Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
Admin guide to auditing and reporting for the AIP Unified Labeling client
Published Sep 01 2022 09:00 AM 9,561 Views
Microsoft

Auditing and reporting play important roles in the security and compliance strategy for many organizations. With the continued expansion of the technology landscape that has an ever-increasing number of systems, endpoints, operations, and regulations, it becomes even more important to have a comprehensive logging and reporting solution in place.

 

For customers of the Azure Information Protection (AIP) Unified Labeling client, the experience is fully integrated with the auditing solution from Microsoft Purview. Audit events generated from the unified labeling client are included within the Office 365 activity log and the Microsoft 365 unified audit log for your organization. These events can be exported to a reporting solution or SIEM. Additionally, the information in the Microsoft 365 unified audit logs is available in the Activity explorer, showing reports with up to 30 days of data.

 

In this blog post, we address:

  1. The various AIP events in the Office 365 activity log
  2. The labeling events in the unified audit log, and how to work with the Activity explorer to get a granular view of AIP events in the unified audit log
  3. How to continuously export data from the unified audit log to Azure Log Analytics
  4. How to set up a customizable dashboard to make sense of the AIP events, built as a workbook on top of Azure Log Analytics

Customers transitioning from the AIP Analytics solution [which will be fully retired by September 30, 2022] to Microsoft Purview will find this blog post helpful.

 

1. Audit events from the AIP Unified Labeling client

The AIP Unified Labeling client includes the Add-in for Office, the Scanner, the Viewer for Windows, the client PowerShell, and the Classify-and-Protect shell extension for Windows. All these components generate audit events that show up in the Office 365 activity logs and can be queried using the Office 365 Management Activity API.

 

The five events (also called “AuditLogRecordType”) specific to AIP listed below, and more details about each can be found within the API reference.

 

Value

Member name

Description

93

AipDiscover

Azure Information Protection (AIP) scanner events.

94

AipSensitivityLabelAction

AIP sensitivity label events.

95

AipProtectionAction

AIP protection events.

96

AipFileDeleted

AIP file deletion events.

97

AipHeartBeat

AIP heartbeat events.

 

The raw events are useful during a deep investigation but are too complex for an administrator trying to explore AIP activity or search for specific events; the unified audit log and the Activity explorer are better suited for this purpose. The AIP Unified Labeling client activities in the Office 365 activity log are parsed and standardized into the unified audit log. The AipSensitivityLabelAction in the Office 365 activity log is further split and mapped to standardized labeling events in the unified audit log and Activity explorer:

  • Sensitivity label applied
  • Sensitivity label changed
  • Sensitivity label removed
  • Sensitivity label file read

This standardization also provides consistency to queries and reporting as your organization makes the transition from the AIP Add-in to Office built-in labels.

 

2. View, query and detect audit events in Activity explorer

yangchen_0-1661544832158.png

 

The Activity explorer in the compliance portal provides a graphical interface to view events in the unified audit log. As the administrator of your tenant, you can use the Activity explorer queries to determine whether the policies and controls implemented in your organization are effective. The Activity explorer allows you to detect actions being taken for up to 30 days and clearly see when and how sensitive data is being handled within your organization.

 

There are more than 30 filters in the Activity explorer to help refine the data you see. To see AIP-specific activity, set the following filters:

  • Activity type:
    • Label applied
    • Label changed
    • Label removed
    • Label file read
  • Application:
    • Microsoft Azure Information Protection Word Add-In
    • Microsoft Azure Information Protection Excel Add-in
    • Microsoft Azure Information Protection PowerPoint Add-In
    • Microsoft Azure Information Protection Outlook Add-in

You might not see all the options in the filter, or you might see more; the filter values depend on what activities are captured for your tenant. For more information about the Activity explorer, read the get started guide.

 

3. Continuously export data from the unified audit log to Azure Log Analytics

The Activity explorer provides an out-of-the-box solution within the Microsoft Purview portal to help customers understand the sensitivity of their data estate. However, customers looking for more query flexibility, longer retention, and the ability to create custom dashboards will need to export the data out of Microsoft Purview. The recommended storage solution is Azure Log Analytics.

 

Azure Log Analytics is an interactive workspace that enables ingestion and storage of massive amounts of data, indexes the data, and allows complex querying through an interface or API using the Kusto Query Language.

 

The Microsoft Purview Information Protection connector was introduced into Sentinel on January 9, 2023. The Microsoft Purview Information Protection connector streams data to a log analytics table (MicrosoftPurviewInformationProtection) and contains events related to Azure Information Protection. These events are similar to what used to show up within the Azure Information Protection log analytics table (InformationProtectionLogs_CL) and can be stored in the same log analytics workspace. The Microsoft Purview Information Protection connector must be enabled within Microsoft Sentinel to see events populate in log analytics going forward. Guidance on how to adjust transition queries to the new connector within log analytics can be found here: Migrate analytics from Azure Information Protection to Microsoft Purview Information Protection. 

 

NOTE 1: Rights Management Service (RMS) events that were previously available in AIP Analytics will not be accessible from the unified audit log. These events will be added back later and enriched with more relevant information to make these events complete and useful. 

 

4. Set up a customizable dashboard with a workbook in Azure Log Analytics

yangchen_1-1680728303166.png

 

Once the data is available within Azure Log Analytics, you can create your own custom dashboard using Azure workbooks. Use the template and guide we have provided on GitHub as a start point; the template provides the same charts and datapoints that are in the AIP Analytics experience. 

 

You’re all set! Explore the tools and the out-of-the-box solutions and give us your feedback.

 

NOTE 2: The workbook queries can be edited and additional queries can be added to meet the needs of the organization. Sample PowerShell queries are shared on Github to help your organization get started.

Microsoft Purview Information Protection connector is the only supported pathway to continuously export audit data into Azure Log Analytics.

 

References:

Additional resources

 

 

 

 

 

 

 

 

 

3 Comments
Co-Authors
Version history
Last update:
‎Jan 25 2024 12:02 PM
Updated by: