How to build the Microsoft Purview extended report experience


Guest Jon Nordström
Posted

This is a step-by-step guided walkthrough of the extended report experience.

Prerequisites

  • License requirements for Microsoft Purview Information Protection depend on the scenarios and features you use. To understand your licensing requirements and options, see the Information Protection sections of Microsoft 365 guidance for security & compliance and the related PDF download for feature-level licensing requirements.
  • With Endpoint DLP enabled, all endpoint interaction with sensitive content is already included in the audit log. For Microsoft 365 SharePoint, OneDrive, Exchange and Teams you can enable policies that generate events but not incidents for the important sensitive information types.
  • Install Power BI Desktop to use the templates (Downloads | Microsoft Power BI).

Step-by-step guided walkthrough

In this guide we provide the high-level steps to get started with the new tooling.

  1. Get the latest version of the report you are interested in from here. In this case we show the Board report.
  2. Open the report. If Power BI Desktop is installed, it should look like this.

[Screenshot: JonNordstrm_84-1713948816198.png]

  3. You may have to approve the use of ArcGIS Maps if that has not been done before.

[Screenshot: JonNordstrm_85-1713948816203.png]

  4. You must authenticate with https://api.security.microsoft.com: select Organizational account, sign in, then click Connect.

[Screenshot: JonNordstrm_86-1713948816206.png]

  5. You will also have to authenticate with https://api.security.microsoft.com/api/advancedhunting: select Organizational account, sign in, then click Connect.

[Screenshot: JonNordstrm_87-1713948816208.png]

  6. The report starts collecting the information from the built-in queries. Note that this can take quite some time in larger environments.

[Screenshot: JonNordstrm_88-1713948816210.png]

  7. When the load completes you should see something like this in the Legal and Compliance tab. The report provides details on all content that matches built-in and custom sensitive information types, and on any content that has been touched by the compromised user accounts or devices shown in the red box. The report then needs to be updated as described below.

[Screenshot: JonNordstrm_89-1713948816249.png]

7.1 All the reports have diagrams with KPIs that measure the progress of improvement projects. In the sample above (grey box), the KPI is based on how much sensitive content is accessed by compromised users or devices. Adjust this to whatever resonates with your key objectives.

7.2 The green boxes used for the KPI measurements take their values from MaxDataSensitiveRisk, MaxDataDevice and MaxDataUser in the Goals table. You can either add a new value or update the current value.

[Screenshot: JonNordstrm_90-1713948816251.png]

7.2.1 To update the current value, select Transform data.

[Screenshot: JonNordstrm_91-1713948816264.png]

7.2.2 Select Goals, then click the gear icon next to the Source step.

[Screenshot: JonNordstrm_92-1713948816271.png]

7.2.3 You can now update the values stored in the template. If you want to use a different value, click the + sign to add additional columns.

[Screenshot: JonNordstrm_93-1713948816272.png]

7.2.4 When you have made the modifications, click Close & Apply.

[Screenshot: JonNordstrm_94-1713948816273.png]

7.3 Update the high-level description in the blue box to match the content, or replace it with something automatically generated by Copilot.

7.4 Based on the organization's requirements, filter to only the required sensitive information types.

[Screenshot: JonNordstrm_95-1713948816330.png]

7.5 The last part you may want to update is the incident diagrams. By default they show the severity and type of attack for incidents linked to access to sensitive data. You may want to map this to incident tags or other fields based on your requirements.

[Screenshot: JonNordstrm_96-1713948816334.png]

  8. The Trust & Reputation tab is built similarly to the Legal and Compliance scorecard. Update it based on the requirements for your use case. The initial idea for this report is to show privacy-related data: the impact of customer data leaking is devastating for the trust customers have in the organization. Other reputational data points should be added as needed.

[Screenshot: JonNordstrm_97-1713948816348.png]

  9. The Company & Shareholder Value tab contains some more information. The goal is to customize it so that it is bound to the organization's secrets: secret drawings, source code, internal financial results dashboards, supply chains, product development and other sensitive information. You may want to filter down to EDM and fingerprint type SITs and specific trainable classifiers for this report.

[Screenshot: JonNordstrm_98-1713948816375.png]

9.1 To get an accurate mapping of labelled content, you need to update the MIPLabel table with your label names and GUIDs.

[Screenshot: JonNordstrm_99-1713948816376.png]

9.1.2 Select Transform data.

[Screenshot: JonNordstrm_100-1713948816388.png]

9.1.3 Select MIPLabel, then click the gear icon next to the Source step.

[Screenshot: JonNordstrm_101-1713948816395.png]

9.1.4 Connect to Security & Compliance (SCC) PowerShell with Connect-IPPSSession, then:

  • Run: Get-Label | Select-Object ImmutableId, DisplayName
  • Copy the output

[Screenshot: JonNordstrm_102-1713948816397.png]

9.1.5 You can now update the values stored in the template. This ensures that the name mapping of labels works as expected.

[Screenshot: JonNordstrm_103-1713948816400.png]

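The export in 9.1.4 and the paste into the MIPLabel table in 9.1.5 can be done in one go with a small script. The script below is an added example and is not part of the original post or of the report package. It assumes the ExchangeOnlineManagement module is installed, that Connect-IPPSSession has already been run against the right tenant, and that the output path and the clipboard step suit your environment (both are assumptions you can change).

```powershell
# Added example (not from the original post): export the ImmutableId -> DisplayName
# mapping that the template's MIPLabel table expects, check it, and put it on the
# clipboard ready to paste into the Source step of the MIPLabel query.
# Assumes Connect-IPPSSession has already been run (ExchangeOnlineManagement module).

$OutFile = Join-Path $env:TEMP 'MIPLabel.csv'   # assumed output path; change as needed

# Pull every sensitivity label with the two columns the MIPLabel table uses.
# ImmutableId is the GUID that appears in audit and advanced hunting data;
# DisplayName is what the report should render instead of the GUID.
$labels = Get-Label |
    Select-Object @{ Name = 'ImmutableId'; Expression = { $_.ImmutableId.ToString() } },
                  DisplayName

# Sanity checks before handing the data to the report: an empty result usually
# means the session is connected to the wrong tenant, and duplicate display
# names break the one-to-one GUID -> name mapping the template assumes.
if (-not $labels) {
    throw 'Get-Label returned nothing. Run Connect-IPPSSession against the correct tenant first.'
}
$dupes = $labels | Group-Object DisplayName | Where-Object Count -gt 1
if ($dupes) {
    Write-Warning ('Duplicate DisplayName values found; the report cannot tell these apart: ' +
                   ($dupes.Name -join ', '))
}

# Write the mapping as CSV with a clean header row (no type information line),
# which is what Power Query's CSV import expects.
$labels | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
Write-Host "Wrote $($labels.Count) labels to $OutFile"

# Also place the same two columns on the clipboard so they can be pasted straight
# into the MIPLabel Source step (step 9.1.5 of the walkthrough).
$labels | ConvertTo-Csv -NoTypeInformation | Set-Clipboard
```

Keep the CSV with the report package: when labels are renamed or new sub-labels are added, rerun the script and refresh the MIPLabel table, otherwise new content shows up in the report as a bare GUID.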
9.1.6 The next step is to update the "Access to mission-critical systems from compromised devices" view. Select the SensitiveSystems query, then click Advanced Editor.

[Screenshot: JonNordstrm_104-1713948816426.png]

9.1.7 Update the list of URLs for the systems that have high business impact if an attacker has accessed them. It is important to use only single quotes around each URL. Right now there is no straightforward way to capture these URLs automatically, so they have to be entered manually. Once complete, click Done.

[Screenshot: JonNordstrm_105-1713948816451.png]

9.1.8 When completed, click Close & Apply.

[Screenshot: JonNordstrm_106-1713948816453.png]

  10. If the previous steps have been completed, the Operational Scope tab should be ready. This view tells the organization where sensitive information is processed, which helps identify from where content is processed and by which legal entity and function. Not knowing this may directly affect whether an organization is allowed to operate in a specific market, and it also affects restructuring and other actions needed to keep the company competitive.

[Screenshot: JonNordstrm_107-1713948955268.png]

10.1 There is one additional tab that does the same based on sensitivity labels, called Operational Scope Classified Content.

[Screenshot: JonNordstrm_108-1713948955298.png]

  11. The KPI tabs are more condensed and should be customized to fit the context of the organization and the leaders to whom the information is presented. The key thing is to communicate the information in a context that resonates.

[Screenshot: JonNordstrm_109-1713948955360.png]

11.1 Update the incident view highlighted in red and switch it to something that works for the audience; it may be one of the tags or another detail. Also be very deliberate about which incidents should feed the data shown in this dashboard. One way is to use tags: you may elect to show only incidents tagged with PossibleBoard, for example. This can enhance communication between security teams and the board by making analysts aware of the importance of their work and its direct correlation with organizational leadership.

[Screenshot: JonNordstrm_110-1713948955394.png]

11.2 In this sample we have Credit Card in Focus and End User Identifiable. Replace these with regulator names (SEC, FDA, FCC, NTIA, FCA, etc.) and the associated sensitive information types: change the name and update the sensitive information filter.

[Screenshot: JonNordstrm_111-1713948955396.png]

Additional reports that come with this package

We are shipping a few additional reports that can be used to gain further insights. The Project sample provides this view for label usage. You can modify the targets the same way you did for the Board report.

[Screenshot: JonNordstrm_112-1713948955405.png]

One additional tip for this report is that you can:

  1. Configure the "Maximum value" to be your target value; create the value in the Goals table.
  2. Set the "Target value" to the value you had over the past period (275 in the case above).

[Screenshot: JonNordstrm_113-1713948955406.png]

The incident sample provides views like this. The incident reporting and progress view gives insight into the analyst process: overall efficiency metrics and measures to gauge performance, and incident operations over time by different criteria such as severity, mean time to triage, mean time to resolve, DLP policy, and more. You should customize this view to work with your practices.

[Screenshot: JonNordstrm_114-1713948955418.png]

The incident view covers 6 months by default, while the event data covers the past 30 days. To retain event data beyond 30 days you can use Microsoft Sentinel. If you instead want to reduce the incident window, follow these steps.

  1. Go to Transform data.
  2. Select the Incident table and open its settings. By default you will see this:

[Screenshot: JonNordstrm_115-1713948955418.png]

  3. Update this to 30 days, for example by changing the value as shown here:

[Screenshot: JonNordstrm_116-1713948955425.png]

  4. The resulting Source expression, with the cutoff date computed relative to today:

     = OData.Feed("
     gt " & Date.ToText(Date.AddDays(Date.From(DateTime.LocalNow()), -30), "yyyy-MM-dd"), null, [Implementation="2.0"])

The report also has a per-workload detailed view, like this sample for Exchange Online. The report covers Exchange, SharePoint, OneDrive for Business, Endpoint, Teams and OCR.

[Screenshot: JonNordstrm_117-1713948955440.png]

Additional configuration to be made

This configuration is required to capture sensitive information transferred in Exchange Online or SharePoint Online. It consists of DLP policies that take no action and raise no alerts, so that the events are still recorded without generating incidents. This is also important for the Copilot for Security functionality to work correctly.

  1. Create a custom policy.

[Screenshot: JonNordstrm_118-1713948955447.png]

  2. Name the policy based on your naming standard and provide a description of the policy.

[Screenshot: JonNordstrm_119-1713948955451.png]

  3. Select the workloads from which you want to capture sensitive data usage. Devices do not need to be included: Endpoint DLP captures all sensitive data processing by default.

[Screenshot: JonNordstrm_120-1713948955457.png]

  4. Click Next.

[Screenshot: JonNordstrm_121-1713948955459.png]

  5. Click Create rule.

[Screenshot: JonNordstrm_122-1713948955460.png]

  6. Provide a rule name, click Add condition, then click Content contains.

[Screenshot: JonNordstrm_123-1713948955464.png]

  7. Then click Sensitive info types and select all the relevant sensitive information types you want to capture for both internal and external processing. Focus on the sensitive information types that are key to your operations (maximum 125 per rule). Then click Add. You can add your own custom SITs or use the built-in SITs.

[Screenshot: JonNordstrm_124-1713948955478.png]

  8. If you want other conditions to be true for generating signals, such as external communications, add that condition. Next, ensure that no Action, User notifications, Incident reports or "Use email incident reports" options are turned on. They should all be turned off.

[Screenshot: JonNordstrm_125-1713949122686.png]

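The audit-only policy from steps 1 to 8 can also be created from Security & Compliance PowerShell, which makes it repeatable across tenants and easy to review. The script below is an added example, not from the original post or the report package. The policy and rule names and the list of sensitive information types are constructed for illustration, and it assumes Connect-IPPSSession has already been run with a role that can manage DLP policies.

```powershell
# Added example (not from the original post): build the audit-only DLP policy from
# PowerShell. Names and the SIT list are constructed placeholders; adjust to your
# naming standard. Assumes Connect-IPPSSession has already been run.

$PolicyName = 'Audit - Sensitive Info Visibility'   # assumed name
$RuleName   = 'Audit - Key SITs (no action)'        # assumed name

# Sensitive information types to observe. Built-in SIT names are referenced by
# their display name; custom SITs are referenced the same way. Keep the list
# focused on what matters to your operations: a rule supports at most 125 SITs.
$SitNames = @(
    'Credit Card Number',
    'U.S. Social Security Number (SSN)',
    'International Banking Account Number (IBAN)'
)
if ($SitNames.Count -gt 125) {
    throw "A single DLP rule supports at most 125 sensitive information types; got $($SitNames.Count)."
}
# New-DlpComplianceRule expects one hashtable per SIT.
$SitConditions = @($SitNames | ForEach-Object { @{ Name = $_ } })

# 1) Policy scoped to the cloud workloads only. Devices are left out on purpose:
#    Endpoint DLP already audits sensitive content activity without a policy.
New-DlpCompliancePolicy -Name $PolicyName `
    -Comment 'Generates audit events only; no enforcement, notifications or alerts.' `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -TeamsLocation All `
    -Mode Enable

# 2) Rule that only matches content. No -BlockAccess, -NotifyUser,
#    -GenerateIncidentReport or -GenerateAlert is passed, so nothing is enforced
#    or alerted; each match is still written to the audit log, which is what the
#    report reads.
New-DlpComplianceRule -Name $RuleName -Policy $PolicyName `
    -ContentContainsSensitiveInformation $SitConditions

# 3) Verify the rule really is passive before relying on it: any action or
#    report left on would turn observed matches into incidents.
$rule = Get-DlpComplianceRule -Identity $RuleName
$rule | Select-Object Name, BlockAccess, NotifyUser, GenerateIncidentReport, Disabled
if ($rule.BlockAccess -or $rule.NotifyUser -or $rule.GenerateIncidentReport) {
    Write-Warning "Rule '$RuleName' has an action or report enabled; the walkthrough expects all of these off."
}
```

The verification step is worth keeping in any change pipeline: a later edit in the portal that enables a notification or incident report on this rule silently changes the report's data from "events" to "incidents", which skews every dashboard built on it.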
Set up the Power BI online view

Providing an online view of the data has several benefits. You can delegate access to the dashboard without delegating permissions to the underlying data set. You can also create queries that show information only for a specific division or market and present that information only to that market. You can set up a scheduled refresh so the data is refreshed without having to upload it again.

Follow the steps in "Create a Power BI report from Microsoft Sentinel data" to set up the integration.
