Welcome to the second section of my SC-200 study guide. In this section I will go through the following content:
- Investigate and respond to alerts generated from Data Loss Prevention policies
- Investigate and respond to alerts generated from insider risk policies
And I didn’t have time (or space) to include the following:
- Identify, investigate, and remediate security risks by using Microsoft Defender for Cloud Apps
- Configure Microsoft Defender for Cloud Apps to generate alerts and reports to detect threats
I will cover them in the next section, not to worry.
Licensing for Purview
If you’re not an E5 customer, you can still test out all the premium features of Microsoft Purview for free by using the 90-day Purview solutions trial.
What do you get with the trial?
- Audit (Premium) – Track and investigate more high-value, critical activities and retain audit logs for longer.
- Communication Compliance – Capture, triage, and take action on sensitive or inappropriate communications.
- Compliance Manager – Manage your compliance requirements with greater ease and convenience.
- Data Lifecycle Management – Use adaptive scopes to automate your retention policy coverage.
- Data Loss Prevention (DLP) – Control sharing and use of sensitive info on devices, apps, and services.
- eDiscovery (Premium) – Preserve, collect, and review content for litigation and internal investigations.
- Information Protection – Automatically identify, classify, and protect sensitive info wherever it travels.
- Insider Risk Management – Quickly identify, investigate, and take immediate action on insider risks.
- Records Management – Manage the classification, retention, and disposition of records in your org.
See more from the following article.
Investigate and respond to alerts generated from Data Loss Prevention policies
To generate alerts you need one of the following licensing models.
Licensing
- Single-event alert configuration: Organizations that have an E1, F1, or G1 subscription or an E3 or G3 subscription can create alert policies only where an alert is triggered every time an activity occurs.
- Aggregated alert configuration: To configure aggregate alert policies based on a threshold, you must have one of the following configurations:
  - An A5 subscription
  - An E5 or G5 subscription
  - An E1, F1, or G1 subscription or an E3 or G3 subscription that includes one of the following features:
    - Office 365 Advanced Threat Protection Plan 2
    - Microsoft 365 E5 Compliance
    - Microsoft 365 eDiscovery and Audit add-on license
Permissions
If you want to view the DLP alert management dashboard or to edit the alert configuration options in a DLP policy, you must be a member of one of these role groups:
- Compliance Administrator
- Compliance Data Administrator
- Security Administrator
- Security Operator
- Security Reader
To access the DLP alert management dashboard, you need the Manage alerts role and either of the following roles:
- DLP Compliance Management
- View-Only DLP Compliance Management
How to use the guided setup?
If not already setup, the easiest way is to use https://admin.microsoft.com/adminportal/home#/modernonboarding/mipsetupguide for the process.
What does the guide do?
In this guide, you’ll complete the following information protection and DLP tasks:
- Verify your license and roles.
- Prepare your environment.
- Set up information protection labels.
- Set up DLP policies.
- Set up advanced configurations, like migrating policies, increasing and testing accuracy, protecting services, and expanding actions such as setting alerts, blocking features, and using encryption.
- Manage alerts and incidents.
And if you don’t have the needed licensing, it will guide you through the steps to get it.
Get your trial and keep on going.
Once that is done, you can create DLP policies.
How to create policies with alerts?
Open the DLP policies page at https://compliance.microsoft.com/datalossprevention?viewid=policies and create a new policy.
Let’s try it with the GDPR policy.
Choosing only Email as the location.
Once you go forward, you can create a new rule and add alerts to it. We will select High severity and send the alert to admins.
You can also set thresholds, or send an alert every time the rule is triggered, and notify admins by email message when it happens.
And now we have a new rule that sends an alert every single time and adds the manager as CC when sending to gmail.com.
You can run the policy in test (audit) mode, turn it on, or leave it off; in this test setup we don’t worry about mistakes.
It will also tell you that you should enable Teams as a location, but we don’t need that for now.
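The licensing section above distinguishes single-event alerting (one alert per match) from aggregated alerting (an alert only when a threshold is reached inside a time window), and the rule we just built uses the "every single time" option. To make that difference concrete, here is an added Python model of the two behaviours run over a constructed list of rule matches. It is not Microsoft's code or the portal's exact aggregation logic; the sliding window with reset after each alert is an assumption made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of DLP rule matches: (user, ISO timestamp). Not real tenant data.
SAMPLE_MATCHES = [
    ("alexw@contoso.example", "2024-05-01T09:00:00"),
    ("alexw@contoso.example", "2024-05-01T09:20:00"),
    ("alexw@contoso.example", "2024-05-01T09:45:00"),
    ("alexw@contoso.example", "2024-05-03T11:00:00"),
    ("megan@contoso.example", "2024-05-01T10:00:00"),
]


def single_event_alerts(matches):
    """Single-event configuration: every rule match raises its own alert."""
    return [{"user": user, "time": ts, "matches": 1} for user, ts in matches]


def aggregated_alerts(matches, threshold, window_hours):
    """Aggregated configuration (simplified model, not Microsoft's exact logic):
    raise one alert when a user accumulates `threshold` matches inside a sliding
    window of `window_hours`, then start counting again so the same activity
    is not alerted twice."""
    window = timedelta(hours=window_hours)
    by_user = defaultdict(list)
    for user, ts in matches:
        by_user[user].append(datetime.fromisoformat(ts))
    alerts = []
    for user, times in by_user.items():
        recent = []  # matches still inside the window
        for t in sorted(times):
            recent = [x for x in recent if t - x <= window] + [t]
            if len(recent) >= threshold:
                alerts.append({"user": user, "time": t.isoformat(), "matches": len(recent)})
                recent = []
    return alerts


if __name__ == "__main__":
    print("single-event:", len(single_event_alerts(SAMPLE_MATCHES)), "alerts")
    for alert in aggregated_alerts(SAMPLE_MATCHES, threshold=3, window_hours=1):
        print("aggregated:", alert)
```

With the sample data, single-event alerting produces five alerts, while a threshold of three matches within one hour produces a single alert for AlexW at 09:45; the one-off match two days later never reaches the threshold. That is the trade-off the licensing section is pointing at: aggregation cuts alert noise for the triage queue but can hide low-and-slow activity unless the threshold and window are tuned.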
Sensitivity labels as enforcer
You can also define DLP policies to be enforced on labeled content. When you assign labels, they will trigger DLP enforcement, for example when the content is shared outside of your tenant.
Trying it out
Let’s login as a user and send some super secret secrets to a gmail.com recipient.
Discovering those Alerts
Within seconds the DLP alert kicks in and the compliance portal shows that there is a match.
And also inside Defender for Office 365 alerts page. AlexW, you got busted.
And also his manager was informed as CC, he is really exposed!
Compliance portal
Details of the alerts will show this
And inside the event you will see the following.
Event details
Category | Property name | Description | Applicable event types |
---|---|---|---|
Event details | Id | Unique ID associated with the event | All events |
Event details | Location | Workload where the event was detected | All events |
Event details | Time of activity | Time of the user activity that caused the DLP violation | All events |
Impacted entities | User | User who caused the DLP violation | All events |
Impacted entities | Hostname | Host name of the machine where the DLP violation was detected | Devices events |
Impacted entities | IP address | IP address of the machine | Devices events |
Impacted entities | File path | Absolute path of the file involved in the violation | SharePoint, OneDrive, and Devices events |
Impacted entities | Email recipients | Recipients of the email that violated the DLP policy | Exchange events |
Impacted entities | Email subject | Subject of the email that violated the DLP policy | Exchange events |
Impacted entities | Email attachments | Names of the attachments in the email that violated the DLP policy | Exchange events |
Impacted entities | Site owner | Name of the site owner | SharePoint and OneDrive events |
Impacted entities | Site URL | Full URL of the SharePoint or OneDrive site | SharePoint and OneDrive events |
Impacted entities | File created | Time of file creation | SharePoint and OneDrive events |
Impacted entities | File last modified | Time of the last modification of the file | SharePoint and OneDrive events |
Impacted entities | File size | Size of the file | SharePoint and OneDrive events |
Impacted entities | File owner | Owner of the file | SharePoint and OneDrive events |
Policy details | DLP policy matched | Name of the DLP policy that was matched | All events |
Policy details | Rule matched | Name of the DLP rule in the DLP policy that was matched | All events |
Policy details | Sensitive info types detected | Sensitive information types that were detected as a part of the DLP policy | All events |
Policy details | Actions taken | Actions taken as a part of the matched DLP policy | All events |
Policy details | User overrode policy | Whether the user overrode the policy through the policy tip | All events |
Policy details | Override justification text | Justification provided to override the policy tip | All events |
Continuing with the portal
And when you click on the event, you will see even more about what happened, including that the manager was informed as CC like planned.
You can download the message, see the classifiers, or even view the raw metadata of the email.
Defender for Office365 portal
You can see the following inside Defender. DlpAgent is shown as the detection source that triggered the alert, and you will see the location it was triggered from.
You also see the category and, where applicable, the techniques used. In this case it was only an email.
And again (like in the first section) you can assign it to an existing incident or create a new one
And you can also open the user information page
In the user page you can see all the triggered alerts and the timeline.
You can either Confirm that the user is compromised or generate different actions, I will get back to this menu in the following sections, no worries.
Incidents
You will see incidents under Defender portal
You can assign them to a team member.
And you can also classify them
That’s it; on to Insider risks.
Investigate and respond to alerts generated from insider risk policies
Licensing
Microsoft Purview Insider Risk Management enables you to identify, look into, and respond to possibly harmful and unintentional acts in your company. This reduces internal risks.
Insider risk management is available in the following subscriptions:
- Microsoft 365 E5/A5/F5/G5 subscription (paid or trial version)
- Microsoft 365 E3/A3/F3/G3 subscription + the Microsoft 365 E5/A5/F5/G5 Compliance add-on
- Microsoft 365 E3/A3/F3/G3 subscription + the Microsoft 365 E5/A5/F5/G5 Insider Risk Management add-on
- Office 365 E3 subscription + Enterprise Mobility and Security E3 + the Microsoft 365 E5 Compliance add-on
Permissions
If you don’t have permissions in place, you will have to enable them first. Here is a list of the permissions.
And here is a detailed permissions list.
Add users to the Insider Risk Management role group
Complete the following steps to add users to this role group:
- Sign into Microsoft Purview compliance portal using credentials for an admin account in your Microsoft 365 organization.
- Select Permissions in the left nav, and select Roles under the Microsoft Purview solutions list.
- Select the Insider Risk Management role group, then select Edit.
- Select the Choose users tab, then select the checkbox for all users you want to add to the role group.
- Choose Select, then Next.
- Select Save to add the users to the role group. Select Done to complete the steps.
Enable audit logging
You need to enable Audit logging if not already enabled.
If you haven’t enabled the correct permissions, you won’t see all the menus.
When you assign the correct permissions, you will see more.
If you want to give users all the permissions when testing the features, without separation of duties, you can use this role group to grant them all at once.
How to setup Insider risks?
You have these policies at your disposal; note the prerequisites.
And you can prioritize content if needed
I will choose file extensions for my test, with the following limitations.
- Each extension can’t exceed 20 characters
- These characters aren’t supported: / \ : * ? < > |
- Preceding the extension name with a period is optional. For example, you can enter ‘.exe’ or ‘exe’.
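When extensions are fed to a policy from a script or a ticket rather than typed by hand, it helps to validate them against the three limitations above before they reach the portal. The following Python helper is an added example, not part of Microsoft's tooling: it applies the 20-character limit, rejects the unsupported characters, and treats the leading period as optional. Lower-casing the result and checking the length after the period is stripped are my assumptions, not rules stated on the page.

```python
# Unsupported characters, taken from the limitations above.
UNSUPPORTED_CHARS = set("/\\:*?<>|")
MAX_EXTENSION_LEN = 20  # per the limitation above


def normalize_extension(raw):
    """Return the canonical form of one extension (no leading period, lower-case)
    or raise ValueError explaining which limitation it violates."""
    ext = raw.strip()
    if ext.startswith("."):          # leading period is optional, so drop it
        ext = ext[1:]
    if not ext:
        raise ValueError(f"empty extension: {raw!r}")
    # Assumption: the 20-character limit is checked after removing the period.
    if len(ext) > MAX_EXTENSION_LEN:
        raise ValueError(f"longer than {MAX_EXTENSION_LEN} characters: {raw!r}")
    bad = sorted(set(ext) & UNSUPPORTED_CHARS)
    if bad:
        raise ValueError(f"unsupported characters {bad} in {raw!r}")
    return ext.lower()               # assumption: extensions compare case-insensitively


def normalize_extension_list(raw_list):
    """Normalize a whole list: de-duplicate accepted values and collect
    every rejection with its reason instead of stopping at the first one."""
    accepted, rejected = [], {}
    for raw in raw_list:
        try:
            ext = normalize_extension(raw)
        except ValueError as err:
            rejected[raw] = str(err)
            continue
        if ext not in accepted:
            accepted.append(ext)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed input mixing valid, duplicate, and invalid entries.
    ok, bad = normalize_extension_list([".exe", "exe", "DOCX", "a*b", "x" * 21])
    print("accepted:", ok)
    print("rejected:", bad)
```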
And Alerts will be triggered every time
And I will attach the DLP policy that we used in the previous section
You could also turn on indicators for exfiltration activities.
But if you don’t enable Indicators, you won’t get any Alerts from Insider risks, only for the DLP policy.
When users perform activities related to indicators, policies collect signals and trigger alerts. Insider risk management collects signals and creates alerts using various types of events and indicators.
I will add "Sending email with attachments outside the organization" as an indicator, with thresholds from 1 to 3.
And the final configuration will look like this.
Adaptive protection (preview)
Adaptive Protection is still in preview, so there could be changes to it.
Adaptive Protection uses the machine learning models of insider risk management to establish and analyze risk levels, and then dynamically assigns suitable DLP rules to users depending on those risk levels. With this new capability, static DLP rules become user-context-based and adaptive, ensuring that only high-risk users are subject to the most restrictive policy, such as blocking data sharing, while low-risk users can continue to work productively.
With Adaptive protection you can have the following benefits:
- Context-aware detection. Helps identify the most critical risks with ML-driven analysis of both content and user activities.
- Dynamic controls. Helps enforce effective controls on high-risk users while others maintain productivity.
- Automated mitigation. Helps to minimize the impact of potential data security incidents and reduce admin overhead.
If you press Quick setup, it can take up to 72 hours for the Insider risk settings to be applied.
You can define Insider risk policy and Alert levels for different users
And you create your own DLP policies or use the automatically generated ones
And finally enable the protection
See more here
And a short introduction video
Alerts
You can see the alerts under the Insider risk page or in the Defender for Office 365 portal.
When you open the alerts page, you will see the Policy that triggered the alert and status
When you open the Alert, you will see all the activities it has and create a case out of it
To dig a little bit deeper, you will see the separate activities
Under user activity you can see timeline and details on the activities
And you can also see the user timeline and triggered events under users menu
And if we discover the events more closely, we can see what the user actions were
And the email details
On the SPO side we can see that the user has deleted files, which triggered another event.
You can also export the Alerts with Management Activity APIs
See more on the Management Activity APIs
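The event details table in the DLP section lists what the portal shows per event, and the Management Activity API lets you pull the same records out for your own tooling. Here is an added Python example (not Microsoft's code, and not the page's) that turns a content blob from a DLP subscription into flat rows shaped like that table and skips records that are not DLP rule matches. The sample JSON is constructed; its field names follow the Management Activity API DLP schema as I understand it, so treat them as assumptions and check them against the records your tenant actually returns. Fetching the blobs (OAuth token, subscription start, content URIs) is out of scope and not shown.

```python
import json

# Constructed content blob, loosely modeled on Management Activity API DLP records.
# Field names are assumed; not taken from a real tenant.
SAMPLE_CONTENT = json.dumps([
    {
        "Id": "00000000-0000-0000-0000-000000000001",
        "CreationTime": "2024-05-01T09:45:12",
        "Operation": "DlpRuleMatch",
        "Workload": "Exchange",
        "UserId": "alexw@contoso.example",
        "ExchangeMetaData": {
            "From": "alexw@contoso.example",
            "To": ["someone@gmail.com"],
            "CC": ["manager@contoso.example"],
            "Subject": "Super secret secrets",
            "FileName": "secrets.xlsx",
        },
        "PolicyDetails": [{
            "PolicyName": "GDPR",
            "Rules": [{
                "RuleName": "Low volume of content detected GDPR",
                "Severity": "High",
                "Actions": ["GenerateAlert", "AddCc"],
                "ConditionsMatched": {
                    "SensitiveInformation": [
                        {"SensitiveInformationTypeName": "EU Debit Card Number",
                         "Count": 2, "Confidence": 85}
                    ]
                },
            }],
        }],
    },
    {   # Not a DLP match: an ordinary audit record that should be skipped.
        "Id": "00000000-0000-0000-0000-000000000002",
        "CreationTime": "2024-05-01T10:02:00",
        "Operation": "FileModified",
        "Workload": "SharePoint",
        "UserId": "megan@contoso.example",
    },
])


def summarize_dlp_events(content_json):
    """Return one flat dict per DlpRuleMatch record, with keys matching the
    portal's event details (id, location, time of activity, user, recipients,
    subject, attachments, policy/rule matched, sensitive info types, actions)."""
    rows = []
    for rec in json.loads(content_json):
        if rec.get("Operation") != "DlpRuleMatch":
            continue  # FileModified, UserLoggedIn, etc. are not DLP events
        meta = rec.get("ExchangeMetaData", {})
        row = {
            "id": rec["Id"],
            "location": rec["Workload"],
            "time_of_activity": rec["CreationTime"],
            "user": rec["UserId"],
            "email_recipients": list(meta.get("To", [])) + list(meta.get("CC", [])),
            "email_subject": meta.get("Subject"),
            "email_attachments": [meta["FileName"]] if meta.get("FileName") else [],
            "policies": [],
        }
        for policy in rec.get("PolicyDetails", []):
            for rule in policy.get("Rules", []):
                sits = rule.get("ConditionsMatched", {}).get("SensitiveInformation", [])
                row["policies"].append({
                    "policy": policy["PolicyName"],
                    "rule": rule["RuleName"],
                    "severity": rule.get("Severity"),
                    "actions": rule.get("Actions", []),
                    "sensitive_info_types": [(s["SensitiveInformationTypeName"], s["Count"])
                                             for s in sits],
                })
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in summarize_dlp_events(SAMPLE_CONTENT):
        print(json.dumps(row, indent=2))
```

The `Operation` filter matters in practice: a DLP-scoped subscription still mixes rule matches with other audit records, and only `DlpRuleMatch` rows carry the policy details. The flattened rows can then be forwarded to a SIEM or used to build the same per-user timeline the portal shows.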
Creating a case
Once you have verified the alerts, you can create a case out of them.
When the case is created, you will have the following actions at your disposal
You can escalate it for investigation; the investigation will then be handled by eDiscovery admins.
You can see the alerts from DLP in the Defender for Office 365 portal, but nothing concerning the Insider risks, as those are handled in the Compliance portal.
Scanning for risks
You can initiate an AI-based scan for risks inside your tenant; you just have to wait. Insider risk features aren’t the quickest: a scan can easily take a couple of days.
Retention
Cases and alerts also have retention times, after which old alerts and content are removed.
Item | Retention/Limit |
---|---|
Alerts with Needs review status | 120 days from alert creation, then automatically deleted |
Active cases (and associated artifacts) | Indefinite retention, never expire |
Resolved cases (and associated artifacts) | 120 days from case resolution, then automatically deleted |
Maximum number of active cases | 100 |
User activities reports | 120 days from activity detection, then automatically deleted |
Forensics evidence (preview)
Security teams must have visual context during forensic investigations to gain a deeper understanding of potentially problematic security-related user activities. Forensic evidence enables customizable visual activity capturing across devices, with customizable event triggers and built-in user privacy protection controls, to help your organization better mitigate, comprehend, and react to potential data risks like unauthorized exfiltration of sensitive data.
Closure
In this part we covered the different aspects of investigation and remediation. Some things to remember for the test:
DLP
- What licensing and permissions are needed for Purview?
- How to create policies with Alerts?
- How to use Sensitivity labels as enforcer?
- What are the details for the events?
- How you see the DLP alerts inside Defender for Office 365 portal and what are the actions and classifications you can assign for them?
Insider risks
- What permissions are needed for Insider risks?
- Prerequisites like licensing and Audit logs
- How you can enable DLP policies for Risk policies?
- How to investigate alerts and create cases from them? How to discover the activities under alerts?
Hopefully you found this useful, then to the next one with the following topics:
- Identify, investigate, and remediate security risks by using Microsoft Defender for Cloud Apps
- Configure Microsoft Defender for Cloud Apps to generate alerts and reports to detect threats