Azure 信息保护的分析和中央报告(公共预览版)Analytics and central reporting for Azure Information Protection (public preview)

适用范围:Azure 信息保护Applies to: Azure Information Protection

相关内容:AIP 统一标记客户端和经典客户端Relevant for: AIP unified labeling client and classic client*

备注

为了提供统一、简化的客户体验,Azure 门户中的 Azure 信息保护经典客户端和标签管理将于 2021 年 3 月 31 日弃用 。To provide a unified and streamlined customer experience, Azure Information Protection classic client and Label Management in the Azure Portal are being deprecated as of March 31, 2021. 在此时间框架内,所有 Azure 信息保护客户都可以使用 Microsoft 信息保护统一标记平台转换到我们的统一标记解决方案。This time-frame allows all current Azure Information Protection customers to transition to our unified labeling solution using the Microsoft Information Protection Unified Labeling platform. 有关详细信息,请参阅官方弃用通知Learn more in the official deprecation notice.

本文介绍如何将 Azure 信息保护 (AIP) 分析用于中央报告,这可以帮助跟踪对组织数据进行分类和保护的标签的采用情况。This article describes how to use Azure Information Protection (AIP) analytics for central reporting, which can help you track the adoption of your labels that classify and protect your organization's data.

AIP 分析还能让你执行以下步骤:AIP analytics also enable you to do perform the following steps:

  • 监控组织中带标签和受保护的文档以及电子邮件Monitor labeled and protected documents and emails across your organization

  • 标识包含组织中的敏感信息的文档Identify documents that contain sensitive information within your organization

  • 监控用户对带标签文档和电子邮件的访问,并跟踪文档分类更改。Monitor user access to labeled documents and emails, and track document classification changes.

  • 确定包含敏感信息且若未保护则可能给组织带来风险的文档,并按照以下建议缓解风险。Identify documents that contain sensitive information that might be putting your organization at risk if they are not protected, and mitigate your risk by following recommendations.

  • 确定内部或外部用户从 Windows 计算机访问受保护文档的时间,以及是授予还是拒绝访问。Identify when protected documents are accessed by internal or external users from Windows computers, and whether access was granted or denied.

看到的数据是从 Azure 信息保护客户端和扫描程序、从 Microsoft Cloud App Security、从使用 Microsoft Defender 高级威胁防护的 Windows 10 计算机以及从保护使用情况日志聚合而来。The data that you see is aggregated from your Azure Information Protection clients and scanners, from Microsoft Cloud App Security, from Windows 10 computers using Microsoft Defender Advanced Threat Protection, and from protection usage logs.

用于中央报告的 Azure 信息保护分析当前以预览版提供。Azure Information Protection analytics for central reporting is currently in PREVIEW. Azure 预览版补充条款包含适用于 beta 版、预览版或其他尚未正式发布的 Azure 功能的其他法律条款。The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

AIP 报告数据AIP reporting data

例如,用于中央报告的 Azure 信息保护分析会显示以下数据:For example, the Azure Information Protection analytics for central reporting displays the following data:

报表Report 显示的示例数据Sample data shown
使用情况报告Usage report 选择时间段以显示以下任何内容:Select a time period to show any of the following:

- 应用的标签- Which labels are being applied

- 标记的文档和电子邮件数量- How many documents and emails are being labeled

- 保护的文档和电子邮件数量- How many documents and emails are being protected

- 标记文档和电子邮件的用户数量和设备数量- How many users and how many devices are labeling documents and emails

- 用于标记的应用程序- Which applications are being used for labeling
活动日志Activity logs 选择时间段以显示以下任何内容:Select a time period to show any of the following:

- 从扫描的存储库中删除了扫描程序以前发现的哪些文件- Which files previously discovered by scanner were deleted from the scanned repository

- 特定用户执行了哪些标记操作- What labeling actions were performed by a specific user

- 从特定设备执行了哪些标记操作- What labeling actions were performed from a specific device

- 已访问特定标记文档的用户- Which users have accessed a specific labeled document

- 对特定文件路径执行了哪些标记操作- What labeling actions were performed for a specific file path

- 特定应用程序(如文件资源管理器和右键单击、PowerShell、扫描程序或 Microsoft Cloud App Security)执行了哪些标记操作- What labeling actions were performed by a specific application, such File Explorer and right-click, PowerShell, the scanner, or Microsoft Cloud App Security

