Not seeing all activity

%3CLINGO-SUB%20id%3D%22lingo-sub-1157485%22%20slang%3D%22en-US%22%3ENot%20seeing%20all%20activity%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1157485%22%20slang%3D%22en-US%22%3E%3CP%3EWhile%20doing%20some%20reading%20I%20came%20across%20the%20below%20article%20about%20viewing%20label%20activity%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fcompliance%2Fdata-classification-activity-explorer%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fcompliance%2Fdata-classification-activity-explorer%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20article%20says%20you%20can%20see%20a%20number%20of%20activities%20listed%20as%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CUL%3E%3CLI%3EFile%20created%3C%2FLI%3E%3CLI%3EFile%20modified%3C%2FLI%3E%3CLI%3EFile%20renamed%3C%2FLI%3E%3CLI%3EFile%20copied%20to%20cloud%3C%2FLI%3E%3CLI%3EFile%20accessed%20by%20unallowed%20app%3C%2FLI%3E%3CLI%3EFile%20printed%3C%2FLI%3E%3CLI%3EFile%20copied%20to%20removable%20media%3C%2FLI%3E%3CLI%3EFile%20copied%20to%20network%20share%3C%2FLI%3E%3CLI%3EFile%20read%3C%2FLI%3E%3CLI%3Efile%20copied%20to%20clipboard%3C%2FLI%3E%3CLI%3ELabel%20applied%3C%2FLI%3E%3CLI%3ELabel%20changed%20(upgraded%2C%20downgraded%2C%20or%20removed)%3C%2FLI%3E%3C%2FUL%3E%3CP%3EMy%20problem%20is%20when%20I%20go%20to%20the%20Label%20activity%20explorer%20I%20only%20have%20two%20options%20(Label%20Activities%20and%20Label%20changes).%26nbsp%3B%20I%20don't%20see%20all%20the%20other%20useful%20activities%20such%20%22%3CSPAN%3EFile%20copied%20to%20removable%20media%22.%26nbsp%3B%20I%20have%20the%20necessary%20license%2C%26nbsp%3B%3CSPAN%3EOffice%20365%20(E5)%2C%20applied%20to%20the%20accounts.%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%20face%3D%22inherit%22%3EI've%20done%20testing%20by%20copying%20a%20labeled%20file%20to%20a%20USB%20and%20get%20no%20activity.%26nbsp%3B%20I%20think%20I%20have%20all%20the%20right%20%3C%2FFONT%3Epermissions%3CFONT%20face%3D%22inherit%22%3E%26nbsp%3Bbut%20maybe%20there%20is%20a%20role%20or%20permission%20within%20the%20Security%20and%20Compliance%20portal%20I%20need%3F%3C%2FFONT%3E%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CSPAN%3ECan%20anyone%20help%20shed%20some%20light%20on%20this%3F%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1157485%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EInformation%20Protection%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ERights%20Management%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1396442%22%20slang%3D%22en-US%22%3ERe%3A%20Not%20seeing%20all%20activity%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1396442%22%20slang%3D%22en-US%22%3EYes%2C%20in%20short%2C%20you%20need%20Microsoft%20Defender%20ATP%20if%20you%20want%20to%20have%20visibility%20in%20the%20logs%20for%20events%20such%20as%20copying%20files%20to%20USB%20and%20many%20of%20the%20other%20items%20above.%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-information-protection%2Fdiscover-and-protect-sensitive-data-through-azure-information%2Fba-p%2F297292%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-information-protection%2Fdiscover-and-protect-sensitive-data-through-azure-information%2Fba-p%2F297292%3C%2FA%3E%3C%2FLINGO-BODY%3E
Contributor

While doing some reading I came across the below article about viewing label activity

https://docs.microsoft.com/en-us/microsoft-365/compliance/data-classification-activity-explorer

 

The article says you can see a number of activities listed as:

 

  • File created
  • File modified
  • File renamed
  • File copied to cloud
  • File accessed by unallowed app
  • File printed
  • File copied to removable media
  • File copied to network share
  • File read
  • file copied to clipboard
  • Label applied
  • Label changed (upgraded, downgraded, or removed)

My problem is when I go to the Label activity explorer I only have two options (Label Activities and Label changes).  I don't see all the other useful activities such "File copied to removable media".  I have the necessary license, Office 365 (E5), applied to the accounts. 

 

I've done testing by copying a labeled file to a USB and get no activity.  I think I have all the right permissions but maybe there is a role or permission within the Security and Compliance portal I need?  

 

Can anyone help shed some light on this?

 

 

1 Reply
Yes, in short, you need Microsoft Defender ATP if you want to have visibility in the logs for events such as copying files to USB and many of the other items above. https://techcommunity.microsoft.com/t5/azure-information-protection/discover-and-protect-sensitive-d...