MIP Integration
MIP Integration
MIP integration lets you integrate the Microsoft Information Protection (MIP) Unified Labeling solution into the ITM ObserveIT platform providing more context about user activities.
This feature is supported on Windows and Mac-based server policies.
Microsoft MIP Unified Labeling is a cloud-based solution that lets organizations classify documents and emails by applying labels to documents. From Microsoft products such as Azure and Outlook, labels can be applied to files by administrators and manually applied by users. This solution is available by license from Microsoft.
Azure Information Protection (AIP) labeling is also supported.
When MIP Integration is enabled, the ObserveIT Agent captures and extracts the MIP label and its attributes. MIP labels are captured when:
-
a file enters (is downloaded to) an endpoint you want to monitor by Web download, cloud sync folder (Box only) or as an attachment to an email (Outlook or Apple Mail)
-
a tracked file is copied, moved, renamed or deleted
-
a file is exfiltrated by file upload, copying or moving it to a USB, copying or moving it to a cloud sync folder of a supported vendor or sending it as an email attachment (Outlook or Apple Mail)
The following attributes from Microsoft MIP labels are brought in with the file by the Agent:
Some attributes may not be displayed in the Web Console. All attributes are available in reports using the API.
-
Label Name: a file can have more than 1 label but each label must be for a different tenant.
-
Label ID: a unique ID of the label from the tenant ID. If sub label have been created, the Agent extracts the only the sub label. If there is a parent label, the Agent does not extract it .
-
Site ID (Tenant ID)
-
Method: of applying the label, can be standard (default automatically applied) or privileged (manually applied).
-
Set At: timestamp when label was applied
-
Content ID (protection ID) & Kind: indication whether file is protected or not
-
Enabled: indication whether the label is enabled in the administrator's MIP organization.
-
Action ID: this ID changes each time a label is set.
-
Custom Attributes
Supported file types include MS Office files, PDFs, image files and text files.
Getting Started with MIP Integration
In order to integrate MIP labels, you must do the following:
-
Set up MIP label monitoring policies: Define the primary tenant using the tenant ID that Microsoft assigned to your organization. For details on how to set up the MIP label monitoring policy and how to find your organization's ID, see MIP Label Monitoring Policies.
-
Enable MIP label monitoring the in recording policy: Select Enable MIP label monitoring to enable MIP label monitoring for select endpoint groups, see File Activity Monitoring Global Settings.
Visibility
Label information for the defined primary tenant is visible from the User, Endpoint, Email and File diaries.
Although you might have defined other tenants for subsidiaries or divisions of your organization, you will only see the labels for the defined primary tenant in the following views.
-
User and Endpoint Diaries: You can see the MIP labels for the primary tenant in the Summary and Timeline views. (See Session Details Views.)
-
File Diary: You can see the MIP labels for the all defined tenants in the File Activity and File History views. You can filter by MIP labels from the File Activity view. You can see label details when you hover over the file. (See File Activity View and File History View.)
-
Email Diary: You can see MIP labels for email file attachments for the tenants. If an attachment has been assigned a label, you see it when you hover over the file in the Attached files field of the email. (See Email Activity View.)
In addition, primary MIP label names are displayed next to the filename in the Session Player. (See Replaying User Sessions.)
Alerts
You can create alerts by MIP labels for primary tenants. Using the label helps you generate more precise alerts, fine-tuned by the classification. For example, you might have 2 files with the same name but different labels. By creating an alert on the MIP label of the file, rather than just the file name, you eliminate noise of extra alerts.
You can create alerts by the:
-
Exfiltrated file label: the MIP label on a file exiting (uploaded from) an endpoint you want to monitor.
-
Original file label: the MIP label on a tracked file entering (downloaded to) an endpoint you want to monitor.
You can create a list of sensitive file labels for original file labels in the Sensitive MIP Label list. (For details about how to set up a list for your organization, see Managing Lists.)
For MIP Labels in alerts, see:
-
Email - Did What : Create alerts for files attached to emails using MIP labels.
-
When a file is exfiltrated by sending it via email, you can create an alert by the original file MIP label or the exfiltrated file MIP label
-
When a file is exfiltrated by attaching it to an email client, you can create an alert by the original file MIP label or the exfiltrated file MIP label
-
When an attachment from an email client is saved, you can create an alert by the original file MIP label
-
-
Brought in a File - Did What: Create alerts for files brought in using MIP labels.
-
When a file is downloaded from a website or Web application, you can create an alert by the original file MIP label
-
When a file is brought in as an attachment from an email client is saved, you can create an alert by the original file MIP label
-
When a file is brought in by taking a file from cloud storage sync folder, you can create an alert by the original file MIP label
-
-
Exfiltrated File - Did What: Create alerts for exfiltrated files using MIP labels.
-
When a file is exfiltrated to any destination, you can create an alert by the original file MIP label or the exfiltrated file MIP label
-
When a file is exfiltrated to any website/web application, you can create an alert by the original file MIP label or the exfiltrated file MIP label
-
When a file is exfiltrated to a cloud storage sync folder, you can create an alert by the original file MIP label or the exfiltrated file MIP label
-
Searching by MIP Labels
You can use the free text search with MIP labels. In the Search for free text field, enter the whole or part of the MIP label. MIP labels display in the session' search detials. (See Steps for Performing a Free Text Search.)
MIP Labels in Reports
You can include MIP labels for primary and other tenants in your reports. (See File Activity Report Configuration.)
MIP Limitations
-
Alert rules configured using the MIP Label of the file option are currently not supported for user file activity on the Mac.
-
In the File Diary, File MIP Label filter shows all the labels available in the ObserveIT database. This list is populated when there is file activity for file with a MIP label on the configured tenants. This list cannot be managed/cleaned.
-
If MS Office is not installed on the endpoint, the Agent may not be able to extract the MIP labels.
-
The Agent extracts sub-labels. For MIP, the Agent extracts the lowest sub level, so the child label, not the parent label is extracted. For AIP, because the metadata of parent label is added to the file itself, the Agent is able to extract it as well.
- Label name and label display name may differ. The Agent extracts the label name, and not the display name. (You can check the name in the Microsoft 365 Security Console > Sensitivity Labels ). The child label name is unique even if the display name is not.
-
The Agent captures Microsoft’s label name and not the display name. In Microsoft MIP, as an admin you can change only the display, the label name remains the same. The Agent captures the label name even if the display name has been changed.
-
With Azure Information Protection (AIP), the Agent can extract labels and sub labels, because of the metadata on file for files labels coming from AIP.
For tracked files, the Agent only captures MIP labels when there is file activity. If an MIP label is changed in the background, for example in MS Azure, and there is no file activity, the label will not be updated in the ObserveIT database.