- 用户成功访问或拒绝用户访问了哪些受保护文档(即使这些用户未安装 Azure 信息保护客户端或在组织外部)- Which protected documents were accessed successfully by users or denied access to users, even if those users don't have the Azure Information Protection client installed or are outside your organization

- 有关更多信息,请进一步查看报告的文件以查看“活动详细信息”- Drill down into reported files to view Activity Details for additional information
数据发现报告Data discovery report - 哪些文件位于扫描的数据存储库、Windows 10 计算机或运行 Azure 信息保护客户端的计算机上- What files are on your scanned data repositories, Windows 10 computers, or computers running the Azure Information Protection clients

- 标记和保护了哪些文件,以及按标签列出的文件位置- Which files are labeled and protected, and the location of files by labels

- 哪些文件包含已知类别的敏感信息(例如财务数据和个人信息),以及按这些类别列出的文件位置- Which files contain sensitive information for known categories, such as financial data and personal information, and the location of files by these categories
建议报告Recommendations report - 标识包含已知敏感信息类型的未受保护文件。- Identify unprotected files that contain a known sensitive information type. 按照建议操作,可立即对其中一个标签配置相应的条件,以应用自动标签或推荐的标签。A recommendation lets you immediately configure the corresponding condition for one of your labels to apply automatic or recommended labeling.
如果遵循建议:在用户下次打开或 Azure 信息保护扫描程序下次扫描文件时,这些文件可自动分类并受到保护。

If you follow the recommendation
: The next time the files are opened by a user or scanned by the Azure Information Protection scanner, the files can be automatically classified and protected.


- 哪些数据存储库的文件具有标识的敏感信息,但未经过 Azure 信息保护扫描。- Which data repositories have files with identified sensitive information but are not being scanned by the Azure Information Protection. 按照建议操作,可立即向扫描程序的某个配置文件添加已标识的数据存储。A recommendation lets you immediately add the identified data store to one of your scanner's profiles.
如果遵循建议:在下一次扫描程序周期,文件可自动分类并受到保护。If you follow the recommendation: On the next scanner cycle, the files can be automatically classified and protected.

报表使用 Azure Monitor 将数据存储在组织拥有的 Log Analytics 工作区中。The reports use Azure Monitor to store the data in a Log Analytics workspace that your organization owns. 如果你熟悉查询语言,可以修改这些查询,并创建新报表和 Power BI 仪表板。If you're familiar with the query language, you can modify the queries, and create new reports and Power BI dashboards. 你可能会发现以下教程有助于了解查询语言:Azure Monitor 日志查询入门You might find the following tutorial helpful to understand the query language: Get started with Azure Monitor log queries.

有关详细信息,请参阅以下博客文章:For more information, read the following blog posts:

收集和发送到 Microsoft 的信息Information collected and sent to Microsoft

为了生成这些报表,终结点将以下类型的信息发送到 Microsoft:To generate these reports, endpoints send the following types of information to Microsoft:

  • 标签操作。The label action. 例如,设置标签、更改标签、添加或删除保护、自动和建议的标签。For example, set a label, change a label, add or remove protection, automatic and recommended labels.

  • 标签操作之前和之后的标签名称。The label name before and after the label action.

  • 组织的租户 ID。Your organization's tenant ID.

  • 用户 ID(电子邮件地址或 UPN)。The user ID (email address or UPN).

  • 用户设备的名称。The name of the user's device.

  • 用户设备的 IP 地址。The IP address of the user's device.

  • 相关进程名称,如 outlook 或 msip.app 。The relevant process name, such as outlook or msip.app.

  • 执行标记的应用程序的名称,如 Outlook 或文件资源管理器 The name of the application that performed the labeling, such as Outlook or File Explorer

  • 对于文档:被标记的文档的文件路径和文件名。For documents: The file path and file name of documents that are labeled.

  • 对于电子邮件:带标签的电子邮件的电子邮件主题和电子邮件发件人。For emails: The email subject and email sender for emails that are labeled.

  • 在内容中已检测到的敏感信息类型(预定义和自定义)。The sensitive information types (predefined and custom) that were detected in content.

  • Azure 信息保护客户端版本。The Azure Information Protection client version.

  • 客户端操作系统版本。The client operating system version.

此信息存储在组织拥有的 Azure Log Analytics 工作区中,并可供有权访问此工作区的用户从 Azure 信息保护独立查看。This information is stored in an Azure Log Analytics workspace that your organization owns and can be viewed independently from Azure Information Protection by users who have access rights to this workspace.

