How to set SensitiveInfoDetectionIsIncluded to true so CloudAppEvents schema returns data
Hello,

I have few incidents created for my Purview policies and I see the incidents and alerts in Security.microsoft.com.

I am running the following simple advanced hunting query:

CloudAppEvents | where ActivityType == 'Securityevent'

In the result I see "SensitiveInfoDetectionIsIncluded": false under RawEventData. I understand that as long as this is false, I cannot see the forensic data (violating data) for the incident.

How can I set this value to true, so that I can get the forensic data? My goal is to use the Graph API with advanced hunting to retrieve this data so that I can load it into my application (end-user remediation) as a case and educate the users about the violation.

"RawEventData": {
    "@odata.type": "#microsoft.graph.security.dynamicColumnValue",
    "CreationTime": "2024-07-22T12:46:33.0000000Z",
    "Id": "fff346cc-***",
    "IncidentId": "89630849-***",
    "ObjectId": "<*.*.PROD.OUTLOOK.COM>",
    "Operation": "DlpRuleMatch",
    "OrganizationId": "***",
    "email address removed for privacy reasons": "#Collection(String)",
    "PolicyDetails": [
        "{"PolicyId":"2d7eb..","PolicyName":"generate email incidents with block.","Rules":[{"ActionParameters":["GenerateAlert:true"],"Actions":["BlockAccess","GenerateAlert"],"ConditionsMatched":{"ConditionMatchedInNewScheme":false,"OtherConditions":[{"Name":"From","Value":"0f66…"}]},"ManagementRuleId":"bbe..","RuleId":"101e3f12-…","RuleMode":"Enable","RuleName":"Block emails with keyword","Severity":"Medium"}]}"
    ],
    "email address removed for privacy reasons": "#Int64",
    "RecordType": 13,
    "SensitiveInfoDetectionIsIncluded": false,
    ...
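As an added example (not the poster's code), a small Python helper that builds the request body for the Graph advanced-hunting endpoint with the query above and parses the RawEventData shape shown in the post: it decodes the JSON-encoded strings inside PolicyDetails and reports whether SensitiveInfoDetectionIsIncluded is set, so a remediation workflow knows up front whether the violating content is in the event. The sample response is constructed, the endpoint and permission name are assumed from the Graph security API, and nothing here changes the flag itself.

```python
import json

# Documented Graph endpoint for advanced hunting; the body is built here, not sent.
GRAPH_HUNT_URL = "https://graph.microsoft.com/v1.0/security/runHuntingQuery"
HUNT_QUERY = "CloudAppEvents | where ActivityType == 'Securityevent'"  # the poster's query

def build_request_body(query: str = HUNT_QUERY) -> dict:
    """Body for POST /security/runHuntingQuery (needs the ThreatHunting.Read.All permission)."""
    return {"Query": query}

def parse_dlp_event(raw: dict) -> dict:
    """Flatten one RawEventData object of a DlpRuleMatch row. PolicyDetails is a list of
    JSON *strings* (as in the post), so each entry is decoded a second time."""
    rules = []
    for entry in raw.get("PolicyDetails", []):
        policy = json.loads(entry) if isinstance(entry, str) else entry
        for rule in policy.get("Rules", []):
            rules.append({"policy": policy.get("PolicyName"), "rule": rule.get("RuleName"),
                          "actions": rule.get("Actions", []), "severity": rule.get("Severity")})
    return {
        "id": raw.get("Id"),
        "incident_id": raw.get("IncidentId"),
        "operation": raw.get("Operation"),
        # false: the matched (violating) content is not carried in this event, so a
        # remediation workflow only has the incident id to pivot on.
        "forensics_available": bool(raw.get("SensitiveInfoDetectionIsIncluded", False)),
        "rules": rules,
    }

def parse_hunting_response(resp: dict) -> list:
    """Walk the 'results' rows of a runHuntingQuery response; RawEventData is handled
    whether it arrives as an object or as a JSON string."""
    events = []
    for row in resp.get("results", []):
        raw = row.get("RawEventData", {})
        raw = json.loads(raw) if isinstance(raw, str) else raw
        if raw.get("Operation") == "DlpRuleMatch":
            events.append(parse_dlp_event(raw))
    return events

# Constructed sample modelled on the post's RawEventData (ids shortened, one rule kept).
SAMPLE_RESPONSE = {"results": [{"RawEventData": {
    "Id": "fff346cc-SAMPLE", "IncidentId": "89630849-SAMPLE", "Operation": "DlpRuleMatch",
    "PolicyDetails": [json.dumps({"PolicyId": "2d7eb-SAMPLE",
        "PolicyName": "generate email incidents with block.",
        "Rules": [{"Actions": ["BlockAccess", "GenerateAlert"], "RuleMode": "Enable",
                   "RuleName": "Block emails with keyword", "Severity": "Medium"}]})],
    "RecordType": 13, "SensitiveInfoDetectionIsIncluded": False}}]}

if __name__ == "__main__":
    print(json.dumps(parse_hunting_response(SAMPLE_RESPONSE), indent=2))
```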