
Guided walkthrough of the Microsoft Purview extended report experience

by info.odysseyx@gmail.com


This is a step-by-step guide to the Microsoft Purview extended report experience and how it can help your organization address cybersecurity risk in a context that lets leaders achieve more. The reports focus on information and organizational context so that they reflect the real-world impact and value of cyber investments and incidents.

Prerequisites

  • Licensing requirements for Microsoft Purview Information Protection vary depending on the scenarios and features you use. To understand licensing requirements and options, see the Information Protection section of the Microsoft 365 guidance for security and compliance and the related PDF download for feature-level licensing requirements. For the best experience, enable all Microsoft Defender products.
  • Set up your report with our step-by-step guide, found here.
  • The DLP incident management document is found here.
  • To use the template, install Power BI Desktop: Download | Microsoft Power BI.

Overview and Vision

The vision of this package is to enable faster, more integrated communication between leaders and cyber operations teams in a context that enables effective collaboration. This structure can help measure the distance to corporate secrets, thereby demonstrating positive outcomes of prevented attacks. It can also help demonstrate the impact of incidents by listing the sensitive systems and content accessed by attackers.

From this information we can also identify patterns where the security posture around sensitive content and systems needs to improve. This makes improvement projects more aligned with company values. Cybersecurity moves fast, so understanding the future is just as important as the present. This data should allow us to gain insight into future threats and predict their impact. As part of this work, we are also building Security Copilot technology to help identify future risks.


Step-by-step guide walkthrough

Dashboard Principles

When you open a Power BI view in the web-based version or in Power BI Desktop, you see unique users and unique devices. These are user accounts and devices that have been flagged for one or more security incidents in the Microsoft Defender portal and have accessed sensitive information. Organizations can choose to filter this based on incident flags, incident types, and so on. How to achieve this is described in the implementation guide.


Let’s look at the basic elements from a CISO or CCO perspective.


  1. This is the default KPI view and defines the goal of how much sensitive data a compromised device or user has access to.
  2. This is an incident view that shows the classification and type of attack. This view can be changed based on tags or other fields that indicate what can be done to mitigate future attacks.
  3. The number of compromised users and devices that accessed sensitive content.
  4. The number and type of sensitive content accessed by the compromised system.

The core rule of thumb for what is displayed is that sensitive content is affected by compromised systems or accounts. Compromised systems or accounts that did not access sensitive content are not displayed. The only exception is the Operational Scope page, which is explained in more detail later.

Board-level sample data

The first version has four risk dimensions:

  • Legal compliance: This view should be tailored around regulatory obligations. The default report shows credit card and end-user identification data as examples. The suggestion is to select the relevant sensitive information types and group them by regulatory agency name (e.g. SEC, FDA, FCC, NTIA, FCA, etc.). How to achieve this is described in the implementation guide. You can also update the KPI graph to better align with your organization’s goals. Clicking on a department filters the content across the page.


  • Trust and reputation: The default setting for this report is to display privacy-related data. The impact of a customer data breach can be devastating to your organization’s customer trust. You can configure your report around the privacy data that best suits your business.


  • Company and shareholder value: This view centers around the organization’s secrets: confidential drawings, source code, internal financial results dashboards, supply chain information, product development, and other sensitive information. The dashboard is built from a few key components.
    • Sensitivity-labeled content accessed by compromised accounts.
      • This diagram is updated to reflect only the sensitivity labels that have a significant impact on your business. It only shows accesses made by compromised accounts.
    • Mission-critical systems accessed while compromised.
      • This is based on connections to URLs or IP addresses that host business-sensitive systems. These should come from the asset classifications already created for critical systems.
    • Sensitive content accessed while compromised.
      • This should be based on the core sensitive information types, document fingerprints, and exact data match classifiers that can directly impact the organization’s valuation.

The KPI diagram should be updated with objectives appropriate to the core security projects your organization operates.


  • Operational scope: Provides organizations with information about where sensitive information is processed. Failure to process it in the appropriate location can have a direct impact on whether the organization can operate in a particular market. This report can also be used when restructuring the company and taking other steps to remain competitive while remaining compliant.


Security Copilot also gives you these types of details and helps add context. Here is an example of a custom sensitive information type; the subheadings are departments.


Also included is a view for using sensitivity labels.


  • The CISO view is more detailed than the board report that was initially described in this post. It is a company and shareholder value view. Following the implementation guide, this view can be customized to meet the needs of your organization. However, you may feel that you need more detail. This leads to the detailed view.


  • The Account Detail Data view provides the following details:
    • In the green box, you can find all users who have had an incident, and learn more about the threat actor, threat family, and so on. The implementation guide also shows how to add additional fields such as tags and types.
    • The red box provides information about the actual documents and information the user accessed.


Let’s use this sample to pair usage with Copilot for Security. Let’s say one of the object names is listall.json, and I want to get all the information surrounding that file.


Or maybe there’s an email subject line that concerns you.


The information shared here is intended to give you an idea of how to get started. Consider adding real monetized impact to events throughout your system, both those that were avoided and those that had negative impacts.

Improvement Project Report

For data-driven feedback on the impact of your improvement projects, we provide a few sample dashboards to get you started. These dashboards give you a taste of what’s possible. With the wealth of data provided by the system, you can often build your own data-driven dashboards to show your progress. Samples provided include Document KPIs, SharePoint Oversharing, Email KPIs, Content Uploads, Operational Scope, and Operational Scope Classification Content.

Below is a sample dashboard that shows the number of protected and unprotected document actions across your organization, including which ones are labeled with sensitivity and which ones are not. Follow the technical guidance to set this up correctly.


This example provides an overview of a vendor whose systems are used to access sensitive content. It is process-based and can be adapted to select similar activity based on IP tags and ranges combined with access to sensitive content and systems.


This example includes details on how credential data is handled across the organization. To capture all credential types, you must enable the policy for all workloads, including endpoints.


Incident Reporting and Progress

The incident reporting and progress views provide insight into the analyst process, with metrics that measure overall efficiency and performance. They show incident operations over time, broken down by criteria such as severity, mean time to triage, mean time to resolution, and DLP policy. You should customize this view to fit your practice.


The package also provides optimization suggestions per workload: Exchange, SharePoint, OneDrive for Business, Endpoint, Teams, and OCR.


You can use Copilot to summarize incidents and provide next steps. This is a sample output of an incident summarized in Copilot. Steps to implement and tune Security Copilot can be found in the Security Copilot guidance playbook.


Events

There are instructions on how to set up additional event collection as part of the technical documentation. If you are a decision maker, consider setting up alerts based on views in Power BI. You will likely set up rules that trigger flows that need to be engaged. Here is the documentation for Microsoft Defender XDR: Create and manage custom detection rules in Microsoft Defender XDR | Microsoft Learn.
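The dashboard principle described earlier (only compromised accounts that also touched sensitive content are shown) and the custom detection rule suggested here rest on the same join. The following advanced hunting query is an added example, not code from the original post or the report package; the lookback window, severity filter and label names are assumptions to tune for your tenant.

```kql
// Added example (not part of the report package): the report's core rule in KQL
// for Microsoft Defender XDR advanced hunting. Accounts that appear as evidence in
// an alert are joined to endpoint file activity carrying a sensitivity label, so a
// compromised account that never touched labelled content drops out of the result.
let lookback = 30d;                                            // assumption: report window
let severities = dynamic(["Medium", "High"]);                  // assumption: incident filter
let businessLabels = dynamic(["Highly Confidential", "Confidential"]); // assumption: tenant labels
// 1. Accounts flagged in alerts, with the alert context the dashboard shows per incident.
let compromised =
    AlertInfo
    | where Timestamp > ago(lookback)
    | where Severity in (severities)
    | join kind=inner (
        AlertEvidence
        | where isnotempty(AccountUpn)
        | project AlertId, AccountUpn
      ) on AlertId
    | project AlertId, Title, Category, Severity, AccountUpn = tolower(AccountUpn)
    | distinct AlertId, Title, Category, Severity, AccountUpn;
// 2. Endpoint file actions on content that carries one of the business-critical labels.
let sensitiveAccess =
    DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where isnotempty(SensitivityLabel) and SensitivityLabel in (businessLabels)
    | project Timestamp, ReportId, DeviceId, DeviceName, ActionType, FileName, FolderPath,
              SensitivityLabel, AccountUpn = tolower(InitiatingProcessAccountUpn);
// 3. Keep only the intersection: a flagged account AND labelled-content access.
//    Timestamp and ReportId are kept so the same query can back a custom detection rule;
//    the board KPIs are a summarize over these rows, e.g.
//    | summarize Files = dcount(FileName), Devices = dcount(DeviceId) by AccountUpn, Severity
sensitiveAccess
| join kind=inner compromised on AccountUpn
| project Timestamp, ReportId, DeviceId, DeviceName, AccountUpn, ActionType, FileName,
          FolderPath, SensitivityLabel, AlertId, Title, Category, Severity
| order by Timestamp desc
```

Accounts with an alert but no labelled-file access never appear, which is exactly the exclusion the Operational Scope page is the one exception to.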

Copilot for Security can be used to draw conclusions from all relevant events related to an incident and provide suggestions for next steps. This is a sample that uses corporate policy documents from Microsoft Azure AI together with Microsoft Defender incidents to suggest next steps. You can also use the upload feature (Upload a File | Microsoft Learn).


Here are other examples where you might want to check if content from a compromised account was affected:


This post is part of a series.