有关详细信息,请参阅:For more details, see:

阻止 AIP 客户端发送审核数据Prevent the AIP clients from sending auditing data

统一标记客户端Unified labeling client

若要阻止 Azure 信息保护统一标记客户端发送审核数据,请配置标签策略高级设置To prevent the Azure Information Protection unified labeling client from sending auditing data, configure a label policy advanced setting.

经典客户端Classic client

若要阻止 Azure 信息保护经典客户端发送此数据,请将“将审核数据发送到 Azure 信息保护分析”的策略设置设置为“关闭”:To prevent the Azure Information Protection classic client from sending this data, set the policy setting of Send audit data to Azure Information Protection analytics to Off:

要求Requirement 说明Instructions
配置大多数用户以发送数据,使一部分用户无法发送数据To configure most users to send data, with a subset of users who cannot send data 在部分用户的作用域内策略中将“将审核数据发送到 Azure 信息保护分析”设置为“关闭”。Set Send audit data to Azure Information Protection analytics to Off in a scoped policy for the subset of users.

此配置专用于生产方案。This configuration is typical for production scenarios.
仅配置发送数据的部分用户To configure only a subset of users who send data 在全局策略中将“将审核数据发送到 Azure 信息保护分析”设置为“关闭”,在部分用户的作用域内策略中设置为“打开” 。Set Send audit data to Azure Information Protection analytics to Off in the global policy, and On in a scoped policy for the subset of users.

此配置专用于测试方案。This configuration is typical for testing scenarios.

更深入分析的内容匹配项Content matches for deeper analysis

Azure 信息保护使你可以收集和存储标识为敏感信息类型(预定义或自定义)的实际数据。Azure Information Protection lets you collect and store the actual data that's identified as being a sensitive information type (predefined or custom). 例如,这可以包括查找到的信用卡号码,以及社会安全号码、护照号码和银行帐户号码。For example, this can include credit card numbers that are found, as well as social security numbers, passport numbers, and bank account numbers. 从“活动日志”中选择条目并查看“活动详细信息”时,会显示内容匹配项 。The content matches are displayed when you select an entry from Activity logs, and view the Activity Details.

默认情况下,Azure 信息保护客户端不发送内容匹配项。By default, Azure Information Protection clients don't send content matches. 若要更改此行为以便发送内容匹配项,请执行以下操作:To change this behavior so that content matches are sent:

客户端Client 说明Instructions
统一标记客户端Unified labeling client 在标签策略中配置高级设置Configure an advanced setting in a label policy.
经典客户端Classic client 选中一个复选框作为 Azure 信息保护分析配置的一部分。Select a checkbox as part of the configuration for Azure Information Protection analytics. 该复选框名为“启用对敏感数据的更深入分析”。The checkbox is named Enable deeper analytics into your sensitive data.

如果希望使用此客户端的大多数用户发送内容匹配项,但部分用户无法发送内容匹配项,请选中该复选框,然后在部分用户的作用域内策略中配置高级客户端设置If you want most users who are using this client to send content matches but a subset of users cannot send content matches, select the checkbox and then configure an advanced client setting in a scoped policy for the subset of users.

先决条件Prerequisites

若要查看 Azure 信息保护报表和创建你自己的报表,请确保满足以下要求。To view the Azure Information Protection reports and create your own, make sure that the following requirements are in place.

要求Requirement 详细信息Details
Azure 订阅An Azure subscription Azure 订阅必须在与 Azure 信息保护相同的租户上包含 Log Analytics。Your Azure subscription must include Log Analytics on the same tenant as Azure Information Protection.

有关详细信息,请参阅 定价页。For more information, see the Azure Monitor pricing page.

如果没有 Azure 订阅或当前未使用 Azure Log Analytics,定价页将包含免费试用版的链接。If you don't have an Azure subscription or you don't currently use Azure Log Analytics, the pricing page includes a link for a free trial.
审核日志记录 URL 网络连接Audit logging URL network connectivity AIP 必须能够访问以下 URL,以便支持 AIP 审核日志:AIP must be able to access the following URLs in order to support AIP audit logs:
- https://*.events.data.microsoft.com
- https://*.aria.microsoft.com(仅限 Android 设备数据)- https://*.aria.microsoft.com (Android device data only)
Azure 信息保护客户端Azure Information Protection client 用于从客户端进行报告。For reporting from the client.

