Connect this data source on your own, using the Hunters platform.
Overview
Table name: microsoft_purview
Microsoft Purview logs provide detailed records of activities related to data governance and compliance across an organization's data estate. These logs capture information on actions such as data classification, access requests, policy enforcement, and auditing activities within Microsoft Purview. By analyzing these logs, organizations can track how data is being used, identify potential compliance risks, ensure data protection policies are adhered to, and maintain a transparent record for audit purposes. These logs are crucial for maintaining data governance, supporting regulatory compliance, and enhancing overall data security.
Learn more here.
Send data to Hunters
Hunters supports the ingestion of these logs using Azure Event Hub. Follow the steps below to complete the connection.
STEP 1: Set up Azure Event Hub
Before setting up the connection on the Hunters platform, you'll need to set up and create an Azure Event Hub.
Follow this guide to complete the setup.
STEP 2: Route logs to the Event Hub
Follow this guide by Microsoft to learn how to route Purview logs to an Event Hub.
STEP 3: Set up the connection on Hunters
- Open the Hunters platform and navigate to Data > Data Sources.
- Click ADD DATA SOURCES.
- Locate the Microsoft Azure panel and click Connect. The Add Data Flows window opens.
- Fill in the required Azure application details, as gathered here under STEP 2.
- Under the Data Types section, activate the data types you want to connect.
- For each activated data type, fill in the required information, as gathered here:
  - Under STEP 1 - Subscription ID
  - Under STEP 3 - Resource group name and Event Hub namespace
  - Under STEP 4 - Event Hub name
- OPTIONAL: Under the Consumer group field you can specify a specific Azure Event Hub consumer group, or leave this field empty to use the default consumer group.
- Click Test Connection to make sure everything was set up correctly.
- Once the connection is established, click Submit.
Expected format
Logs are expected in JSON format.
{
"_Internal_WorkspaceResourceId": "/subscriptions/asdasd/asd/asd/asd",
"_ItemId": "a0607082-36d4-11ef-8966-000d3abcf897",
"ActionSource": "Automatic",
"ActionSourceDetail": "AutoByReplyOrForward",
"Application": "Outlook",
"ClientIP": "1.2.3.4",
"ContentType": "Email",
"CurrentProtectionType": {
"documentEncrypted": false,
"owner": "",
"protectionType": 0,
"templateId": ""
},
"CurrentProtectionTypeName": "None",
"DeviceName": "QADO100017",
"EmailInfo": {
"cc": [
"test@test.com",
"test@test.com",
"test@test.com"
],
"from": "test@test.com",
"subject": "RE: Email Subject",
"to": [
"test@test.com",
"test@test.com"
]
},
"Id": "28f931bf-3dde-42af-9122-746d4c81604b",
"LabelEventType": "LabelChangedSameOrder",
"Operation": "SensitivityLabelApplied",
"OrganizationId": "asdasd-asdasd-asdasd",
"Platform": "Windows",
"PreviousProtectionType": {
"documentEncrypted": false,
"owner": "",
"protectionType": 0,
"templateId": ""
},
"PreviousProtectionTypeName": "None",
"ProtectionEventTypeName": "Unchanged",
"RecordType": 83,
"RecordTypeName": "SensitivityLabelAction",
"SensitivityLabelId": "df6d7d17-467a-4c8a-bc82-0da4d92ddbea",
"TargetLocation": "Cloud",
"TenantId": "aasd-asdsad-asdasd",
"TimeGenerated": "2024-06-30T11:27:52.0000000Z",
"Type": "MicrosoftPurviewInformationProtection",
"UserId": "test@test.com",
"UserKey": "asdasd-asdasd-asdasd",
"UserType": "Regular",
"Workload": "PublicEndpoint"
}
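As an added example that is not part of the Hunters documentation, the following Python reads records in the format above (one JSON object per line, a framing assumed here for illustration) and flags sensitivity label events where PreviousProtectionType.documentEncrypted was true and CurrentProtectionType.documentEncrypted is false, i.e. protection was removed from an item. The first input record mirrors the page's sample; the second record and the malformed line are constructed.

```python
import json
from typing import Any

# Constructed input (not from the page): two Purview information-protection records,
# one JSON object per line, plus one malformed line. The first mirrors the page's
# sample; the second is made up to show an encrypted item becoming unencrypted.
RAW_EVENTS = "\n".join(json.dumps(r) for r in [
    {"Id": "28f931bf-3dde-42af-9122-746d4c81604b", "Type": "MicrosoftPurviewInformationProtection",
     "Operation": "SensitivityLabelApplied", "LabelEventType": "LabelChangedSameOrder",
     "UserId": "test@test.com", "Application": "Outlook", "ContentType": "Email",
     "TimeGenerated": "2024-06-30T11:27:52.0000000Z",
     "PreviousProtectionType": {"documentEncrypted": False, "protectionType": 0},
     "CurrentProtectionType": {"documentEncrypted": False, "protectionType": 0}},
    {"Id": "constructed-0001", "Type": "MicrosoftPurviewInformationProtection",
     "Operation": "SensitivityLabelApplied", "LabelEventType": "LabelChangedSameOrder",
     "UserId": "test@test.com", "Application": "Outlook", "ContentType": "Email",
     "TimeGenerated": "2024-06-30T11:31:07.0000000Z",
     "PreviousProtectionType": {"documentEncrypted": True},
     "CurrentProtectionType": {"documentEncrypted": False}},
]) + "\nnot json at all\n"


def protection_removed(record: dict[str, Any]) -> bool:
    """True when the item was encrypted before the label event and not encrypted after.

    A missing or null protection object counts as 'not encrypted', so a record without
    PreviousProtectionType never produces a hit."""
    prev = record.get("PreviousProtectionType") or {}
    cur = record.get("CurrentProtectionType") or {}
    return bool(prev.get("documentEncrypted")) and not cur.get("documentEncrypted")


def find_protection_removals(raw: str) -> list[dict[str, Any]]:
    """Scan newline-delimited JSON records and summarize each protection removal."""
    hits = []
    for line in raw.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole batch
        if not isinstance(rec, dict) or rec.get("Type") != "MicrosoftPurviewInformationProtection":
            continue
        if protection_removed(rec):
            hits.append({"id": rec.get("Id"), "user": rec.get("UserId"),
                         "time": rec.get("TimeGenerated"), "app": rec.get("Application"),
                         "content_type": rec.get("ContentType"),
                         "label_event": rec.get("LabelEventType")})
    return hits


if __name__ == "__main__":
    for hit in find_protection_removals(RAW_EVENTS):
        print(hit)
```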