Need kql to query purview sensitive, not-encrypted, externally sent data

David Broggy 6,101 Reputation points MVP
2025-02-06T17:19:01.5233333+00:00

Hi there,

I'm trying to understand if I can use kql to query the following about Purview events. Here's a 'hypothetical' kql query that works logically, but I'm struggling to create a Purview policy that matches this.

I've created a 'sensitive' label, and applied it to a policy which should encrypt the file (on OneDrive/Sharepoint).

I've enabled logging/diagnostic in my Purview instance in Azure.

However I can't get any data to show up in the MicrosoftPurviewInformationProtection table.

// Hypothetical query: labelled events where a sensitive info type was detected,
// the payload mentions encryption, and the item is reachable by external users.
MicrosoftPurviewInformationProtection
| where isnotempty(SensitiveInfoTypeData)
| where tostring(SensitiveInfoTypeData) contains "encrypted"
| where IsViewableByExternalUsers == true   // column is bool, so compare with true rather than 1

(I'm betting @Clive Watson or @Rod Trent have tried this....)
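Two queries, added here as an example and not part of the original post or of any Microsoft sample: the first shows whether the MicrosoftPurviewInformationProtection table is receiving anything at all (which is the actual blocker described above), and the second expresses the "labelled, not encrypted, viewable externally" condition against columns that are documented for that table. The label display name, the LabelName column, and the IsProtected field inside ProtectionEventData are assumptions to confirm against your own tenant's data.

```kql
// Added example (not from the original post). Column names follow the
// MicrosoftPurviewInformationProtection schema as documented for Sentinel;
// the JSON field names inside ProtectionEventData are assumptions to verify
// against your tenant's data.
//
// Step 1: confirm events are landing in the table at all. If this returns
// nothing, the connector / audit prerequisites are the problem, not the filter.
MicrosoftPurviewInformationProtection
| where TimeGenerated > ago(7d)
| summarize Events = count(), LastSeen = max(TimeGenerated) by Operation, Workload
| order by Events desc

// Step 2: label events for the sensitive label where no protection (encryption)
// was applied and the item is viewable by external users.
let SensitiveLabel = "Sensitive";          // assumed label display name
MicrosoftPurviewInformationProtection
| where TimeGenerated > ago(7d)
| where Operation in ("SensitivityLabelApplied", "SensitivityLabelUpdated")
| where LabelName =~ SensitiveLabel       // assumption: LabelName column holds the display name
| extend IsProtected = tobool(ProtectionEventData.IsProtected)   // assumption: field name
| where IsProtected == false or isnull(IsProtected)
| where IsViewableByExternalUsers == true
| project TimeGenerated, UserId, Workload, ObjectId, LabelName, IsProtected, IsViewableByExternalUsers
| order by TimeGenerated desc
```

Run the two statements separately in Log Analytics (place the cursor in the one you want). Step 1 is the useful diagnostic when the table looks empty: an empty result there means ingestion, not query logic, is the issue, and Step 2 is only meaningful once Step 1 shows SensitivityLabelApplied events.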


2 answers

  1. Oury Ba-MSFT 20,346 Reputation points Microsoft Employee
    2025-02-07T19:31:16.54+00:00

    David Broggy, thank you for reaching out on this.

    You need to enable the Microsoft Purview Information Protection connector in Microsoft Sentinel to ensure that the necessary logs and data are ingested into Sentinel.

    Guidance on how to set up this connector can be found here: Stream data from Microsoft Purview Information Protection to Microsoft Sentinel

    Please do also check this https://github.com/Azure-Samples/Azure-Information-Protection-Samples/blob/master/AIP-Audit-Export/MicrosoftPurviewInformationProtectionGuidance.md

    You can use the data fields within the Azure Information Protection table (InformationProtectionLogs_CL) and the Microsoft Purview Information Protection table (MicrosoftPurviewInformationProtection) to adjust existing queries. Read more in the above GitHub link.

    Comparison of Azure Information Protection table and Microsoft Purview Information Protection events.

    Please do let us know the result.

    Regards,

    Oury


  2. David Broggy 6,101 Reputation points MVP
    2025-02-08T12:56:11.0033333+00:00

    Hi @Oury Ba-MSFT , thanks for your reply.

    As I understand it, the _CL table is the old method and MicrosoftPurviewInformationProtection is the new method, which is what I'm using, as described above.

    However, I've not been able to get any data into that table.

    I would have thought that by simply applying a label to a Word document, I should see a log generated, but that's not happening.

    Perhaps this is a licensing issue, but if so I wouldn't expect to be able to use labeling, but I can.

    I don't see anywhere that would indicate if logging is disabled due to licensing.
