New Blog Post | Identify organizational use/misuse of information using Microsoft 365 and Sentinel

Microsoft


Identify organizational use/misuse of sensitive information using Microsoft 365 and Sentinel - Micro...

We commonly receive requests such as: How do I visualize MIP label usage? How can I use MIP label changes to trigger alerts? How do I get more detail on the sensitive information being processed at my endpoints? Is this data type being processed outside (or inside) of this geographical boundary?

We are pleased to share a new, insightful way of pivoting risky behavior with organizational and geographical context. This means that you can start building risk profiles for your organization that can be used both for alerting and for graphical presentation as part of risk assessments of sensitive information use. You understand your organization's habits best, so please treat this as a sample and expand it based on your requirements.

The information is based on the new CloudAppEvents connector for Sentinel, which ingests Microsoft Defender for Cloud Apps data. MIP label operations, processing of sensitive content on endpoints, DLP events, sharing events, and file access events are all part of this event stream. Be aware that this will ingest a lot of events into Sentinel.

Let's take a sneak peek at a few of the things that the sample provides.

This is a view of label operations and changes to labels, along with some organizational context on how the labels are being used within the departments. There are several other views of label usage; the idea is that this serves as a starting point that you customize based on your needs.
