Comments on: Monitoring Microsoft Information Protection with Microsoft Sentinel
https://practical365.com/monitoring-microsoft-information-protection-with-microsoft-sentinel/
Practical Office 365 News, Tips, and Tutorials
Sat, 17 Dec 2022 10:14:13 +0000

By: Thijs Lecomte https://practical365.com/monitoring-microsoft-information-protection-with-microsoft-sentinel/#comment-248503 Sat, 17 Dec 2022 10:14:13 +0000 https://practical365.com/?p=56393#comment-248503 In reply to Saleem.

Unfortunately, I don’t know if there is a way to translate id to name natively. I would recommend setting up a watchlist with the translation and using it in your queries.

By: Saleem https://practical365.com/monitoring-microsoft-information-protection-with-microsoft-sentinel/#comment-248053 Thu, 08 Dec 2022 14:45:53 +0000 https://practical365.com/?p=56393#comment-248053

How do we get the Sensitivity Label name instead of SensitivityLabelId? What I am looking for is a report on label downgrades for the last 24 hours. Below is my query, but I need to output the label name as well.

CloudAppEvents
| where TimeGenerated > ago(24h)
| where ActionType contains "Sensitivity" or ActionType == "MipLabel"
| where RawEventData.Operation == "SensitivityLabelUpdated"
| where parse_json(tostring(RawEventData.SensitivityLabelEventData)).LabelEventType == 2
| extend OldSensitivityLabelId_ = tostring(parse_json(tostring(RawEventData.SensitivityLabelEventData)).OldSensitivityLabelId)
| extend ObjectId_ = tostring(RawEventData.ObjectId)
| extend SensitivityLabelId_ = tostring(parse_json(tostring(RawEventData.SensitivityLabelEventData)).SensitivityLabelId)
| extend ProcessName_ = tostring(parse_json(tostring(RawEventData.Common)).ProcessName)
| extend JustificationText_ = tostring(parse_json(tostring(RawEventData.SensitivityLabelEventData)).JustificationText)
| project format_datetime(TimeGenerated, 'dd-MM-yyyy'), AccountDisplayName, ObjectId_, OldSensitivityLabelId_, SensitivityLabelId_, ProcessName_, JustificationText_

By: Naveeen https://practical365.com/monitoring-microsoft-information-protection-with-microsoft-sentinel/#comment-246901 Thu, 10 Nov 2022 13:13:37 +0000 https://practical365.com/?p=56393#comment-246901

Thanks, it's really helpful. Could you please share more Azure Sentinel monitoring rules for MIP?

By: Thijs Lecomte https://practical365.com/monitoring-microsoft-information-protection-with-microsoft-sentinel/#comment-244640 Wed, 12 Oct 2022 02:43:27 +0000 https://practical365.com/?p=56393#comment-244640 In reply to RF.

Billing in Microsoft Sentinel is based on the data you ingest and retain. When adding additional sources, your pricing will increase.

By: RF https://practical365.com/monitoring-microsoft-information-protection-with-microsoft-sentinel/#comment-244233 Tue, 04 Oct 2022 23:06:26 +0000 https://practical365.com/?p=56393#comment-244233

Can you please elaborate on the additional cost you mentioned above?

By: Thijs Lecomte https://practical365.com/monitoring-microsoft-information-protection-with-microsoft-sentinel/#comment-238642 Sat, 28 May 2022 13:02:14 +0000 https://practical365.com/?p=56393#comment-238642 In reply to Roop.

In the backend they will be the same, just set up a bit differently. Cloud App data also consists of other data outside of AIP; it includes everything from O365.

By: Roop https://practical365.com/monitoring-microsoft-information-protection-with-microsoft-sentinel/#comment-238636 Fri, 27 May 2022 02:35:08 +0000 https://practical365.com/?p=56393#comment-238636 In reply to Thijs Lecomte.

May I know what the difference is between AIP data and cloud app data? Both are collecting the same log. Then why do we need to use AIP?

By: Thijs Lecomte https://practical365.com/monitoring-microsoft-information-protection-with-microsoft-sentinel/#comment-238613 Tue, 24 May 2022 19:31:17 +0000 https://practical365.com/?p=56393#comment-238613 In reply to Michael.

Correct, this is just another way to get the data. But nothing official (as it also has an additional cost).

By: Michael https://practical365.com/monitoring-microsoft-information-protection-with-microsoft-sentinel/#comment-238611 Tue, 24 May 2022 15:20:05 +0000 https://practical365.com/?p=56393#comment-238611

This is not the official replacement for AIP analytics, right?
