J
Jon Nordström
This is a step-by-step guided walkthrough of the Microsoft Purview extended report experience and how it can empower your organization to understand the cyber security risks in a context that allows them to achieve more. By focusing on the information and organizational context to reflect the real impact/value of investments and incidents in cyber.
Prerequisites
Overview and vision
The vision with this package is that it will allow for faster and more integrated communication between leaders and the cyber operations teams in a context that allows for effective collaboration. The structure can help present the positive result of attacks prevented by measuring distance to corporate secrets. It can also help you provide a view of the impact of an incident by listing the sensitive systems and content the attackers have accessed.
Based on the information you may also identify patterns where you need to improve your security posture based on sensitive content and systems. This makes improvement projects more connected to company value. Cybersecurity is fast pacing so being able to understand the future is just as important as current state. With this data available you should be able to input details about future threats and project their impact. As part of this we are also creating Security Copilot skills to help identify future risks.
Step-by-step guided walkthrough
Principles for the dashboards
When opening the Power BI view whether it is from a web-based version or from Power BI desktop you will find unique users and unique devices. These are user accounts and devices that have had at least one security incident flagged in Microsoft Defender Portal and have accessed sensitive information. Organizations may select to filter these based on incident flags, the type of incident etc. how to achieve this is outlined in the implementation guide.
Let us have a look at the base elements in the CISO, CCO view.
The core rule for what is shown is that sensitive content has been touched by a compromised system or account. A compromised system or account that has not accessed any sensitive content will not be shown. The only exception is the Operational scope pages more detail later.
Board level sample data.
The first version has four risk dimensions,
The KPI diagram should be updated to a target that makes sense to the core security projects run by the organization.
With Security Copilot you can get this type of detail as well. It will help you with the contextual detail. Here is one example of a custom sensitive information type. The sub bullets are departments.
There is also a view included for the use of Sensitivity labels.
Let’s use this sample where we pair the usage with Copilot for Security. Let us say that one of the object names is listall.json. And I want to get all the information surrounding that file.
Or you may have an e-mail subject that you are concerned about.
The information shared is to provide you with an idea of how to get started. Consider adding actual monetized impact on events across the system. Both those that were avoided and those that had a negative impact.
Improvement Project reporting
For data-driven feedback on the impact of improvement projects, we have a few sample dashboards to get you started. They are there to allow you to see the art of the possible. The rich data that is available from the system will in many cases allow you to build your own data-driven dashboards to show progress. The samples that are available is Document KPI, Oversharing SharePoint, Email KPI, Content upload, Operational Scope, and Operational scope classified content.
Below is a sample dashboard that displays the number of protected versus unprotected document operations across the organization. E.g. which ones are sensitivity labeled and which ones are not. Follow the technical guidance for setting this up properly.
This example provides an overview of the suppliers being used to access sensitive content. This is based on the processes, you may select to do something similar based on the IP tags and ranges and access to sensitive content and systems.
This example contains details about how credential data is being processed across the organization. To capture the All Credential Types you need to enable a policy for all workloads including endpoint.
Incident reporting and progress
The incident reporting and progress view provides insights into the analyst process. It provides the overall efficiency metrics and measures to gauge the performance. It provides incident operations over time by different criteria, like severity, mean time to triage, mean time to resolve, By DLP Policy and more. You should customize this view to work with your practices.
The package also comes with optimization suggestions per workload. Exchange, SharePoint, OneDrive for Business, Endpoint, Teams, and OCR.
You may select to use Copilot to summarize your incidents and provide next steps. This is a sample of output from Copilot summarizing an incident. The steps for implementing and tuning Security Copilot can be found in the Guidance Playbook for Security Copilot.
Events
As part of the technical documentation, there is guidance to set up additional event collection. If you are a decision-maker, consider if you want to set up alerts based on the views you have in Power BI. It is highly likely that a rule can be set up to trigger flows where you need to be involved. Here is the documentation for Microsoft Defender XDR Create and manage custom detection rules in Microsoft Defender XDR | Microsoft Learn.