如果尚未安装客户端,则可以从 Microsoft 下载中心下载并安装统一标记客户端。If you don't already have a client installed, you can download and install the unified labeling client from the Microsoft Download Center.

注意:统一标记客户端和经典客户端都受到支持。Note: Both the unified labeling client and the classic client are supported. 若要部署 AIP 经典客户端,请打开支持票证以获取下载访问权限。To deploy the AIP classic client, open a support ticket to get download access.
Azure 信息保护本地扫描程序Azure Information Protection on-premises scanner 用于从本地数据存储进行报告。For reporting from on-premises data stores.

有关详细信息,请参阅部署 Azure 信息保护扫描程序以自动对文件进行分类和保护For more information, see Deploying the Azure Information Protection scanner to automatically classify and protect files.
Microsoft Cloud App Security (MCAS)Microsoft Cloud App Security (MCAS) 用于从基于云的数据存储进行报告。For reporting from cloud-based data stores.

有关详细信息,请参阅 MCAS 文档中的 Azure 信息保护集成For more information, see Azure Information Protection integration in the MCAS documentation.
最低内部版本1809,带有 Microsoft Defender 高级威胁防护 (Microsoft Defender ATP)Minimum build of 1809 with Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) 用于从 Windows 10 计算机进行报告。For reporting from Windows 10 computers.

必须从 Microsoft Defender 安全中心启用 Azure 信息保护集成功能。You must enable the Azure Information Protection integration feature from Microsoft Defender Security Center.

有关详细信息,请参阅 Windows 中的信息保护概述For more information, see Information protection in Windows overview.

Azure 信息保护分析必备的先决条件Permissions required for Azure Information Protection analytics

针对 Azure 信息保护分析,在配置 Azure Log Analytics 工作区后,可以使用安全读取者的 Azure AD 管理员角色替代 Azure 门户中支持管理 Azure 信息保护的其他 Azure AD 角色。Specific to Azure Information Protection analytics, after you have configured your Azure Log Analytics workspace, you can use the Azure AD administrator role of Security Reader as an alternative to the other Azure AD roles that support managing Azure Information Protection in the Azure portal. 仅当租户不在统一标记平台上时,才支持此附加角色。This additional role is supported only if your tenant isn't on the unified labeling platform.

由于 Azure 信息保护分析功能使用 Azure 监视,因此 Azure 的基于角色的访问控制 (RBAC) 也控制对工作区的访问。Because Azure Information Protection analytics uses Azure Monitoring, role-based access control (RBAC) for Azure also controls access to your workspace. 因此,需要 Azure 角色以及 Azure AD 管理员角色来管理 Azure 信息保护分析。You therefore need an Azure role as well as an Azure AD administrator role to manage Azure Information Protection analytics. 如果刚开始接触 Azure 角色,阅读 Azure RBAC 角色与 Azure AD 管理员角色的区别可能会对你有所帮助。If you're new to Azure roles, you might find it useful to read Differences between Azure RBAC roles and Azure AD administrator roles.

有关详情,请参阅:For more information, see:

所需 Azure AD 管理员角色Required Azure AD administrator roles

必须具备以下 Azure AD 管理员角色之一才能访问 Azure 信息保护分析窗格:You must have one of the following Azure AD administrator roles to access the Azure Information Protection analytics pane:

  • 若要创建 Log Analytics 工作区或创建自定义查询,必须具有以下角色之一:To create your Log Analytics workspace or to create custom queries:

    • Azure 信息保护管理员Azure Information Protection administrator
    • 安全管理员Security administrator
    • 法规管理员Compliance administrator
    • 合规性数据管理员Compliance data administrator
    • 全局管理员Global administrator
  • 创建工作区之后,随后可以使用具有较少权限的以下角色来查看所收集的数据:After the workspace has been created, you can then use the following roles with fewer permissions to view the data collected:

    • 安全读取者Security reader
    • 全局读取者Global reader

所需 Azure Log Analytics 角色Required Azure Log Analytics roles

必须具备以下 Azure Log Analytics 角色或标准 Azure 角色之一才能访问 Azure Log Analytics 工作区:You must have one of the following Azure Log Analytics roles or standard Azure roles to access your Azure Log Analytics workspace:

  • 若要创建该工作区或创建自定义查询,必须具有以下角色之一:To create the workspace or to create custom queries, one of the following:

