AzureIP, Log Analytics and Windows Defender ATP

Posted by

Knowing where sensitive information resides is important to any organisation. Azure Information Protection can provide you with that insight using either the Azure Information Protection Scanner or the Cloud App Security integration.

But files are also stored on devices themselves. And these might be classified as-well. Until now, administrators did not have an overview of these files. But with the new Windows 10 update (1809) you can now create that overview.

What do you need?

Before getting your hopes up, there are some pre-requisites to this. For the functions used in this blog, you will need:

  • Workstation with Windows 10 with a minimum build of 1809;
  • Windows Defender Advanced Threat Protection (Windows Defender ATP) – and applied to end-points;
  • Azure Information Protection integration feature;
  • Azure Log Analytics for Azure Information Protection.

So be prepared to invest in some licenses 🙂

High level overview

From a high level, the functionality is relatively easy. Azure Information Protection uses an Azure Log Analytics workplace to store information on sensitive data, labels and more.

Windows Defender ATP is used to scan the Windows 10 machines. Using the integration features (see below) any information regarding Azure Information Protection is sent to Log Analytics.

To enable this in Windows Defender ATP, just go to Settings | Advanced Features | Azure Information Protection.

Data discovery dashboard

When this is set-up, you will be able to review the data on devices. Let’s take a look. The dashboard shows you the locations which have been scanned. Please note: if you have the Azure Information Protection Scanner up-and-running, you’ll also see those repositories here. Cool stuff! In this case, I only have one end-point which is connected to Windows Defender ATP.

When opening the end-point, you’ll see the discovered files. These also include some metadata like the modifier of the file, the label and the protection level. It does not discriminate with locations – even the recycle bin and temporary files are part of the overview.

When you select a document, you get some more details.

Log Analytics

If you want, you can get more detailed information. You will need to delve deep into log analytics itself. When you open the workspace, you can run you’re own query against the data. For data on Azure Information Protection you’ll need to go to Custom Logs | InformationProtectionLogs_CL. Have fun, this is for the enthusiast only 🙂

All-in-all, this is great stuff. It does require a lot of pre-requisites. And there’s still some quirks. For example: my sensitivity labels from Office 365 were not immediately detected (even though these were published and part of an Azure Information Protection policy).

If you need some more information; This Microsoft blog describes the integration is some more detail.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s