Copilot for security can be used to draw conclusions from all relevant events associated with an incident and provide suggestions for next steps. This is a sample where it uses the corporate policy document from Microsoft Azure AI as well as Microsoft Defender incidents to suggest next steps. You can also use the upload feature Upload a file | Microsoft Learn.
Here is another example where you may want to confirm if content has been touched by a compromised account.
Posts part of this series.
Continue reading...
Prerequisites
- License requirements for Microsoft Purview Information Protection depend on the scenarios and features you use. To understand your licensing requirements and options for Microsoft Purview Information Protection, see the Information Protection sections from Microsoft 365 guidance for security & compliance and the related PDF download for feature-level licensing requirements. For the best experience, all Microsoft Defender products should be enabled.
- Follow the step-by-step guide to set up the reporting found here.
- The DLP incident management documentation can be found here.
- Install Power BI Desktop to make use of the templates Downloads | Microsoft Power BI
Overview and vision
The vision with this package is that it will allow for faster and more integrated communication between leaders and the cyber operations teams in a context that allows for effective collaboration. The structure can help present the positive result of attacks prevented by measuring distance to corporate secrets. It can also help you provide a view of the impact of an incident by listing the sensitive systems and content the attackers have accessed.
Based on the information you may also identify patterns where you need to improve your security posture based on sensitive content and systems. This makes improvement projects more connected to company value. Cybersecurity is fast pacing so being able to understand the future is just as important as current state. With this data available you should be able to input details about future threats and project their impact. As part of this we are also creating Security Copilot skills to help identify future risks.
Step-by-step guided walkthrough
Principles for the dashboards
When opening the Power BI view whether it is from a web-based version or from Power BI desktop you will find unique users and unique devices. These are user accounts and devices that have had at least one security incident flagged in Microsoft Defender Portal and have accessed sensitive information. Organizations may select to filter these based on incident flags, the type of incident etc. how to achieve this is outlined in the implementation guide.
Let us have a look at the base elements in the CISO, CCO view.
- These are the default KPI views, you define a target for how much sensitive data can be accepted to be touched by compromised devices or users.
- This is the view of the incidents showing the classification and type of attack. This view may be changed to be based on tags or other fields that instructs on what can be done to mitigate future attacks.
- The number of compromised users and devices that have accessed sensitive content.
- The count and types of sensitive content accessed by the compromised systems.
The core rule for what is shown is that sensitive content has been touched by a compromised system or account. A compromised system or account that has not accessed any sensitive content will not be shown. The only exception is the Operational scope pages more detail later.
Board level sample data.
The first version has four risk dimensions,
- Legal Compliance, you should tweak this view to be centered around your regulatory obligations. The base report shows Credit card and end-user identifiable as an example. A suggestion is that you select the applicable sensitive information types, and group them under a regulator name (Like SEC, FDA, FCC, NTIA, FCA etc..). How to achieve this is outlined in the implementation guide. You may also update the KPI graph to align better with the objectives you have as an organization. A click on the department will filter the content across the page.
- Trust Reputation, the standard setup of this report is to show privacy-related data. The impact of having customer data leaking is devastating to the Trust customers have for the organization. You can configure the report to be centered around the privacy data that is most applicable to your business.
- Company and Shareholder Value is centered around the organization's own secrets. Secret drawings, source code, internal financial results dashboards, supply chain information, product development, and other sensitive information. The dashboard is built on a few core components.
- Access to content labeled as Sensitive from compromised.
- Update this diagram to only reflect the sensitivity labels with high impact to the business, we will only show access made by compromised accounts.
- Access to mission-critical systems from compromised.
- This is based on connections to URL’s or IP addresses that host business sensitive systems. This should come from the asset classification already made for critical systems.
- Access to Sensitive content from compromised.
- This should be the core Sensitive information types, fingerprints, exact data matches that directly can impact the valuation of the organization.