    • Log Analytics 参与者Log Analytics Contributor
    • 参与者Contributor
    • 所有者Owner
  • 创建该工作区后,可以使用具有较少权限的以下角色之一来查看收集的数据:After the workspace has been created, you can then use one of the following roles with fewer permissions to view the data collected:

    • Log Analytics 读者Log Analytics Reader
    • 读者Reader

查看报表至少需要的角色Minimum roles to view the reports

为 Azure 信息保护分析配置工作区后,查看 Azure 信息保护分析报表至少需要具备以下两种角色:After you have configured your workspace for Azure Information Protection analytics, the minimum roles needed to view the Azure Information Protection analytics reports are both of the following:

  • Azure AD 管理员角色:安全读取者Azure AD administrator role: Security reader
  • Azure 角色:Log Analytics 读者Azure role: Log Analytics Reader

但是,许多组织的典型角色分配是 Azure AD 角色“安全读取者”以及 Azure 角色“读取者”。However, a typical role assignment for many organizations is the Azure AD role of Security reader and the Azure role of Reader.

存储要求和数据保留Storage requirements and data retention

对于每个租户,在 Azure 信息保护工作区中收集和存储的数据量会因各种因素(例如所拥有的 Azure 信息保护客户端和其他受支持终结点数量、是否在收集终结点发现数据、是否部署了扫描程序、所访问的受保护文档数量等)而相差很大。The amount of data collected and stored in your Azure Information Protection workspace will vary significantly for each tenant, depending on factors such as how many Azure Information Protection clients and other supported endpoints you have, whether you're collecting endpoint discovery data, you've deployed scanners, the number of protected documents that are accessed, and so on.

然而作为起点,你可能会发现以下估计值非常有用:However, as a starting point, you might find the following estimates useful:

  • 仅对于 Azure 信息保护客户端生成的审核数据:每月每 10,000 个活动用户 2 GB。For audit data generated by Azure Information Protection clients only: 2 GB per 10,000 active users per month.

  • 对于 Azure 信息保护客户端、扫描程序和 Microsoft Defender ATP 生成的审核数据:每月每 10,000 个活动用户 20 GB。For audit data generated by Azure Information Protection clients, scanners, and Microsoft Defender ATP: 20 GB per 10,000 active users per month.

如果你使用强制标记,或者为大多数用户配置了默认标签,则费率可能会显著提高。If you use mandatory labeling or you've configured a default label for most users, your rates are likely to be significantly higher.

Azure Monitor 日志具有“使用情况和估计成本”功能,可帮助估计和查看存储的数据量,你还可以控制 Log Analytics 工作区的数据保留期。Azure Monitor Logs has a Usage and estimated costs feature to help you estimate and review the amount of data stored, and you can also control the data retention period for your Log Analytics workspace. 有关详细信息,请参阅通过 Azure Monitor 日志管理使用情况和成本For more information, see Manage usage and costs with Azure Monitor Logs.

配置报表的 Log Analytics 工作区Configure a Log Analytics workspace for the reports

备注

Azure 中国门户尚不支持 Azure 信息保护,你可以使用 Azure Information Protection PowerShell commands 实现相同的功能。Azure Information Protection is not currently supported on Azure China portal. You can achieve the same functionality using the Azure Information Protection PowerShell commands.

  1. 如果尚未这样做,请打开新的浏览器窗口,使用拥有执行 Azure 信息保护分析所需权限的帐户登录 Azure 门户If you haven't already done so, open a new browser window and sign in to the Azure portal with an account that has the permissions required for Azure Information Protection analytics. 然后导航到“Azure 信息保护”窗格。Then navigate to the Azure Information Protection pane.

    例如,在资源、服务和文档的搜索框中:开始键入“信息”并选择“Azure 信息保护”。For example, in the search box for resources, services, and docs: Start typing Information and select Azure Information Protection.

  2. 找到“管理”菜单选项,然后选择“配置分析(预览版)” 。Locate the Manage menu options, and select Configure analytics (Preview).

  3. 在“Azure 信息保护日志分析”窗格上,可以看到由你的租户拥有的任何 Log Analytics 工作区的列表。On the Azure Information Protection log analytics pane, you see a list of any Log Analytics workspaces that are owned by your tenant. 执行下列操作之一:Do one of the following:

    • 若要新建 Log Analytics 工作区:选择“新建工作区”,并在“Log Analytics 工作区”窗格上提供所需信息 。To create a new Log Analytics workspace: Select Create new workspace, and on the Log analytics workspace pane, supply the requested information.

