | | |
| IncidentId | The DLP incident unique ID | | |

DLP-Specific Extended Schema

| Schema parameter | Description | Potential Values | Notes |
|---|---|---|---|
| PolicyId | The GUID of the DLP policy for this event | | |
| PolicyName | The friendly name of the DLP policy for this event | | |
| RuleId | The GUID of the DLP rule for this event | | |
| RuleName | The friendly name of the DLP rule for this event | | |
| Actions | A list of actions taken because of a DLP RuleMatch event | Examples only | The DLP policy actions depend on many variables, such as the workload in scope (EXO, SPO, etc.) and the conditions selected. We list only a few DLP policy action examples for the purpose of this article. |
| Severity | The severity of the rule match | | |

DLP-Specific Extended SENSITIVE Schema (the SensitiveInformationDetections section of the log)

| Schema parameter | Description | Potential Values | Notes |
|---|---|---|---|
| DetectedValues | An array of the sensitive information that was detected | | |
| ResultsTruncated | Indicates whether the detection results were truncated due to a large number of results | | |

DLP-Specific Extended SENSITIVE Schema (the ExceptionInfo section of the log)

| Schema parameter | Description | Potential Values | Notes |
|---|---|---|---|
| Reason | For a DlpRuleUndo event, indicates why the rule no longer applies | | |
| Justification | If the user chose to override the policy, any user-specified justification is captured here | | |
| Rules | A collection of GUIDs for each rule that was designated as a false positive or override, or for which an action was undone | | |
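To show how the schema parameters above line up in a real record, here is a small parser, added for this post and not part of the script we describe later, that flattens a DLP audit record into the base, extended, sensitive-detection and ExceptionInfo fields from the tables. The first sample record is the DlpRuleMatch event shown above (trimmed); the second is a constructed DlpRuleUndo event with placeholder GUIDs, included so the ExceptionInfo and ResultsTruncated handling has something to work on. The nesting of SensitiveInformationDetections under ConditionsMatched follows Microsoft's published schema and is an assumption here, which is why the code searches for those keys instead of hard-coding a path.

```python
import json
from typing import Any, Iterator

# Constructed sample input (not from the post's script): the first record is the
# DlpRuleMatch event shown in the post, trimmed and with its brackets closed so
# it parses; the second is an invented DlpRuleUndo event with placeholder GUIDs.
SAMPLE_RECORDS = [
    {
        "CreationTime": "2021-11-02T21:52:10", "Operation": "DlpRuleMatch", "RecordType": 13,
        "Workload": "Exchange", "UserId": "user.one@nodomain.xyz",
        "IncidentId": "3d3db700-9bea-643b-3000-08d99e4c1d8b",
        "PolicyDetails": [{
            "PolicyId": "fad884cb-d5a5-4ad2-9dab-24283e4bb6cc",
            "PolicyName": "Email X-Header Tagging",
            "Rules": [{
                "Actions": ["ExSetHeader", "ExModifySubject"],
                "ConditionsMatched": {
                    "ConditionMatchedInNewScheme": True,
                    "OtherConditions": [{"Name": "SensitivityLabels", "Value": "OFFICIAL"}],
                },
                "RuleId": "ad484e0b-752f-4787-befd-bd14db5598d4",
                "RuleName": "Stamp the X-Header and Append the Subject [SEC=OFFICIAL]",
                "Severity": "Medium",
            }],
        }],
        "SensitiveInfoDetectionIsIncluded": True,
    },
    {
        "CreationTime": "2021-11-03T09:15:00", "Operation": "DlpRuleUndo", "RecordType": 11,
        "Workload": "SharePoint", "UserId": "user.two@nodomain.xyz",
        "IncidentId": "00000000-0000-0000-0000-0000000000aa",
        "PolicyDetails": [{
            "PolicyId": "00000000-0000-0000-0000-000000000001", "PolicyName": "Placeholder PII policy",
            "Rules": [{
                "RuleId": "00000000-0000-0000-0000-000000000002", "RuleName": "Block external sharing",
                "Severity": "High", "Actions": ["BlockAccess"],
                "ConditionsMatched": {"SensitiveInformation": [{
                    "SensitiveType": "Credit Card Number", "Count": 150,
                    "SensitiveInformationDetections": {
                        # only 100 of the 150 hits are listed: the detection list was truncated
                        "DetectedValues": [{"Name": "Credit Card Number", "Value": "<redacted>"}] * 100,
                        "ResultsTruncated": True,
                    },
                }]},
                "ExceptionInfo": {"Reason": "Override", "Justification": "Customer requested a copy",
                                  "Rules": ["00000000-0000-0000-0000-000000000002"]},
            }],
        }],
    },
]


def find_dicts(obj: Any, key: str) -> Iterator[dict]:
    """Yield every dict in a nested JSON structure that contains `key`; used so the
    exact nesting of the sensitive-info and exception sections need not be assumed."""
    if isinstance(obj, dict):
        if key in obj:
            yield obj
        for value in obj.values():
            yield from find_dicts(value, key)
    elif isinstance(obj, list):
        for item in obj:
            yield from find_dicts(item, key)


def summarize_dlp_record(record: dict) -> dict:
    """Flatten one DLP audit record into the fields from the schema tables."""
    rules = []
    for policy in record.get("PolicyDetails", []):
        for rule in policy.get("Rules", []):
            detections = [
                {"SensitiveType": d.get("SensitiveType"),
                 "DetectedCount": len(d["SensitiveInformationDetections"].get("DetectedValues", [])),
                 "ResultsTruncated": bool(d["SensitiveInformationDetections"].get("ResultsTruncated", False))}
                for d in find_dicts(rule.get("ConditionsMatched", {}), "SensitiveInformationDetections")
            ]
            rules.append({"PolicyId": policy.get("PolicyId"), "PolicyName": policy.get("PolicyName"),
                          "RuleId": rule.get("RuleId"), "RuleName": rule.get("RuleName"),
                          "Severity": rule.get("Severity"), "Actions": list(rule.get("Actions", [])),
                          "Detections": detections})
    exceptions = [{"Reason": e["ExceptionInfo"].get("Reason"),
                   "Justification": e["ExceptionInfo"].get("Justification"),
                   "Rules": list(e["ExceptionInfo"].get("Rules", []))}
                  for e in find_dicts(record, "ExceptionInfo")]
    return {"Operation": record.get("Operation"), "RecordType": record.get("RecordType"),
            "IncidentId": record.get("IncidentId"), "Workload": record.get("Workload"),
            "UserId": record.get("UserId"), "Rules": rules, "Exceptions": exceptions,
            # A truncated detection list means the log does not show every hit, so counts
            # built from it are a lower bound; check the incident in the compliance portal.
            "NeedsFollowUp": any(d["ResultsTruncated"] for r in rules for d in r["Detections"])}


def summarize_all(records=SAMPLE_RECORDS) -> list:
    return [summarize_dlp_record(r) for r in records]


if __name__ == "__main__":
    print(json.dumps(summarize_all(), indent=2))
```

The NeedsFollowUp flag is the practical reason to look at ResultsTruncated at all: when the service cuts the DetectedValues list short, any per-incident count you put in a report is a lower bound, and the reviewer should open the incident itself rather than trust the log.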
Before looking at how to retrieve MIP and DLP logs via Office 365 Management API queries, we first need to know where to look for them.
Below is a summary of each Office 365 Management API content blob and the operations it contains. Use this as a reference whenever you search the logs for a specific MIP and/or DLP activity event.
| Content Blob | Operation | Notes |
|---|---|---|
| Audit.AzureActiveDirectory | | Very useful in general for any investigation or reporting purposes. |
| Audit.Exchange | | |
| Audit.SharePoint | | |
| Audit.General | | |
| DLP.All | | DLP events may include sensitive data (if configured). |
In this section, we go over the configuration details in depth to prepare the environment before performing any API queries, as well as the "Compliance API" script that we created to help query and export the Microsoft 365 audit log activities via the Office 365 Management API.
To query the Office 365 Management API endpoints, you will need to configure your application with the right permissions. For a step-by-step guide, please visit the Microsoft official documentation here for more details.
We have created a sample Office Management API script that enables administrators to access their tenant's Management API service (once all the prerequisite steps above have been completed). The script uses a few variables that you will need to update before using it in your tenant (explained below). The script mainly uses GET requests to export the log activities to a set of JSON files from the five content blobs we need. Now, let's go through the script.
# One listing call per day ($Date holds the day as yyyy-MM-dd); $OfficeToken carries the bearer token header
Invoke-WebRequest -Method GET -Headers $OfficeToken -Uri "$BaseURI/content?contentType=$Subscription&startTime=$($Date)T00:00&endTime=$($Date)T23:59&PublisherIdentifier=$TenantGUID" -ErrorAction Stop
The script's variables are shown below; you will need to update the following:
• $AppClientID = "The Azure AD registered application ID"
• $ClientSecretValue = "The application secret value"
• $TenantGUID = "Tenant ID – you can get it from the Azure AD portal"
• $tenantdomain = "Tenantname.onmicrosoft.com"
• $OutputPath = "Logs folder path, e.g. C:\APILogs"
• $APIResource = Endpoint URI ($Enterprise, $GCC, $GCCH, $DOD)
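For readers who would rather see the export flow end to end, here is a Python version of what the script does per day, added for this post and not the script itself: list the content blobs for each content type with the same query string as the Invoke-WebRequest above, follow the NextPageUri header through every listing page, download each contentUri, and write one JSON file per content type. The enterprise endpoint https://manage.office.com (the $Enterprise value of $APIResource), the five content types and the zero tenant GUID are assumptions; HTTP is abstracted behind a callable so the flow runs offline against a constructed fake service, and in production you would wrap urllib or requests there and send the bearer token in the Authorization header as $OfficeToken does.

```python
import json
import os
import tempfile
from typing import Callable, Dict, List, Optional, Tuple

# Assumptions (not from the post's script): the enterprise endpoint behind the
# post's $APIResource variable, the five content blobs it exports, and a
# placeholder tenant GUID.
API_RESOURCE = "https://manage.office.com"
CONTENT_TYPES = ["Audit.AzureActiveDirectory", "Audit.Exchange",
                 "Audit.SharePoint", "Audit.General", "DLP.All"]
TENANT_GUID = "00000000-0000-0000-0000-000000000000"

# HTTP GET is modelled as a callable returning (status, headers, body) so the flow
# runs offline; in production wrap urllib/requests here and send the bearer token
# in the Authorization header, as the post's $OfficeToken header does.
HttpGet = Callable[[str], Tuple[int, Dict[str, str], str]]


def base_uri(tenant_guid: str) -> str:
    return f"{API_RESOURCE}/api/v1.0/{tenant_guid}/activity/feed/subscriptions"


def content_list_url(tenant_guid: str, content_type: str, day: str) -> str:
    """Same query the post's Invoke-WebRequest builds: one calendar day per call,
    because the content listing caps the startTime..endTime window at 24 hours."""
    return (f"{base_uri(tenant_guid)}/content?contentType={content_type}"
            f"&startTime={day}T00:00&endTime={day}T23:59&PublisherIdentifier={tenant_guid}")


def list_content(http_get: HttpGet, tenant_guid: str, content_type: str, day: str) -> List[dict]:
    """Follow the listing through every page: the next page is advertised in the
    NextPageUri response header, and the last page has none."""
    url, items = content_list_url(tenant_guid, content_type, day), []
    while url:
        status, headers, body = http_get(url)
        if status != 200:
            raise RuntimeError(f"content listing failed: HTTP {status} for {url}")
        items.extend(json.loads(body))
        url = headers.get("NextPageUri")
    return items


def export_day(http_get: HttpGet, tenant_guid: str, day: str, output_path: str) -> Dict[str, int]:
    """Fetch every blob (contentUri) for each content type and write one JSON file
    per type into output_path; returns the number of records exported per type."""
    os.makedirs(output_path, exist_ok=True)
    counts: Dict[str, int] = {}
    for content_type in CONTENT_TYPES:
        records: List[dict] = []
        for item in list_content(http_get, tenant_guid, content_type, day):
            status, _, body = http_get(item["contentUri"])
            if status != 200:
                raise RuntimeError(f"blob fetch failed: HTTP {status} for {item['contentUri']}")
            records.extend(json.loads(body))  # each blob is a JSON array of audit records
        with open(os.path.join(output_path, f"{content_type}_{day}.json"), "w") as fh:
            json.dump(records, fh, indent=2)
        counts[content_type] = len(records)
    return counts


class FakeManagementApi:
    """Constructed stand-in for the service: DLP.All lists two pages with one blob
    each; the other content types list nothing."""
    def __init__(self, tenant_guid: str):
        base = base_uri(tenant_guid)
        self.blobs = {
            f"{base}/audit/blob-1": [{"Operation": "DlpRuleMatch", "Workload": "Exchange"}],
            f"{base}/audit/blob-2": [{"Operation": "DlpRuleUndo", "Workload": "SharePoint"},
                                     {"Operation": "DlpRuleMatch", "Workload": "SharePoint"}],
        }
        self.blob_uris = list(self.blobs)

    def get(self, url: str) -> Tuple[int, Dict[str, str], str]:
        if url in self.blobs:
            return 200, {}, json.dumps(self.blobs[url])
        if "contentType=DLP.All" not in url:
            return 200, {}, "[]"
        if url.endswith("&page=2"):
            return 200, {}, json.dumps([{"contentUri": self.blob_uris[1]}])
        return 200, {"NextPageUri": url + "&page=2"}, json.dumps([{"contentUri": self.blob_uris[0]}])


def demo(output_path: Optional[str] = None) -> Dict[str, int]:
    fake = FakeManagementApi(TENANT_GUID)
    return export_day(fake.get, TENANT_GUID, "2021-11-02", output_path or tempfile.mkdtemp())


if __name__ == "__main__":
    print(demo())
```

Two details matter operationally: the listing is bounded to a 24-hour window and only reaches back seven days, which is why the script (and this example) queries day by day rather than in one sweep, and a listing that spans several pages is only complete once NextPageUri stops appearing, so any exporter that ignores that header silently drops blobs.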
So now that we have the MIP/DLP logs exported via the Office 365 Management API to JSON files, what can we do with them? We can use those JSON files in various ways, such as:
Here we show an example of how to use the Power BI Desktop tool to create a MIP/DLP audit report. We chose to create a report for the DLP policy incidents in the last 24 hours within our tenant.
MIP & Compliance One Stop Shop Resource Page: https://aka.ms/mipc/OSS
Read all the latest MIP updates and blogs at: https://aka.ms/MIPblog
Join MIP & Compliance preview programs at: https://aka.ms/MIPC/Previews
Thank you.