This blog post summarizes my investigation around DLP event data, where it can be found and is there any differences between solutions (Sentinel vs O365 Management Activity API).
Before Azure Sentinel, the Log Analytics had an O365 solution that you could install to the Log Analytics workspace to get O365 events to the workspace (This solution will be deprecated in the near future). Now, you can ingest O365 data to Azure Sentinel with an O365 data connector.
Background – What’s Data Loss Prevention? (docs.microsoft.com)
Data Loss Prevention (DLP) is an O365 feature in the O365 Security & Compliance Center, which is used to identify, monitor, and automatically protect sensitive information across Office 365. With the policies, you can perform the following activities (detailed information is described in here):
- Identify sensitive information across many locations, such as Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams
- Prevent the accidental sharing of sensitive information.
- Monitor and protect sensitive information in the desktop versions of Excel, PowerPoint, and Word
- Help users learn how to stay compliant without interrupting their workflow
- View DLP reports showing content that matches your organization’s DLP policies
Where Is The DLP Audit Data?
Data Loss Prevention audit data can be found from different places in the ecosystem:
- Security and Compliance Center – UAL logs
- Also through PowerShell cmdlets
- Office 365 Management Activity API
DLP Audit Data Schema
The reference link to the DLP schema can be found from docs.microsoft.com.
DLP schema description (docs.microsoft.com):
DLP events are available for Exchange Online, SharePoint Online, and OneDrive For Business. Note that DLP events in Exchange are only available for events based on unified DLP policy (e.g. configured via Security & Compliance Center). DLP events based on Exchange Transport Rules are not supported.
DLP (Data Loss Prevention) events will always have UserKey=”DlpAgent” in the common schema. There are three types of DlpEvents that are stored as the value of the Operation property of the common schema:
- This indicates a rule was matched. These events exist in both Exchange and SharePoint Online and OneDrive for Business.
- These only exist in SharePoint Online and OneDrive for Business, and indicate a previously applied policy action has been “undone” – either because of false-positive/override designation by the user, or because the document is no longer subject to policy (either due to policy change or change to content in the doc).
- These only exist in SharePoint Online and OneDrive for Business and indicate a false positive designation but no action was “undone.”
How to Get DLP Data To Sentinel?
First thought was, that I need to query the O365 DLP data from the O365 Management Activity API to Logic Apps and then send it to Log Analytics Data Collector API but it was much easier than I thought.
DLP event data is included in the native Azure Sentinel O365 data connector. With the connector, audit data is streamed from O365 to Azure Sentinel Log Analytics workspace.
The DLP activity data based on operation property is found from Azure Sentinel (Log Analytics workspace) OfficeActivity data table. This means that advanced analytic rules can be created from the data, for example, alerts when the DLP match has been made.
SharePoint & OneDrive Azure Workbook can be useful when investigating DLP data.
Azure Sentinel DLP alert
Analytics rules can be created based on the data you have in the underlying Log Analytics. In this example, I created simple rule which fires an alert when Data Loss Prevention match has been detected.
Any difference in DLP Audit Data Between Services?
I took DLP audit data from O365 Management Activity API and I found that there are some differences in the audit event data between solutions.
I created the O365 Management Activity API subscription to contain DLP.All content type (contains only DLP events for all workloads) and made a comparison between data in Sentinel. Instructions how to manage O365 Management Activity API are found from this link.
All DLP related events are found from both, O365 Management Activity API and Azure Sentinel underlying Log Analytics workspace.
O365 Management Activity API provides richer information from the event itself. It contains all attributes from the event and Sentinel (LA workspace) only the most common ones.
During tests, the Cloud App Security raised alerts based on a file containing PII detected in the cloud (built-in DLP engine).
This was a quick post about investigation results between DLP audit events in O365 Management Activity API and in Azure Sentinel.
If Azure Sentinel is in use it would be a natural place to raise an alert and continue the actual investigation in O365 Security Center.