    • 若要使用现有 Log Analytics 工作区:从列表中选择工作区。To use an existing Log Analytics workspace: Select the workspace from the list.

    如果需要关于创建 Log Analytics 工作区的帮助,请参阅在 Azure 门户中创建 Log Analytics 工作区If you need help with creating the Log Analytics workspace, see Create a Log Analytics workspace in the Azure portal.

  4. 仅限 AIP 经典客户端:如果要存储标识为敏感信息类型的实际数据,请选中复选框“启用对敏感数据的更深入分析” 。AIP classic client only: Select the checkbox Enable deeper analytics into your sensitive data if you want to store the actual data that's identified as being a sensitive information type.

    有关此设置的详细信息,请参阅此页上的更深入分析的内容匹配项部分。For more information about this setting, see the Content matches for deeper analysis section on this page.

  5. 选择“确定”。Select OK.

你现在可以查看报告。You're now ready to view the reports.

查看 AIP 分析报告View the AIP analytics reports

在“Azure 信息保护”窗格中,找到“仪表板”菜单选项,然后选择下列选项之一:From the Azure Information Protection pane, locate the Dashboards menu options, and select one of the following options:

报表Report 说明Description
使用情况报告(预览版)Usage report (Preview) 使用此报表查看标签是如何使用的。Use this report to see how your labels are being used.
活动日志(预览版)Activity logs (Preview) 使用此报表查看用户执行的标记操作,以及设备上和对文件路径执行的标记操作。Use this report to see labeling actions from users, and on devices and file paths. 此外,对于受保护文档,可以查看在组织内部和外部的用户进行的访问尝试(成功或拒绝),即使他们没有安装 Azure 信息保护客户端。In addition, for protected documents, you can see access attempts (successful or denied) for users both inside and outside your organization, even if they don't have the Azure Information Protection client installed.

此报表有“列”选项,可用于显示比默认显示更多的活动信息。This report has a Columns option that lets you display more activity information than the default display. 还可以选择它来显示“活动详细信息”,方便查看文件相关的更多详细信息。You can also see more details about a file by selecting it to display Activity Details.
数据发现(预览版)Data discovery (Preview) 使用此报表查看扫描程序发现的带标签文件和受支持的终结点的相关信息。Use this report to see information about labeled files found by scanners and supported endpoints.

提示:在收集的信息中,你可能会发现用户从你不知道或当前未扫描的位置访问包含敏感信息的文件:Tip: From the information collected, you might find users accessing files that contain sensitive information from location that you didn't know about or aren't currently scanning:

- 如果位置是在本地,请考虑将位置添加为 Azure 信息保护扫描程序的其他数据存储库。- If the locations are on-premises, consider adding the locations as additional data repositories for the Azure Information Protection scanner.
- 如果这些位置在云中,请考虑使用 Microsoft Cloud App Security 对其进行管理。- If the locations are in the cloud, consider using Microsoft Cloud App Security to manage them.
建议(预览版)Recommendations (Preview) 使用此报告来确定包含敏感信息的文件,并按照建议缓解风险。Use this report to identify files that have sensitive information and mitigate your risk by following the recommendations.

选择项目时,“查看数据”选项将显示触发了建议的审核活动。When you select an item, the View data option displays the audit activities that triggered the recommendation.

修改 AIP 分析报告并创建自定义查询Modify the AIP analytics reports and create custom queries

选择仪表板中的查询图标以打开“日志搜索”窗格:Select the query icon in the dashboard to open a Log Search pane:

自定义 Azure 信息保护报表的 Log Analytics 图标

Azure 信息保护的记录数据存储在下表中:InformationProtectionLogs_CLThe logged data for Azure Information Protection is stored in the following table: InformationProtectionLogs_CL

创建你自己的查询时,请使用已作为 InformationProtectionEvents 函数实现的友好架构名称。When you create your own queries, use the friendly schema names that have been implemented as InformationProtectionEvents functions. 这些函数派生自自定义查询支持的属性(某些属性仅供内部使用),它们的名称不会随时间的推移而发生更改,即使在更改基础属性以实现改进功能和新功能时也不例外。These functions are derived from the attributes that are supported for custom queries (some attributes are for internal use only) and their names will not change over time, even if the underlying attributes change for improvements and new functionality.