- Access to content labeled as Sensitive from compromised.
The KPI diagram should be updated to a target that makes sense to the core security projects run by the organization.
- Operational scope provides your organization with information about where Sensitive information is processed. Failing to process at the appropriate location may directly impact whether an organization is allowed to operate in specific markets or not. This report can also be used for restructuring the company and other actions to keep the company competitive while still staying in compliance with regulations.
With Security Copilot you can get this type of detail as well. It will help you with the contextual detail. Here is one example of a custom sensitive information type. The sub bullets are departments.
There is also a view included for the use of Sensitivity labels.
- The CISO view contains more detail than the Board reports as outlined initially in this post. This is the Company & Shareholder Value view. Based on the implementation guide this view can be customized to meet the needs of your organization. But based on this you may feel that more detail is needed. This leads to the detail view.
- Account Detailed Data view provides the next level of detail.
- In the green box you will find all the users with incidents, where you can learn more about threat actors, threat families etc… as part of the implementation guide you can learn how to add additional fields such as tags and type.
- In the red box you will find information about the actual documents and information that the user has been accessing.
Let’s use this sample where we pair the usage with Copilot for Security. Let us say that one of the object names is listall.json. And I want to get all the information surrounding that file.
Or you may have an e-mail subject that you are concerned about.
The information shared is to provide you with an idea of how to get started. Consider adding actual monetized impact on events across the system. Both those that were avoided and those that had a negative impact.
Improvement Project reporting
For data-driven feedback on the impact of improvement projects, we have a few sample dashboards to get you started. They are there to allow you to see the art of the possible. The rich data that is available from the system will in many cases allow you to build your own data-driven dashboards to show progress. The samples that are available is Document KPI, Oversharing SharePoint, Email KPI, Content upload, Operational Scope, and Operational scope classified content.
Below is a sample dashboard that displays the number of protected versus unprotected document operations across the organization. E.g. which ones are sensitivity labeled and which ones are not. Follow the technical guidance for setting this up properly.
This example provides an overview of the suppliers being used to access sensitive content. This is based on the processes, you may select to do something similar based on the IP tags and ranges and access to sensitive content and systems.
This example contains details about how credential data is being processed across the organization. To capture the All Credential Types you need to enable a policy for all workloads including endpoint.
Incident reporting and progress
The incident reporting and progress view provides insights into the analyst process. It provides the overall efficiency metrics and measures to gauge the performance. It provides incident operations over time by different criteria, like severity, mean time to triage, mean time to resolve, By DLP Policy and more. You should customize this view to work with your practices.
The package also comes with optimization suggestions per workload. Exchange, SharePoint, OneDrive for Business, Endpoint, Teams, and OCR.
You may select to use Copilot to summarize your incidents and provide next steps. This is a sample of output from Copilot summarizing an incident. The steps for implementing and tuning Security Copilot can be found in the Guidance Playbook for Security Copilot.
Events
As part of the technical documentation, there is guidance to set up additional event collection. If you are a decision-maker, consider if you want to set up alerts based on the views you have in Power BI. It is highly likely that a rule can be set up to trigger flows where you need to be involved. Here is the documentation for Microsoft Defender XDR Create and manage custom detection rules in Microsoft Defender XDR | Microsoft Learn.
Copilot for security can be used to draw conclusions from all relevant events associated with an incident and provide suggestions for next steps. This is a sample where it uses the corporate policy document from Microsoft Azure AI as well as Microsoft Defender incidents to suggest next steps. You can also use the upload feature Upload a file | Microsoft Learn.
Here is another example where you may want to confirm if content has been touched by a compromised account.
Posts part of this series.
- Cyber Security in a context that allows your organization to achieve more
Cybersecurity in a context that allows your organization to achieve more - Security for Copilot Data Security Analyst plugin Learn how to customize and optimize Copilot for Security with the custom Data Security plugin
- How to build the Microsoft Purview extended report experience How to build the Microsoft Purview extended report experience
Continue reading...