MIP Integration

MIP integration lets you integrate the Microsoft Information Protection (MIP) Unified Labeling solution with the ITM platform providing more context about user activities.

Microsoft MIP is a cloud-based solution that lets organizations classify documents and emails by applying labels to documents. In addition, the label can have a security policy assigned to it. From Microsoft products such as Azure and Outlook, labels can be applied to files by an administrator who can also define rules and conditions and manually applied by users. This solution is available by license from Microsoft.

MIP Overview

If a file has a MIP label, the Agent captures and extract the label and its attributes when:

• a file enters (downloaded to) an endpoint you want to monitor by Web download, cloud sync folder (Box only) or as an attachment to an email (Outlook or Apple Mail)

• a tracked file is copied, moved, renamed or deleted

• a file is exfiltrated by file upload, copying or moving it to a USB, copying or moving it to a cloud sync folder of a supported vendor or sending it as an email attachment (Outlook or Apple Mail)

Label Change

The Agent also detects MIP label changes on tracked files. This provides additional visibility when monitoring suspicious activity on sensitive files. Using label change detection when a file is exfiltrated lets you fine tune alerts, reduce noise and gives you a more comprehensive view of file activity.

For files with any of the following extensions: RTF, TXT, PNG, BMP, JPG, JPEG, XML, ZIP, upon adding or removing a label that has protection in a way that the file is renamed (for example, from .txt to .ptxt), the indication for Label Change in some cases is not displayed in the File History tab.

MIP Properties

The following properties from Microsoft MIP are brought in with the file by the Agent:

• Label Name: a file can have more than 1 label but each label must be for a different tenant.

• Label ID: a unique ID of the label from the tenant ID.

• Site ID (Tenant ID)

• Method: of applying the label, can be standard (default automatically applied) or privileged (manually applied)

• Set At: timestamp when label was applied

• Content ID (protection ID) & Kind: indication whether file is protected or not

• Enabled: indication whether the label is enabled in the administrator's MIP portal/organization

• Action ID: this ID changes each time a label is set

Supported File Types

Supported file types are: PDF, Microsoft Office (Word, Excel, PowerPoint), Microsoft Project: .mpp, .mpt, Microsoft Publisher: .pub, Microsoft XPS: .xps .oxps, Images: .jpg, .jpe, .jpeg, .jif, .jfif, .jfi. png, .tif, .tiff, .msg (can only apply labels that have protection), Adobe Photoshop: .psd, Text file, .RTF, .XML, .BMP, .Zip, Digital Negative: .dng, Autodesk Design Review 2013: .dwfx

Configuring MIP Labels

In order to integrate MIP labels, you must do the following:

1. Enable MIP label monitoring the in recording policy, see File Activity Monitoring Global Settings.

2. Set up in MIP label monitoring policies to activate label monitoring. In this configuration you define the tenant IDs that Microsoft assigned to your organization, see MIP Label Monitoring Policies.

Visibility

MIP Label information is visible from the User, Endpoint and File diaries.

User and Endpoint Diaries: You can see the MIP labels in the Summary and Timeline views. (See Session Details Views.)

File Diary: You can see the MIP labels in the File Activity and File History views. You can filter by MIP labels from the File Activity view. (See File Activity View and File History View.)

Alerts

You can create alerts by the MIP file label, Using the MIP helps you generate more exact alerts. For example, you might have 2 files with the same name but different labels. By creating an alert on the MIP label of the file, rather than just the file name, you eliminate noise of extra alerts.

For MIP Labels in alerts, see:

• Email - Did What

• Brought in a File - Did What

• Exfiltrated File - Did What