事件函数的友好架构参考Friendly schema reference for event functions

使用下表来标识可用于通过 Azure 信息保护分析进行自定义查询的事件函数的友好名称。Use the following table to identify the friendly name of event functions that you can use for custom queries with Azure Information Protection analytics.

列名称Column name 说明Description
时间Time 事件时间:UTC,格式为 YYYY-MM-DDTHH:MM:SSEvent time: UTC in format YYYY-MM-DDTHH:MM:SS
用户User 用户:格式为 UPN 或“域\用户”User: Format UPN or DOMAIN\USER
ItemPathItemPath 完整项目路径或电子邮件主题Full item path or email subject
ItemNameItemName 文件名或电子邮件主题File name or email subject
方法Method 标签分配方法:Manual、Automatic、Recommended、Default 或 MandatoryLabel assigned method: Manual, Automatic, Recommended, Default, or Mandatory
活动Activity 审核活动: DowngradeLabel、UpgradeLabel、RemoveLabel、NewLabel、Discover、Access、RemoveCustomProtection、ChangeCustomProtection、NewCustomProtection 或 FileRemovedAudit activity: DowngradeLabel, UpgradeLabel, RemoveLabel, NewLabel, Discover, Access, RemoveCustomProtection, ChangeCustomProtection, NewCustomProtection, or FileRemoved
ResultStatusResultStatus 操作的结果状态:Result status of the action:

Succeeded 或 Failed(仅由 AIP 扫描程序报告)Succeeded or Failed (reported by AIP scanner only)
ErrorMessage_sErrorMessage_s 如果 ResultStatus=Failed,则包括错误消息详细信息。Includes Error message details if ResultStatus=Failed. 仅由 AIP 扫描程序报告Reported by AIP scanner only
LabelNameLabelName 标签名称(未本地化)Label name (not localized)
LabelNameBeforeLabelNameBefore 更改前的标签名称(未本地化)Label name before change (not localized)
ProtectionTypeProtectionType 保护类型 [JSON]Protection type [JSON]
{{
"Type": ["Template", "Custom", "DoNotForward"],"Type": ["Template", "Custom", "DoNotForward"],
"TemplateID": "GUID""TemplateID": "GUID"
}}
ProtectionBeforeProtectionBefore 更改前的保护类型 [JSON]Protection type before change [JSON]
MachineNameMachineName FQDN(可用时);否则为主机名FQDN when available; otherwise host name
DeviceRiskDeviceRisk 来自 WDATP 的设备风险评分(可用时)Device risk score from WDATP when available
平台Platform 设备平台(Win、OSX、Android、iOS)Device platform (Win, OSX, Android, iOS)
ApplicationNameApplicationName 应用程序友好名称Application friendly name
AIPVersionAIPVersion 执行审核操作的 Azure 信息保护客户端的版本Version of the Azure Information Protection client that performed the audit action
TenantIdTenantId Azure AD 租户 IDAzure AD tenant ID
AzureApplicationIdAzureApplicationId Azure AD 注册的应用程序 ID (GUID)Azure AD registered application ID (GUID)
ProcessNameProcessName 承载 MIP SDK 的进程Process that hosts MIP SDK
LabelIdLabelId 标签 GUID 或 nullLabel GUID or null
IsProtectedIsProtected 是否受保护:Yes/NoWhether protected: Yes/No
ProtectionOwnerProtectionOwner UPN 格式的 Rights Management 所有者Rights Management owner in UPN format
LabelIdBeforeLabelIdBefore 更改前的标签 GUID 或 nullLabel GUID or null before change
InformationTypesAbove55InformationTypesAbove55 在数据中发现的 SensitiveInformation 的 JSON 数组(置信度为 55 或更高)JSON array of SensitiveInformation found in data with confidence level 55 or above
InformationTypesAbove65InformationTypesAbove65 在数据中发现的 SensitiveInformation 的 JSON 数组(置信度为 65 或更高)JSON array of SensitiveInformation found in data with confidence level 65 or above
InformationTypesAbove75InformationTypesAbove75 在数据中发现的 SensitiveInformation 的 JSON 数组(置信度为 75 或更高)JSON array of SensitiveInformation found in data with confidence level 75 or above
InformationTypesAbove85InformationTypesAbove85 在数据中发现的 SensitiveInformation 的 JSON 数组(置信度为 85 或更高)JSON array of SensitiveInformation found in data with confidence level 85 or above
InformationTypesAbove95InformationTypesAbove95 在数据中发现的 SensitiveInformation 的 JSON 数组(置信度为 95 或更高)JSON array of SensitiveInformation found in data with confidence level 95 or above
DiscoveredInformationTypesDiscoveredInformationTypes 在数据中发现的 SensitiveInformation 的 JSON 数组及其匹配内容(如果已启用),其中空数组表示未发现任何信息类型,null 表示无可用信息JSON array of SensitiveInformation found in data and their matched content (if enabled) where an empty array means no information types found, and null means no information available
ProtectedBeforeProtectedBefore 内容在更改前是否受保护:Yes/NoWhether the content was protected before change: Yes/No
ProtectionOwnerBeforeProtectionOwnerBefore 更改前的 Rights Management 所有者Rights Management owner before change
UserJustificationUserJustification 降级或删除标签时的理由Justification when downgrading or removing label
LastModifiedByLastModifiedBy 上次修改文件的用户(UPN 格式)。User in UPN format who last modified the file. 仅可用于 Office 和 SharePointAvailable for Office and SharePoint only
LastModifiedDateLastModifiedDate UTC,格式为 YYYY-MM-DDTHH:MM:SS:仅可用于 Office 和 SharePointUTC in format YYYY-MM-DDTHH:MM:SS: Available for Office and SharePoint only

