Updating Azure Purview Solution

Rhea Bansal 2021-12-13 17:03:33 -08:00
Родитель 70ecc3ce44
Коммит 1e1fde3ec3
12 изменённых файлов: 398 добавлений и 1872 удалений


@ -9,10 +9,6 @@
"Name": "PurviewTenantId",
"Type": "String"
},
{
"Name": "PurviewSubscriptionId",
"Type": "String"
},
{
"Name": "PurviewAccountName",
"Type": "String"
@ -46,7 +42,7 @@
"Type": "String"
},
{
"Name": "SourceOwner",
"Name": "SourceScanId",
"Type": "String"
},
{
@ -69,10 +65,6 @@
"Name": "AssetModifiedTime",
"Type": "DateTime"
},
{
"Name": "AssetOwner",
"Type": "String"
},
{
"Name": "AssetLastScanTime",
"Type": "DateTime"
@ -90,7 +82,7 @@
"Type": "String"
},
{
"Name": "ActivityTrigger",
"Name": "ClassificationTrigger",
"Type": "String"
},
{
@ -98,20 +90,20 @@
"Type": "Dynamic"
},
{
"Name": "ClassificationCount",
"Type": "Long"
"Name": "ClassificationDetails",
"Type": "Dynamic"
},
{
"Name": "SensitivityLabelGuid",
"Name": "SensitivityLabelTrigger",
"Type": "String"
},
{
"Name": "SensitivityLabelName",
"Name": "SensitivityLabel",
"Type": "String"
},
{
"Name": "UserId",
"Type": "String"
"Name": "SensitivityLabelDetails",
"Type": "Dynamic"
}
]
}



@ -1,36 +0,0 @@
id: 8001949e-8039-4e75-b9d2-7d591bcc7026
name: Social Security Numbers Discovered in the Last 24 Hours
description: |
'Identifies social security numbers that have been detected on assets
during a scan by Azure Purview. This can indicate an asset that should
be prioritized for protection. (An example is discovering when Social
Security Numbers are found, but the specific classification detected
can be adjusted to best fit the needs of the organization).'
severity: Low
requiredDataConnectors:
- connectorId: MicrosoftAzurePurview
dataTypes:
- PurviewDataSensitivityLogs
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Discovery
relevantTechniques:
- T1087
query: |
PurviewDataSensitivityLogs
| where Classification has "Social Security Number"
| where TimeGenerated > ago(24h)
entityMappings:
- entityType: AzureResource
fieldMappings:
- identifier: ResourceId
columnName: SourcePath
customDetails:
AssetName: AssetName
ClassificationCount: ClassificationCount
Classification: Classification
version: 1.0.0
kind: scheduled


@ -1,33 +0,0 @@
id: 3c1178c8-d3d2-459b-9c6e-96d48c29eaaa
name: Assets with a Confidential Label Discovered in the Last 24 Hours
description: |
'Identifies assets that have a specific label, like Confidential, that
have been discovered during a scan by Azure Purview.'
severity: Low
requiredDataConnectors:
- connectorId: MicrosoftAzurePurview
dataTypes:
- PurviewDataSensitivityLogs
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Discovery
relevantTechniques:
- T1087
query: |
PurviewDataSensitivityLogs
| where SensitivityLabelName contains "confidential"
| where TimeGenerated > ago(24h)
entityMappings:
- entityType: AzureResource
fieldMappings:
- identifier: ResourceId
columnName: SourcePath
customDetails:
AssetName: AssetName
ClassificationCount: ClassificationCount
Classification: Classification
version: 1.0.0
kind: scheduled


@ -1,37 +0,0 @@
id: c60ceb62-942f-4a7c-9eae-c643d5dd2900
name: Assets with Sensitive Data discovered in Test Data Sources in the Last 24 Hours
description: |
'Identifies assets with classifications that have been discovered to exist
within a specific data source during a scan by Azure Purview in the last
24 hours. (An example is discovering assets with source paths that
contain "test", but the source can be adjusted to best fit the needs
of the organization). '
severity: Low
requiredDataConnectors:
- connectorId: MicrosoftAzurePurview
dataTypes:
- PurviewDataSensitivityLogs
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Discovery
relevantTechniques:
- T1087
query: |
PurviewDataSensitivityLogs
| where ClassificationCount != 0
| where SourcePath contains "test"
| where TimeGenerated > ago(24h)
entityMappings:
- entityType: AzureResource
fieldMappings:
- identifier: ResourceId
columnName: SourcePath
customDetails:
AssetName: AssetName
ClassificationCount: ClassificationCount
Classification: Classification
version: 1.0.0
kind: scheduled


@ -1,36 +0,0 @@
id: 8e5ad39a-ebe0-4503-86fa-e8b2a85ac2e3
name: Assets with Sensitive Data Discovered in the East US in the Last 24 Hours
description: |
'Identifies assets containing classifications that have been discovered
to exist in a specific region during a scan by Azure Purview in the last
24 hours. (An example is discovering assets from the East US, but the
region can be adjusted to best fit the needs of the organization).'
severity: Low
requiredDataConnectors:
- connectorId: MicrosoftAzurePurview
dataTypes:
- PurviewDataSensitivityLogs
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Discovery
relevantTechniques:
- T1087
query: |
PurviewDataSensitivityLogs
| where ClassificationCount != 0
| where SourceRegion == "eastus"
| where TimeGenerated > ago(24h)
entityMappings:
- entityType: AzureResource
fieldMappings:
- identifier: ResourceId
columnName: SourcePath
customDetails:
AssetName: AssetName
ClassificationCount: ClassificationCount
Classification: Classification
version: 1.0.0
kind: scheduled


@ -0,0 +1,38 @@
id: 8001949e-8039-4e75-b9d2-7d591bcc7026
name: Sensitive Data Discovered in the Last 24 Hours
description: |
'Identifies all classifications that have been detected on assets during a scan by Azure Purview within the last 24 hours.'
severity: Informational
requiredDataConnectors:
- connectorId: MicrosoftAzurePurview
dataTypes:
- PurviewDataSensitivityLogs
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Discovery
relevantTechniques:
- T1087
query: |
PurviewDataSensitivityLogs
| where Classification != ""
| where TimeGenerated > ago(24h)
entityMappings:
- entityType: AzureResource
fieldMappings:
- identifier: ResourceId
columnName: SourcePath
customDetails:
AssetName: AssetName
Classification: Classification
AssetPath: AssetPath
SourceRegion: SourceRegion
PurviewAccount: PurviewAccount
LastScanTime: AssetLastScanTime
alertDetailsOverride:
alertDisplayNameFormat: 'Classifications discovered in {AssetName} by Azure Purview'
alertDescriptionFormat: 'Within the last 24 hours, Azure Purview ({PurviewAccountName}) scanned an asset that contained classifications within {SourceRegion}. The asset name is {AssetName} and the classifications discovered were {Classification}. The asset path is {AssetPath}'
version: 1.0.0
kind: scheduled
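Review bot: The `customDetails` entry `PurviewAccount: PurviewAccount` and the `{PurviewAccountName}` placeholder in `alertDescriptionFormat` disagree on the column name. The table schema and the workbook queries in this commit use `PurviewAccountName`, so the custom detail presumably maps to a column the query never returns; I would write `PurviewAccount: PurviewAccountName`. The two `alertDetailsOverride` strings also use single braces, whereas Microsoft Sentinel substitutes column values written as `{{AssetName}}`, so the alert title and description would likely show the placeholder text literally. The description also references five columns, and as far as I recall Sentinel limits each format string to three parameters; confirm this against the current rule schema. All of these points apply equally to the "Customized" rule added in the next file section.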


@ -0,0 +1,40 @@
id: f7f30247-04b7-4ef7-afa7-d8d9f36c6a3b
name: Sensitive Data Discovered in the Last 24 Hours - Customized
description: |
'Customized query used to identify specific classifications and parameters that have been discovered on assets in the last 24 hours by Azure Purview. By default, the query identifies Social Security Numbers detected, but the specific classification monitored along with other data fields can be adjusted. A list of supported Azure Purview classifications can be found here: https://docs.microsoft.com/azure/purview/supported-classifications'
severity: Informational
requiredDataConnectors:
- connectorId: MicrosoftAzurePurview
dataTypes:
- PurviewDataSensitivityLogs
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Discovery
relevantTechniques:
- T1087
query: |
PurviewDataSensitivityLogs
| where Classification contains "Social Security Number"
//| where SourceRegion == "westeurope"
//| where SourceType contains "Amazon"
| where TimeGenerated > ago(24h)
entityMappings:
- entityType: AzureResource
fieldMappings:
- identifier: ResourceId
columnName: SourcePath
customDetails:
AssetName: AssetName
Classification: Classification
AssetPath: AssetPath
SourceRegion: SourceRegion
PurviewAccount: PurviewAccount
LastScanTime: AssetLastScanTime
alertDetailsOverride:
alertDisplayNameFormat: 'Classifications discovered in {AssetName} by Azure Purview'
alertDescriptionFormat: 'Within the last 24 hours, Azure Purview ({PurviewAccountName}) scanned an asset that contained classifications within {SourceRegion}. The asset name is {AssetName} and the classifications discovered were {Classification}. The asset path is {AssetPath}'
version: 1.0.0
kind: scheduled
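Review bot: `relevantTechniques: T1087` is ATT&CK Account Discovery, which does not describe what this query reports: classifications that a Purview scan found on an asset. The rule therefore counts toward Discovery coverage without detecting any adversary behaviour, and the "Sensitive Data Discovered in the Last 24 Hours" rule in the previous file section carries the same mapping. Consider removing the technique, or stating in `description` that this is a data-inventory signal rather than a detection. Separately, `Classification contains "Social Security Number"` replaces the `has` used by the removed SSN rule; unless substring matching is intended, `| where Classification has "Social Security Number"` is the cheaper term-indexed form. The rule also reuses id `f7f30247-04b7-4ef7-afa7-d8d9f36c6a3b` from the removed Amazon rule with `version: 1.0.0` unchanged, so a version bump would let already-deployed copies be recognised as outdated.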


@ -1,31 +0,0 @@
id: f7f30247-04b7-4ef7-afa7-d8d9f36c6a3b
name: Assets from Amazon with Sensitive Data Discovered in the Last 24 Hours
description: |
'Identifies assets with classifications that have been discovered to exist
in a specific source type during a scan by Azure Purview in the last 24
hours. (An example is discovering assets from Amazon, but the source type
can be adjusted to best fit the needs of the organization). '
severity: Low
requiredDataConnectors:
- connectorId: MicrosoftAzurePurview
dataTypes:
- PurviewDataSensitivityLogs
queryFrequency: 24h
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Discovery
relevantTechniques:
- T1087
query: |
PurviewDataSensitivityLogs
| where ClassificationCount != 0
| where SourceType contains "Amazon"
| where TimeGenerated > ago(24h)
customDetails:
AssetName: AssetName
ClassificationCount: ClassificationCount
Classification: Classification
version: 1.0.0
kind: scheduled


@ -2,7 +2,7 @@
"id": "MicrosoftAzurePurview",
"title": "Azure Purview",
"publisher": "Microsoft",
"descriptionMarkdown": "Connect to Azure Purview. Azure Purview is a unified data governance service that helps you manage and govern your on-premises, multicloud, and software-as-a-service (SaaS) data. It creates a holistic, up-to-date map of your data landscape with automated data discovery, sensitive data classification, and end-to-end data lineage that empowers you to find valuable and trustworthy data.",
"descriptionMarkdown": "Connect to Azure Purview to enable data sensitivity enrichment of Microsoft Sentinel. Data classification and sensitivity label logs from Azure Purview scans can be ingested and visualized through workbooks, analytical rules, and more.",
"graphQueries": [
{
"metricName": "Total data received",
@ -38,7 +38,7 @@
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"permissionsDisplayText": "Azure Purview account Owner or Contributor role to set up Diagnostic Settings. Microsoft Contributor role with write permissions to enable data connector, view workbook, and create analytic rules.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
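Review bot: The new `permissionsDisplayText` names a "Microsoft Contributor role", which is not a role a reader can look up; presumably "Microsoft Sentinel Contributor" is meant, and the text should say so. It also asks for Owner or Contributor on the Purview account only to create Diagnostic Settings, which looks broader than the task needs. A role scoped to diagnostic-settings write, such as Monitoring Contributor, is probably sufficient, though this should be confirmed. The sentence sits under the `Microsoft.OperationalInsights/workspaces` provider entry although half of it concerns the Purview account. The `requiredPermissions` object continues outside the hunk, so whether its flags match the wording cannot be checked from here.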


@ -1,8 +1,8 @@
{
"Name": "Azure Purview",
"Name": "Azure Purview Solution",
"Author": "Nikhil Tripathi - v-ntripathi@microsoft.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\">",
"Description": "Azure Purview is a unified data governance service that helps you manage and govern your on-premises, multicloud, and software-as-a-service (SaaS) data. It creates a holistic, up-to-date map of your data landscape with automated data discovery, sensitive data classification, and end-to-end data lineage that empowers you to find valuable and trustworthy data.",
"Description": "The Azure Purview Solution enables data sensitivity enrichment of Microsoft Sentinel. Data classification and sensitivity label logs from Azure Purview scans are ingested and visualized through workbooks, analytical rules, and more.",
"Data Connectors": [
"Data Connectors/AzurePurview.json"
],
@ -10,11 +10,8 @@
"Workbooks/AzurePurview.json"
],
"Analytic Rules": [
"Analytic Rules/AzurePurviewClassificationAdded.yaml",
"Analytic Rules/AzurePurviewConfidentialLabelAdded.yaml",
"Analytic Rules/AzurePurviewDataSourceAssetAdded.yaml",
"Analytic Rules/AzurePurviewRegionClassificationAdded.yaml",
"Analytic Rules/AzurePurviewSourceTypeAdded.yaml"
"Analytic Rules/AzurePurviewSensitiveDataDiscovered.yaml",
"Analytic Rules/AzurePurviewSensitiveDataDiscoveredCustom.yaml"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\azure\\Solutions\\Azure Purview",


@ -55,7 +55,10 @@
},
"defaultValue": "value::all",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
"resourceType": "microsoft.operationalinsights/workspaces",
"value": [
"value::all"
]
},
{
"id": "ea62a59c-3799-400d-a7af-f0ad14cc46c7",
@ -68,7 +71,10 @@
"multiSelect": true,
"quote": "'",
"delimiter": ",",
"query": "PurviewDataSensitivityLogs\r\n| distinct SourceCollectionName \r\n| extend Collection = iff(SourceCollectionName == \"\",\"No Collection\", SourceCollectionName)\r\n| project Collection",
"query": "PurviewDataSensitivityLogs\r\n| where ActivityType == \"Classification\"\r\n| distinct SourceCollectionName \r\n| extend Collection = iff(SourceCollectionName == \"\",\"No Collection\", SourceCollectionName)\r\n| project Collection",
"value": [
"value::all"
],
"typeSettings": {
"additionalResourceOptions": [
"value::all"
@ -89,7 +95,7 @@
"multiSelect": true,
"quote": "",
"delimiter": ",",
"query": "PurviewDataSensitivityLogs\r\n| distinct SourceType ",
"query": "PurviewDataSensitivityLogs\r\n| where ActivityType == \"Classification\"\r\n| distinct SourceType ",
"value": [
"value::all"
],
@ -177,7 +183,7 @@
"size": 0,
"title": "Number of Sources by Region",
"timeContext": {
"durationMs": 0
"durationMs": 2592000000
},
"timeContextFromParameter": "Time",
"queryType": 0,
@ -214,7 +220,7 @@
"size": 0,
"title": "Number of Classified Assets Found Based on Resource Type",
"timeContext": {
"durationMs": 0
"durationMs": 2592000000
},
"timeContextFromParameter": "Time",
"queryType": 0,
@ -274,7 +280,7 @@
{
"type": 1,
"content": {
"json": "To use the Asset Drilldown view, select the row of the data source in the Sources table below to get a list of all assets scanned by Purview in that data source. To view the data source within the Azure portal, click on the data source hyperlink in the Sources table. Within the Assets Drilldown, click on the Asset Path hyperlink to view the Details pane.",
"json": "To use the Asset Drilldown view, select the row of the data source in the Sources table below to get a list of all assets scanned by Purview in that data source. Within the Assets Drilldown, click on the Asset Path hyperlink to view the Details pane. To view the data source within the Azure portal, click on the data source hyperlink in the Assets Drilldown table. ",
"style": "warning"
},
"conditionalVisibility": {
@ -299,6 +305,7 @@
"showRefreshButton": true,
"exportFieldName": "DataSource",
"exportParameterName": "UserSelectedDataSource",
"exportDefaultValue": "All",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@ -377,12 +384,12 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "\r\nlet classifiedAssets = PurviewDataSensitivityLogs\r\n| where ActivityType == \"Classification\" \r\n| where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n| where SourceType in~ (split(\"{DataSource}\", \",\"))\r\n| extend CollectionName = iff(SourceCollectionName == \"\",\"No Collection\",SourceCollectionName)\r\n| where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n| where (split(\"{UserSelectedDataSource:value}\", \", \")) contains SourcePath\r\n| summarize arg_max(TimeGenerated, PurviewTenantId, PurviewSubscriptionId, PurviewAccountName, PurviewRegion, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, SourceOwner, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetOwner, AssetLastScanTime, FileExtension, FileSize, ActivityType, ClassificationActivityTrigger = ActivityTrigger, Classification, ClassificationCount, UserId, SensitivityLabelGuid, SensitivityLabelName) by AssetPath \r\n| project TimeGenerated, PurviewTenantId, PurviewSubscriptionId, PurviewAccountName, PurviewRegion, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, SourceOwner, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetOwner, AssetLastScanTime, FileExtension, FileSize, ActivityType, ClassificationActivityTrigger, Classification, ClassificationCount, SensitivityLabelGuid, SensitivityLabelName, UserId;\r\n\r\nlet labeledAssets = PurviewDataSensitivityLogs\r\n| where ActivityType == \"Labeling\" \r\n| where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n| where SourceType in~ (split(\"{DataSource}\", \",\"))\r\n| where SensitivityLabelName != int(null)\r\n| extend SensitivityLabel = iif(isempty(SensitivityLabelName), \"No Label\", SensitivityLabelName)\r\n| summarize 
arg_max(SensitivityLabel, SourceType, ActivityTrigger) by AssetPath\r\n| project AssetPath, SensitivityLabel, SensitivityLabelActivityTrigger = ActivityTrigger;\r\n\r\nlet table = classifiedAssets\r\n| join kind= leftouter labeledAssets on AssetPath\r\n| project TimeGenerated, PurviewTenantId, PurviewSubscriptionId, PurviewAccountName, PurviewRegion, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, SourceOwner, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetOwner, AssetLastScanTime, FileExtension, FileSize, ActivityType, ClassificationActivityTrigger, SensitivityLabelActivityTrigger, Classification, ClassificationCount, SensitivityLabelGuid, SensitivityLabel, UserId\r\n| sort by ClassificationCount;\r\n\r\ntable\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n",
"query": "let ClassificationCountAdded = PurviewDataSensitivityLogs\r\n| where ActivityType == \"Classification\" \r\n| mv-expand ClassificationDetails\r\n| summarize ClassificationCount= sum(toint(ClassificationDetails[\"UniqueCount\"])) by AssetPath;\r\n\r\nlet classifiedAssets = PurviewDataSensitivityLogs\r\n| where ActivityType == \"Classification\" \r\n| where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n| where SourceType in~ (split(\"{DataSource}\", \",\"))\r\n| extend CollectionName = iff(SourceCollectionName == \"\",\"No Collection\",SourceCollectionName)\r\n| where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n| where \"{UserSelectedDataSource:value}\" == \"All\" or (split(\"{UserSelectedDataSource:value}\", \", \")) contains SourcePath;\r\n\r\nlet classifiedAssetsWithCounts = classifiedAssets \r\n| join ClassificationCountAdded on AssetPath\r\n| summarize arg_max(TimeGenerated, PurviewTenantId, PurviewAccountName, PurviewRegion, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetLastScanTime, FileExtension, FileSize, ActivityType, Classification, ClassificationCount, ClassificationTrigger, ClassificationDetails, SourceScanId) by AssetPath \r\n| project TimeGenerated, PurviewTenantId, PurviewAccountName, PurviewRegion, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetLastScanTime, FileExtension, FileSize, ActivityType, Classification, ClassificationCount, ClassificationTrigger, ClassificationDetails, SourceScanId;\r\n\r\nlet labeledAssets = PurviewDataSensitivityLogs\r\n| where ActivityType == \"Labeling\" \r\n| where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ 
(split(\"{PurviewAccount:label}\", \", \"))\r\n| where SourceType in~ (split(\"{DataSource}\", \",\"))\r\n| mv-expand SensitivityLabel to typeof(string)\r\n| where SensitivityLabel != int(null)\r\n//| extend SensitivityLabel = iif(isempty(SensitivityLabel), \"No Label\", SensitivityLabel)\r\n| mv-expand SensitivityLabelDetails\r\n| summarize arg_max(SensitivityLabel, SourceType, SensitivityLabelTrigger, SensitivityLabelDetails) by AssetPath\r\n| project AssetPath, SensitivityLabel, SensitivityLabelTrigger, SensitivityLabelDetails;\r\n\r\nlet table = classifiedAssetsWithCounts\r\n| join kind= leftouter labeledAssets on AssetPath\r\n| project TimeGenerated, PurviewTenantId, PurviewAccountName, PurviewRegion, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetLastScanTime, FileExtension, FileSize, ActivityType, ClassificationTrigger, Classification, ClassificationCount, ClassificationDetails, SensitivityLabelTrigger, SensitivityLabel, SensitivityLabelDetails, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, SourceScanId\r\n| sort by ClassificationCount;\r\n\r\ntable\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n",
"size": 0,
"showAnalytics": true,
"title": "Assets Drilldown",
"timeContext": {
"durationMs": 0
"durationMs": 2592000000
},
"timeContextFromParameter": "Time",
"showRefreshButton": true,
@ -400,10 +407,6 @@
"columnMatch": "PurviewTenantId",
"formatter": 5
},
{
"columnMatch": "PurviewSubscriptionId",
"formatter": 5
},
{
"columnMatch": "PurviewAccountName",
"formatter": 5
@ -412,34 +415,6 @@
"columnMatch": "PurviewRegion",
"formatter": 5
},
{
"columnMatch": "SourceName",
"formatter": 5
},
{
"columnMatch": "SourceType",
"formatter": 5
},
{
"columnMatch": "SourcePath",
"formatter": 5
},
{
"columnMatch": "SourceSubscriptionId",
"formatter": 5
},
{
"columnMatch": "SourceRegion",
"formatter": 5
},
{
"columnMatch": "SourceCollectionName",
"formatter": 5
},
{
"columnMatch": "SourceOwner",
"formatter": 5
},
{
"columnMatch": "AssetName",
"formatter": 5
@ -465,10 +440,6 @@
"columnMatch": "AssetModifiedTime",
"formatter": 5
},
{
"columnMatch": "AssetOwner",
"formatter": 5
},
{
"columnMatch": "AssetLastScanTime",
"formatter": 5
@ -482,11 +453,7 @@
"formatter": 5
},
{
"columnMatch": "ClassificationActivityTrigger",
"formatter": 5
},
{
"columnMatch": "SensitivityLabelActivityTrigger",
"columnMatch": "ActivityType",
"formatter": 5
},
{
@ -500,6 +467,81 @@
"palette": "blue"
}
},
{
"columnMatch": "ClassificationDetails",
"formatter": 5
},
{
"columnMatch": "SensitivityLabel",
"formatter": 0,
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal"
},
"emptyValCustomText": "No Label"
}
},
{
"columnMatch": "SensitivityLabelTrigger",
"formatter": 5
},
{
"columnMatch": "SensitivityLabelDetails",
"formatter": 5
},
{
"columnMatch": "SourceName",
"formatter": 5
},
{
"columnMatch": "SourceType",
"formatter": 5
},
{
"columnMatch": "SourcePath",
"formatter": 13,
"formatOptions": {
"linkTarget": "Resource",
"showIcon": true
}
},
{
"columnMatch": "SourceSubscriptionId",
"formatter": 5
},
{
"columnMatch": "SourceRegion",
"formatter": 5
},
{
"columnMatch": "SourceCollectionName",
"formatter": 5
},
{
"columnMatch": "SourceScanId",
"formatter": 5
},
{
"columnMatch": "PurviewSubscriptionId",
"formatter": 5
},
{
"columnMatch": "SourceOwner",
"formatter": 5
},
{
"columnMatch": "AssetOwner",
"formatter": 5
},
{
"columnMatch": "ClassificationActivityTrigger",
"formatter": 5
},
{
"columnMatch": "SensitivityLabelActivityTrigger",
"formatter": 5
},
{
"columnMatch": "SensitivityLabelGuid",
"formatter": 5
@ -520,72 +562,24 @@
}
}
],
"rowLimit": 1000,
"filter": true,
"labelSettings": [
{
"columnId": "TimeGenerated"
},
{
"columnId": "PurviewTenantId"
},
{
"columnId": "PurviewSubscriptionId"
},
{
"columnId": "PurviewAccountName"
},
{
"columnId": "PurviewRegion"
},
{
"columnId": "SourceName"
},
{
"columnId": "SourceType"
},
{
"columnId": "SourcePath"
},
{
"columnId": "SourceSubscriptionId"
},
{
"columnId": "SourceRegion"
},
{
"columnId": "SourceCollectionName"
},
{
"columnId": "AssetName"
},
{
"columnId": "AssetPath",
"label": "Asset Path"
},
{
"columnId": "AssetType"
},
{
"columnId": "AssetModifiedTime"
},
{
"columnId": "AssetLastScanTime"
},
{
"columnId": "FileExtension"
},
{
"columnId": "FileSize"
},
{
"columnId": "ActivityType"
},
{
"columnId": "Classification"
},
{
"columnId": "ClassificationCount",
"label": "Classification Count"
},
{
"columnId": "SensitivityLabel",
"label": "Sensitivity Label"
},
{
"columnId": "SourcePath",
"label": "Data Source"
}
]
}
@ -618,92 +612,16 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let TopClassifications = PurviewDataSensitivityLogs\r\n| where ActivityType == \"Classification\" \r\n| where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n| where \"{DataSource:label}\" == \"All\" or SourceType in~ (split(\"{DataSource:label}\", \", \"))\r\n| extend CollectionName = iff(SourceCollectionName == \"\",\"No Collection\",SourceCollectionName)\r\n| where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n| summarize arg_max(TimeGenerated, Classification, FileSize, AssetType) by AssetPath \r\n| extend classifications = split(Classification, ',')\r\n| mv-expand classifications\r\n| extend Classification = trim(@\"[^\\w]+\", tostring(classifications))\r\n| where Classification != \"\"\r\n| distinct AssetPath, Classification\r\n| summarize AssetCount = count() by Classification \r\n| top 5 by AssetCount;\r\n\r\nTopClassifications\r\n",
"query": "PurviewDataSensitivityLogs\r\n| where ActivityType == \"Classification\"\r\n| where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n| where \"{DataSource:label}\" == \"All\" or SourceType in~ (split(\"{DataSource:label}\", \", \"))\r\n| extend CollectionName = iff(SourceCollectionName == \"\",\"No Collection\",SourceCollectionName)\r\n| where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n| where Classification != \"\"\r\n| summarize ClassifiedAssetCount = count() by DateClassified = bin(TimeGenerated, 1d), SourceType",
"size": 0,
"title": "Top Classifications",
"title": "Classification Events",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "Time",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart",
"gridSettings": {
"formatters": [
{
"columnMatch": "SourceType_s",
"formatter": 1
},
{
"columnMatch": "AssetCount",
"formatter": 4,
"formatOptions": {
"palette": "blue"
}
}
]
},
"tileSettings": {
"titleContent": {
"columnMatch": "Classification",
"formatter": 1
},
"leftContent": {
"columnMatch": "AssetCount",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"showBorder": false,
"sortCriteriaField": "AssetCount",
"sortOrderField": 2,
"size": "auto"
},
"graphSettings": {
"type": 0,
"topContent": {
"columnMatch": "Classification",
"formatter": 1
},
"centerContent": {
"columnMatch": "AssetCount",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
},
"chartSettings": {
"yAxis": [
"AssetCount"
],
"showLegend": true
},
"mapSettings": {
"locInfo": "LatLong",
"sizeSettings": "AssetCount",
"sizeAggregation": "Sum",
"legendMetric": "AssetCount",
"legendAggregation": "Sum",
"itemColorSettings": {
"type": "heatmap",
"colorAggregation": "Sum",
"nodeColorField": "AssetCount",
"heatmapPalette": "greenRed"
}
}
"visualization": "barchart"
},
"conditionalVisibility": {
"parameterName": "Tab",
@ -711,7 +629,7 @@
"value": "Classification"
},
"customWidth": "50",
"name": "query - 7 - Copy",
"name": "query - 21",
"styleSettings": {
"showBorder": true
}
@ -720,7 +638,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let TopClassifiedAssets = PurviewDataSensitivityLogs\r\n| where ActivityType == \"Classification\" \r\n| where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n| where \"{DataSource:label}\" == \"All\" or SourceType in~ (split(\"{DataSource:label}\", \", \"))\r\n| extend CollectionName = iff(SourceCollectionName == \"\",\"No Collection\",SourceCollectionName)\r\n| where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n| summarize arg_max(TimeGenerated, Classification, ClassificationCount, AssetName, AssetType, AssetPath, FileExtension, FileSize, SourceType, SourcePath) by AssetPath \r\n| project AssetPath, SourcePath, ClassificationCount\r\n| top 4 by ClassificationCount;\r\n\r\nTopClassifiedAssets",
"query": "let ClassificationCountAdded = PurviewDataSensitivityLogs\r\n| where ActivityType == \"Classification\" \r\n| mvexpand ClassificationDetails\r\n| summarize ClassificationCount= sum(toint(ClassificationDetails[\"UniqueCount\"])) by AssetPath;\r\nlet TopClassifiedAssets = PurviewDataSensitivityLogs\r\n| where ActivityType == \"Classification\" \r\n| where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n| where \"{DataSource:label}\" == \"All\" or SourceType in~ (split(\"{DataSource:label}\", \", \"))\r\n| extend CollectionName = iff(SourceCollectionName == \"\",\"No Collection\",SourceCollectionName)\r\n| where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"));\r\n\r\nTopClassifiedAssets | join ClassificationCountAdded on AssetPath \r\n| summarize arg_max(TimeGenerated, Classification, ClassificationCount, AssetName, AssetType, AssetPath, FileExtension, FileSize, SourceType, SourcePath) by AssetPath \r\n| project AssetPath, SourcePath, ClassificationCount\r\n| top 4 by ClassificationCount;",
"size": 0,
"title": "Top Assets with Classifications",
"timeContext": {
@ -773,7 +691,7 @@
{
"type": 1,
"content": {
"json": "To use the Classifications Drilldown view, select a Classification in the Classifications table below to get a list all assets scanned by Purview with that classification. Within the Classifications Drilldown, click on the Asset Path hyperlink to view the Details pane.",
"json": "To use the Classifications Drilldown view, select a Classification in the Classifications table below to get a list all assets scanned by Purview with that classification. Within the Asset Level Drilldown, click on the Asset Path hyperlink to view the Details pane. To view the data source within the Azure portal, click on the data source hyperlink in the Asset Level Drilldown table.",
"style": "warning"
},
"conditionalVisibility": {
@ -787,17 +705,18 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let Classifications = PurviewDataSensitivityLogs\r\n| where ActivityType == \"Classification\"\r\n| where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n| where \"{DataSource:label}\" == \"All\" or SourceType in~ (split(\"{DataSource:label}\", \", \"))\r\n| extend CollectionName = iff(SourceCollectionName == \"\",\"No Collection\",SourceCollectionName)\r\n| where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n| summarize arg_max(TimeGenerated, Classification, FileSize, AssetType) by AssetPath \r\n| extend classifications = split(Classification, ',')\r\n| mv-expand classifications\r\n| extend Classification = trim(@\"[^\\w]+\", tostring(classifications))\r\n| where Classification != \"\"\r\n| summarize FileSize = round(sum(FileSize)/1000000,2), AssetCount = count() by Classification\r\n| project Classification, FileSize, AssetCount;\r\n\r\nClassifications\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n",
"query": "let Classifications = PurviewDataSensitivityLogs\r\n| where ActivityType == \"Classification\"\r\n| where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n| where \"{DataSource:label}\" == \"All\" or SourceType in~ (split(\"{DataSource:label}\", \", \"))\r\n| extend CollectionName = iff(SourceCollectionName == \"\",\"No Collection\",SourceCollectionName)\r\n| where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n| summarize arg_max(TimeGenerated, Classification, FileSize, AssetType) by AssetPath \r\n| extend classifications = split(Classification, ',')\r\n| mv-expand classifications\r\n| extend Classification = trim(@\"[^\\w]+\", tostring(classifications))\r\n| where Classification != \"\"\r\n| summarize FileSize = round(sum(FileSize)/1000000,2), AssetCount = count() by Classification\r\n| project Classification, AssetCount, FileSize;\r\n\r\nClassifications\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n",
"size": 0,
"showAnalytics": true,
"title": "Classifications",
"timeContext": {
"durationMs": 0
"durationMs": 2592000000
},
"timeContextFromParameter": "Time",
"showRefreshButton": true,
"exportFieldName": "Classification",
"exportParameterName": "UserSelectedClassification",
"exportDefaultValue": "All",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@ -831,27 +750,24 @@
"filter": true,
"sortBy": [
{
"itemKey": "$gen_bar_AssetCount_2",
"itemKey": "$gen_bar_AssetCount_1",
"sortOrder": 2
}
],
"labelSettings": [
{
"columnId": "Classification"
"columnId": "AssetCount",
"label": "Classified Asset Count"
},
{
"columnId": "FileSize",
"label": "Total Size of Files (MB)"
},
{
"columnId": "AssetCount",
"label": "Classified Asset Count"
}
]
},
"sortBy": [
{
"itemKey": "$gen_bar_AssetCount_2",
"itemKey": "$gen_bar_AssetCount_1",
"sortOrder": 2
}
],
@ -892,7 +808,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let ClassificationsDrilldown = PurviewDataSensitivityLogs\r\n| where ActivityType == \"Classification\" \r\n| where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n| where \"{DataSource:label}\" == \"All\" or SourceType in~ (split(\"{DataSource:label}\", \", \"))\r\n| extend CollectionName = iff(SourceCollectionName == \"\",\"No Collection\",SourceCollectionName)\r\n| where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n| extend classifications = split(Classification, ',')\r\n| mv-expand classifications\r\n| extend Classification = trim(@\"[^\\w]+\", tostring(classifications))\r\n| where Classification != \"\"\r\n| where (split(\"{UserSelectedClassification:label}\", \", \")) contains Classification\r\n| summarize arg_max(TimeGenerated, PurviewTenantId, PurviewSubscriptionId, PurviewAccountName, PurviewRegion, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, SourceOwner, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetOwner, AssetLastScanTime, FileExtension, FileSize, ActivityType, ActivityTrigger, Classification, ClassificationCount, SensitivityLabelGuid, SensitivityLabelName, UserId) by AssetPath \r\n| project TimeGenerated, PurviewTenantId, PurviewSubscriptionId, PurviewAccountName, PurviewRegion, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, SourceOwner, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetOwner, AssetLastScanTime, FileExtension, FileSize, ActivityType, ActivityTrigger, Classification, ClassificationCount, SensitivityLabelGuid, SensitivityLabelName, UserId;\r\n\r\nClassificationsDrilldown\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n",
"query": "let ClassificationCountColumn = PurviewDataSensitivityLogs\r\n| mv-expand ClassificationDetails\r\n| summarize ClassificationCount = sum(toint(ClassificationDetails[\"UniqueCount\"])) by AssetPath;\r\nlet ClassificationsDrilldown = PurviewDataSensitivityLogs\r\n| where ActivityType == \"Classification\" \r\n| where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n| where \"{DataSource:label}\" == \"All\" or SourceType in~ (split(\"{DataSource:label}\", \", \"))\r\n| extend CollectionName = iff(SourceCollectionName == \"\",\"No Collection\",SourceCollectionName)\r\n| where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n| extend classifications = split(Classification, ',')\r\n| mv-expand classifications\r\n| extend Classification = trim(@\"[^\\w]+\", tostring(classifications))\r\n| where Classification != \"\"\r\n| where \"{UserSelectedClassification:label}\" == \"All\" or (split(\"{UserSelectedClassification:label}\", \", \")) contains Classification;\r\n\r\nClassificationsDrilldown | join ClassificationCountColumn on AssetPath\r\n| summarize arg_max(TimeGenerated, PurviewTenantId, PurviewAccountName, PurviewRegion, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetLastScanTime, FileExtension, FileSize, ActivityType, ClassificationTrigger, Classification, ClassificationCount, ClassificationDetails, SourceScanId) by AssetPath \r\n| project TimeGenerated, PurviewTenantId, PurviewAccountName, PurviewRegion, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetLastScanTime, FileExtension, FileSize, ActivityType, ClassificationTrigger, Classification, ClassificationCount, ClassificationDetails, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, 
SourceScanId;\r\n\r\nClassificationsDrilldown\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n",
"size": 0,
"showAnalytics": true,
"title": "Classifications Drilldown- Asset Level",
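Review bot: `ClassificationCountColumn` in the new query sums `UniqueCount` over every row in the time range, with no `ActivityType` filter and no latest-record selection, while the rest of the query keeps only the newest row per `AssetPath` via `arg_max(TimeGenerated, …)`. If an asset is logged on more than one scan, its count is added up across scans and the drilldown overstates how much classified data the asset holds, which skews triage. I would start the let with `| where ActivityType == "Classification"` and `| summarize arg_max(TimeGenerated, ClassificationDetails) by AssetPath` before the `mv-expand`; the "Top Assets with Classifications" query earlier in this file sums across all rows in the same way. The trailing `ClassificationsDrilldown` statement after the joined pipeline also looks like a leftover and should be removed so the grid can only render the joined result.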
@ -914,10 +830,6 @@
"columnMatch": "PurviewTenantId",
"formatter": 5
},
{
"columnMatch": "PurviewSubscriptionId",
"formatter": 5
},
{
"columnMatch": "PurviewAccountName",
"formatter": 5
@ -926,34 +838,6 @@
"columnMatch": "PurviewRegion",
"formatter": 5
},
{
"columnMatch": "SourceName",
"formatter": 5
},
{
"columnMatch": "SourceType",
"formatter": 5
},
{
"columnMatch": "SourcePath",
"formatter": 5
},
{
"columnMatch": "SourceSubscriptionId",
"formatter": 5
},
{
"columnMatch": "SourceRegion",
"formatter": 5
},
{
"columnMatch": "SourceCollectionName",
"formatter": 5
},
{
"columnMatch": "SourceOwner",
"formatter": 5
},
{
"columnMatch": "AssetName",
"formatter": 5
@ -979,10 +863,6 @@
"columnMatch": "AssetModifiedTime",
"formatter": 5
},
{
"columnMatch": "AssetOwner",
"formatter": 5
},
{
"columnMatch": "AssetLastScanTime",
"formatter": 0,
@ -1003,11 +883,55 @@
"formatter": 5
},
{
"columnMatch": "ActivityTrigger",
"columnMatch": "Classification",
"formatter": 5
},
{
"columnMatch": "Classification",
"columnMatch": "SourceName",
"formatter": 5
},
{
"columnMatch": "SourceType",
"formatter": 5
},
{
"columnMatch": "SourcePath",
"formatter": 13,
"formatOptions": {
"linkTarget": "Resource",
"showIcon": true
}
},
{
"columnMatch": "SourceSubscriptionId",
"formatter": 5
},
{
"columnMatch": "SourceRegion",
"formatter": 5
},
{
"columnMatch": "SourceCollectionName",
"formatter": 5
},
{
"columnMatch": "SourceScanId",
"formatter": 5
},
{
"columnMatch": "PurviewSubscriptionId",
"formatter": 5
},
{
"columnMatch": "SourceOwner",
"formatter": 5
},
{
"columnMatch": "AssetOwner",
"formatter": 5
},
{
"columnMatch": "ActivityTrigger",
"formatter": 5
},
{
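Review bot: The formatter entries added here for `PurviewSubscriptionId`, `SourceOwner`, `AssetOwner` and `ActivityTrigger` match columns that the new drilldown query no longer projects, and that the schema file in this commit appears to drop or rename, so they are dead configuration. Removing them keeps the grid settings in step with the query and avoids suggesting to the next analyst that owner or subscription data is still collected. The Sensitivity Labels drilldown grid further down re-adds the same four entries plus `SensitivityLabelName`. The formatter list continues outside this hunk.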
@ -1023,7 +947,21 @@
"formatter": 5
}
],
"filter": true
"filter": true,
"labelSettings": [
{
"columnId": "AssetPath",
"label": "Asset Path"
},
{
"columnId": "AssetLastScanTime",
"label": "Asset Last Scan Time"
},
{
"columnId": "SourcePath",
"label": "Data Source"
}
]
},
"sortBy": []
},
@ -1055,39 +993,16 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let SensitivityLabelsCount = PurviewDataSensitivityLogs\r\n| where ActivityType == \"Labeling\" \r\n| where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n| where \"{DataSource:label}\" == \"All\" or SourceType in~ (split(\"{DataSource:label}\", \", \"))\r\n| extend CollectionName = iff(SourceCollectionName == \"\",\"No Collection\",SourceCollectionName)\r\n| where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n| where SensitivityLabelName != \"\"\r\n| summarize arg_max(SensitivityLabelName, SourceType) by AssetPath \r\n| summarize LabelCount = count() by SensitivityLabelName, SourceType;\r\n\r\nSensitivityLabelsCount",
"query": "PurviewDataSensitivityLogs\r\n| where ActivityType == \"Labeling\" \r\n| where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n| where \"{DataSource:label}\" == \"All\" or SourceType in~ (split(\"{DataSource:label}\", \", \"))\r\n| extend CollectionName = iff(SourceCollectionName == \"\",\"No Collection\",SourceCollectionName)\r\n| where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n| where SensitivityLabel != \"\"\r\n| summarize LabeledAssetCount = count() by DateClassified = bin(TimeGenerated, 1d), SourceType",
"size": 0,
"title": "Sensitivity Labels Count",
"title": "Sensitivity Labeling Events",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "Time",
"exportFieldName": "SensitivityLabelName",
"exportParameterName": "UserSelectedLabel",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "barchart",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "SensitivityLabelName",
"formatter": 1
},
"leftContent": {
"columnMatch": "LabelCount",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
"visualization": "barchart"
},
"conditionalVisibility": {
"parameterName": "Tab",
@ -1095,7 +1010,7 @@
"value": "Labels"
},
"customWidth": "50",
"name": "query - 14",
"name": "query - 21",
"styleSettings": {
"showBorder": true
}
@ -1104,7 +1019,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let LabelPercentage = PurviewDataSensitivityLogs\r\n| where ActivityType == \"Labeling\"\r\n| where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n| where \"{DataSource:label}\" == \"All\" or SourceType in~ (split(\"{DataSource:label}\", \", \"))\r\n| extend CollectionName = iff(SourceCollectionName == \"\",\"No Collection\",SourceCollectionName)\r\n| where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n| summarize arg_max(AssetName, SensitivityLabelName, SourceType) by AssetPath \r\n| summarize LabelCount = count() by SensitivityLabelName, SourceType;\r\n\r\nLabelPercentage;\r\n",
"query": "let LabelPercentage = PurviewDataSensitivityLogs\r\n| where ActivityType == \"Labeling\"\r\n| where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n| where \"{DataSource:label}\" == \"All\" or SourceType in~ (split(\"{DataSource:label}\", \", \"))\r\n| extend CollectionName = iff(SourceCollectionName == \"\",\"No Collection\",SourceCollectionName)\r\n| where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n| mv-expand SensitivityLabel\r\n| summarize arg_max(AssetName, tostring(SensitivityLabel), SourceType) by AssetPath \r\n| summarize LabelCount = count() by SensitivityLabel, SourceType;\r\n\r\nLabelPercentage;\r\n",
"size": 3,
"title": "Percentage of Labels Applied",
"timeContext": {
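Review bot: The added `mv-expand SensitivityLabel` is undone by the next line, because `arg_max(AssetName, …) by AssetPath` keeps a single row per asset and picks it by the greatest `AssetName` rather than by time. An asset that carries several labels is therefore counted under only one of them, so the chart can under-report the others. Selecting the latest record first and expanding afterwards avoids that: `| summarize arg_max(TimeGenerated, SensitivityLabel, SourceType) by AssetPath` followed by `| mv-expand SensitivityLabel to typeof(string)`. The "Sensitivity Labels" table query in the next hunk has the same shape with `arg_max(newSensitivityLabel, …)`, and it also leaves a commented-out `iff(…)` inside the query string that should be deleted.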
@ -1221,17 +1136,17 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let SensitivityLabels = PurviewDataSensitivityLogs\r\n| where ActivityType == \"Labeling\" \r\n| where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n| where \"{DataSource:label}\" == \"All\" or SourceType in~ (split(\"{DataSource:label}\", \", \"))\r\n| extend CollectionName = iff(SourceCollectionName == \"\",\"No Collection\",SourceCollectionName)\r\n| where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n| extend newSensitivityLabelName = iff(SensitivityLabelName == \"\", \"No Label\", SensitivityLabelName)\r\n| summarize arg_max(newSensitivityLabelName, SourceType, FileSize) by AssetPath \r\n| summarize FileSize = round(sum(FileSize)/1000000,2), AssetCount = count() by newSensitivityLabelName\r\n| sort by AssetCount;\r\n\r\nSensitivityLabels",
"query": "let SensitivityLabels = PurviewDataSensitivityLogs\r\n| where ActivityType == \"Labeling\" \r\n| where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n| where \"{DataSource:label}\" == \"All\" or SourceType in~ (split(\"{DataSource:label}\", \", \"))\r\n| extend CollectionName = iff(SourceCollectionName == \"\",\"No Collection\",SourceCollectionName)\r\n| where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n| mv-expand SensitivityLabel\r\n| extend newSensitivityLabel = tostring(SensitivityLabel) //iff(SensitivityLabel== \"\", \"No Label\", SensitivityLabel)\r\n| summarize arg_max(newSensitivityLabel, SourceType, FileSize) by AssetPath \r\n| summarize FileSize = round(sum(FileSize)/1000000,2), AssetCount = count() by newSensitivityLabel\r\n| sort by AssetCount;\r\n\r\nSensitivityLabels",
"size": 0,
"showAnalytics": true,
"title": "Sensitivity Labels",
"timeContext": {
"durationMs": 2592000000
},
"timeContextFromParameter": "Time",
"showRefreshButton": true,
"exportFieldName": "newSensitivityLabelName",
"exportFieldName": "newSensitivityLabel",
"exportParameterName": "UserSelectedLabel",
"exportDefaultValue": "All",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@ -1239,10 +1154,14 @@
"gridSettings": {
"formatters": [
{
"columnMatch": "SensitivityLabelName",
"formatter": 1,
"formatOptions": {
"customColumnWidthSetting": "60ch"
"columnMatch": "newSensitivityLabel",
"formatter": 0,
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal"
},
"emptyValCustomText": "No Label"
}
},
{
@ -1260,13 +1179,26 @@
"palette": "blue",
"customColumnWidthSetting": "20ch"
}
},
{
"columnMatch": "SensitivityLabelName",
"formatter": 1,
"formatOptions": {
"customColumnWidthSetting": "60ch"
},
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal"
}
}
}
],
"filter": true,
"labelSettings": [
{
"columnId": "newSensitivityLabelName",
"label": "Label"
"columnId": "newSensitivityLabel",
"label": "Sensitivity Label"
},
{
"columnId": "FileSize",
@ -1278,6 +1210,7 @@
}
]
},
"sortBy": [],
"tileSettings": {
"showBorder": false,
"titleContent": {
@ -1315,7 +1248,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let labelDrilldown = PurviewDataSensitivityLogs\r\n| where ActivityType == \"Labeling\" \r\n| where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n| where \"{DataSource:label}\" == \"All\" or SourceType in~ (split(\"{DataSource:label}\", \", \"))\r\n| extend CollectionName = iff(SourceCollectionName == \"\",\"No Collection\",SourceCollectionName)\r\n| where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n| extend SensitivityLabel = iif(isempty(SensitivityLabelName), \"No Label\", SensitivityLabelName)\r\n| where (split(\"{UserSelectedLabel:label}\", \", \")) contains SensitivityLabel\r\n| summarize arg_max(TimeGenerated, PurviewTenantId, PurviewSubscriptionId, PurviewAccountName, PurviewRegion, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, SourceOwner, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetOwner, AssetLastScanTime, FileExtension, FileSize, ActivityType, ActivityTrigger, Classification, ClassificationCount, SensitivityLabelGuid, SensitivityLabel, UserId) by AssetPath \r\n| project TimeGenerated, PurviewTenantId, PurviewSubscriptionId, PurviewAccountName, PurviewRegion, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, SourceOwner, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetOwner, AssetLastScanTime, FileExtension, FileSize, ActivityType, ActivityTrigger, Classification, ClassificationCount, SensitivityLabelGuid, SensitivityLabel, UserId;\r\n\r\nlabelDrilldown",
"query": "let labelDrilldown = PurviewDataSensitivityLogs\r\n| where ActivityType == \"Labeling\" \r\n| where \"{PurviewAccount:label}\" == \"All\" or PurviewAccountName in~ (split(\"{PurviewAccount:label}\", \", \"))\r\n| where \"{DataSource:label}\" == \"All\" or SourceType in~ (split(\"{DataSource:label}\", \", \"))\r\n| extend CollectionName = iff(SourceCollectionName == \"\",\"No Collection\",SourceCollectionName)\r\n| where \"{Collection:label}\" == \"All\" or CollectionName in~ (split(\"{Collection:label}\", \", \"))\r\n| mv-expand SensitivityLabel to typeof(string)\r\n| mv-expand SensitivityLabelDetails to typeof(string)\r\n| where \"{UserSelectedLabel:label}\" == \"All\" or \"{UserSelectedLabel:label}\" == SensitivityLabel\r\n| summarize arg_max(TimeGenerated, PurviewTenantId, PurviewAccountName, PurviewRegion, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetLastScanTime, FileExtension, FileSize, ActivityType, SensitivityLabelTrigger, SensitivityLabel, SensitivityLabelDetails, SourceScanId) by AssetPath \r\n| project TimeGenerated, PurviewTenantId, PurviewAccountName, PurviewRegion, AssetName, AssetPath, AssetType, AssetCreationTime, AssetModifiedTime, AssetLastScanTime, FileExtension, FileSize, ActivityType, SensitivityLabelTrigger, SensitivityLabel, SensitivityLabelDetails, SourceName, SourceType, SourcePath, SourceSubscriptionId, SourceRegion, SourceCollectionName, SourceScanId;\r\n\r\nlabelDrilldown",
"size": 0,
"showAnalytics": true,
"title": "Sensitivity Labels Drilldown- Asset Level",
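Review bot: Two consecutive `mv-expand` operators in the new query pair every `SensitivityLabel` value with every `SensitivityLabelDetails` entry, and the following `arg_max(TimeGenerated, …) by AssetPath` then keeps just one of those pairs, so the label shown can sit next to details that belong to a different label. If the two arrays are index-aligned (not visible here), expand them together: `| mv-expand SensitivityLabel to typeof(string), SensitivityLabelDetails to typeof(string)`. The schema file in this commit also lists `SensitivityLabel` as `String`, so it is worth confirming that the column really arrives as a dynamic array before relying on `mv-expand`.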
@ -1337,10 +1270,6 @@
"columnMatch": "PurviewTenantId",
"formatter": 5
},
{
"columnMatch": "PurviewSubscriptionId",
"formatter": 5
},
{
"columnMatch": "PurviewAccountName",
"formatter": 5
@ -1349,34 +1278,6 @@
"columnMatch": "PurviewRegion",
"formatter": 5
},
{
"columnMatch": "SourceName",
"formatter": 5
},
{
"columnMatch": "SourceType",
"formatter": 5
},
{
"columnMatch": "SourcePath",
"formatter": 5
},
{
"columnMatch": "SourceSubscriptionId",
"formatter": 5
},
{
"columnMatch": "SourceRegion",
"formatter": 5
},
{
"columnMatch": "SourceCollectionName",
"formatter": 5
},
{
"columnMatch": "SourceOwner",
"formatter": 5
},
{
"columnMatch": "AssetName",
"formatter": 5
@ -1402,10 +1303,6 @@
"columnMatch": "AssetModifiedTime",
"formatter": 5
},
{
"columnMatch": "AssetOwner",
"formatter": 5
},
{
"columnMatch": "FileExtension",
"formatter": 5
@ -1418,6 +1315,94 @@
"columnMatch": "ActivityType",
"formatter": 5
},
{
"columnMatch": "SensitivityLabelTrigger",
"formatter": 5,
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal"
},
"emptyValCustomText": "No Label"
}
},
{
"columnMatch": "SensitivityLabel",
"formatter": 0,
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal"
},
"emptyValCustomText": "No Label"
}
},
{
"columnMatch": "SensitivityLabelDetails",
"formatter": 5,
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal"
},
"emptyValCustomText": "No Label"
}
},
{
"columnMatch": "SourceName",
"formatter": 5
},
{
"columnMatch": "SourceType",
"formatter": 5
},
{
"columnMatch": "SourcePath",
"formatter": 13,
"formatOptions": {
"linkTarget": "Resource",
"showIcon": true
}
},
{
"columnMatch": "SourceSubscriptionId",
"formatter": 5
},
{
"columnMatch": "SourceRegion",
"formatter": 5
},
{
"columnMatch": "SourceCollectionName",
"formatter": 5
},
{
"columnMatch": "SourceScanId",
"formatter": 5
},
{
"columnMatch": "SensitivityLabelName",
"formatter": 0,
"numberFormat": {
"unit": 0,
"options": {
"style": "decimal"
},
"emptyValCustomText": "No Label"
}
},
{
"columnMatch": "PurviewSubscriptionId",
"formatter": 5
},
{
"columnMatch": "SourceOwner",
"formatter": 5
},
{
"columnMatch": "AssetOwner",
"formatter": 5
},
{
"columnMatch": "ActivityTrigger",
"formatter": 5
@ -1434,10 +1419,6 @@
"columnMatch": "SensitivityLabelGuid",
"formatter": 5
},
{
"columnMatch": "SensitivityLabel",
"formatter": 5
},
{
"columnMatch": "UserId",
"formatter": 5