Integrate Microsoft Purview with Azure security products

This document explains the steps required for connecting a Microsoft Purview account with various Azure security products to enrich security experiences with data classifications and sensitivity labels.

Microsoft Defender for Cloud

Microsoft Purview provides rich insights into the sensitivity of your data. This makes it valuable to security teams using Microsoft Defender for Cloud to manage the organization’s security posture and protect against threats to their workloads. Data resources remain a popular target for malicious actors, making it crucial for security teams to identify, prioritize, and secure sensitive data resources across their cloud environments. The integration with Microsoft Purview expands visibility into the data layer, enabling security teams to prioritize resources that contain sensitive data.

Supported data sources

The integration supports data sources in Azure and AWS; sensitive data discovered in these resources is shared with Microsoft Defender for Cloud:

• Azure Blob Storage
• Azure Cosmos DB
• Azure Data Explorer
• Azure Data Lake Storage Gen1
• Azure Data Lake Storage Gen2
• Azure Files
• Azure Database for MySQL
• Azure Database for PostgreSQL
• Azure SQL Managed Instance
• Azure Dedicated SQL pool (formerly SQL DW)
• Azure SQL Database
• Azure Synapse Analytics (Workspace)

Known issues

• Data sensitivity information is currently not shared for sources hosted inside virtual machines - like SAP, and Erwin.
• Data sensitivity information is currently not shared for Azure PaaS data sources registered using a connection string.
• Unregistering the data source in Microsoft Purview doesn't remove the data sensitivity enrichment in Microsoft Defender for Cloud.
• Deleting the Microsoft Purview account will persist the data sensitivity enrichment for 30 days in Microsoft Defender for Cloud.
• Custom classifications defined in the Microsoft Purview compliance portal or Microsoft Purview governance portal aren't shared with Microsoft Defender for Cloud.

FAQ

Microsoft Sentinel

Microsoft Sentinel is a scalable, cloud-native, solution for both security information and event management (SIEM), and security orchestration, automation, and response (SOAR). Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for attack detection, threat visibility, proactive hunting, and threat response.

Integrate Microsoft Purview with Microsoft Sentinel to gain visibility into where on your network sensitive information is stored, in a way that helps you prioritize at-risk data for protection, and understand the most critical incidents and threats to investigate in Microsoft Sentinel.

1. Start by ingesting your Microsoft Purview logs into Microsoft Sentinel through a data source.
2. Then use a Microsoft Sentinel workbook to view data such as assets scanned, classifications found, and labels applied by Microsoft Purview.
3. Use analytics rules to create alerts for changes within data sensitivity.

Customize the Microsoft Purview workbook and analytics rules to best suit the needs of your organization, and combine Microsoft Purview logs with data ingested from other sources to create enriched insights within Microsoft Sentinel.