使用 InformationProtectionEvents 的示例Examples using InformationProtectionEvents

使用以下示例了解如何使用友好的架构来创建自定义查询。Use the following examples to see how you might use the friendly schema to create custom queries.

示例 1:返回在过去 31 天内发送审核数据的所有用户Example 1: Return all users who sent audit data in the last 31 days
InformationProtectionEvents 
| where Time > ago(31d) 
| distinct User 
示例 2:返回在过去 31 天内每天降级的标签数Example 2: Return the number of labels that were downgraded per day in the last 31 days
InformationProtectionEvents 
| where Time > ago(31d) 
| where Activity == "DowngradeLabel"  
| summarize Label_Downgrades_per_Day = count(Activity) by bin(Time, 1d) 
 
示例 3:返回在过去 31 天内用户从“机密”降级的标签数Example 3: Return the number of labels that were downgraded from Confidential by user, in the last 31 days

InformationProtectionEvents 
| where Time > ago(31d) 
| where Activity == "DowngradeLabel"  
| where LabelNameBefore contains "Confidential" and LabelName !contains "Confidential"  
| summarize Label_Downgrades_by_User = count(Activity) by User | sort by Label_Downgrades_by_User desc 

在此示例中,仅当操作前的标签名包含名称“机密”且操作后的标签名不包含名称“机密”时,才会对降级的标签计数。In this example, a downgraded label is counted only if the label name before the action contained the name Confidential and the label name after the action didn't contain the name of Confidential.

后续步骤Next steps

查看报告中的信息后,如果使用的是 Azure 信息保护客户端,则可以决定对标记策略进行更改。After reviewing the information in the reports, if you are using the Azure Information Protection client, you might decide to make changes to your labeling policy.

  • 统一标记客户端:在标记管理中心(包括 Microsoft 365 安全中心、Microsoft 365 合规中心或 Microsoft 365 安全与合规中心)对标记策略进行更改。Unified labeling client: Make changes to your labeling policy in your labeling admin center, including the Microsoft 365 security center, Microsoft 365 compliance center, or the Microsoft 365 Security & Compliance Center. 有关详细信息,请参阅 Microsoft 365 文档For more information, see the Microsoft 365 documentation.

  • 经典客户端:在 Azure 门户中对策略进行更改。Classic client: Make changes to your policy in the Azure portal. 有关详细信息,请参阅配置 Azure 信息保护策略For more information, see Configuring the Azure Information Protection policy.

如果你有 Microsoft 365 订阅,则还可以在 Microsoft 365 合规中心和 Microsoft 365 安全中心中查看标签使用情况。If you have a Microsoft 365 subscription, you can also view label usage in the Microsoft 365 compliance center and Microsoft 365 security center. 有关详细信息,请参阅使用标签分析查看标签使用情况For more information, see View label usage with label analytics.

AIP 审核日志还将发送到 Microsoft 365 活动资源管理器中,在其中可能会以不同的名称显示。AIP audit logs are also sent to the Microsoft 365 Activity Explorer, where they may be displayed with different names. 有关详情,请参阅:For more information, see: