Getting started with Microsoft DLP IR integration for data loss prevention

  • Release version: Washingtondc
  • Updated February 1, 2024

    Review the following information before you start setting up your Microsoft DLP IR integration for data loss prevention.

Table 1. Checklist

Setup task: Get the Microsoft Purview credentials to fetch the event data, and the Azure Storage or AWS S3 account credentials to store the match content.
Description:
  Register an application with the Microsoft identity platform. Register the application on the Microsoft Azure platform to obtain the Client ID, Client Secret, and Tenant ID. For the roles required to create an application, see Prerequisites.
  For the API permissions/roles the Azure application needs before it can be configured in the ServiceNow Microsoft DLP integration, see Table 2.
  Permissions required for the Azure user to read, write, and delete blobs on Azure Storage: the Azure user needs the Storage Blob Data Contributor role on the storage account (or on the container) that holds the match content.
  Permissions required for the AWS user to list, read, write, and delete objects in AWS S3 storage: create an IAM policy that grants list, read, write, and delete access to the objects in the S3 bucket, and attach it to the user.

Setup task: Assign and verify the required roles for the ServiceNow AI Platform and Data Loss Administration.
Description: The following roles are required for configuration and for verifying the expected results:
  • The admin role installs the integration from the ServiceNow Store and assigns the sn_dlir.admin role.
  • The sn_dlir.admin role performs the following tasks:
    • Configures the integration.
    • Sets up the incident profiles.

Setup task: Verify that the ServiceNow core applications required by the Microsoft DLP IR integration are installed and activated.
Description: Before you configure this integration, verify that the following DLP IR and Security Support Common applications are installed and activated from the ServiceNow Store. If they are not installed, install and activate them on the instance.
  • Security Support Common
  • Data Loss Prevention Incident Response
Table 2. Required API Permissions/Roles on a Microsoft Azure application

You need the following API permissions/roles on the Microsoft Azure application to configure it in the ServiceNow Microsoft DLP integration. Application permissions (as opposed to delegated ones) only take effect after an administrator grants tenant-wide admin consent; until then the application cannot ingest anything.

API: Office 365 Management API
  Permission name: ActivityFeed.ReadDlp
  Type: Application
  Description: Read DLP policy events, including detected sensitive data.
  Required for: Ingesting DLP events from Microsoft Purview into ServiceNow.
  Note: This permission is mandatory. Without it, no Microsoft data reaches ServiceNow.
  Admin consent required: Yes

API: Microsoft Graph API
  Permission name: Files.Read.All
  Type: Application
  Description: Read files in all site collections that the application can access.
  Required for: Download File, to download onto the ServiceNow instance the OneDrive or SharePoint attachment that caused the DLP event.
  Note: This permission is optional. Skip it if you do not want analysts to download the attachment that caused the DLP event.
  Admin consent required: Yes

API: Microsoft Graph API
  Permission name: Mail.Read
  Type: Application
  Description: Read mail in all mailboxes.
  Required for: Download File, to download onto the ServiceNow instance the Exchange email content (body and attachments) that caused the DLP event.
  Note: This permission is optional. Skip it if you do not want analysts to download the email content (body, attachments) that caused the DLP event.
  Admin consent required: Yes

API: Microsoft Graph API
  Permission name: User.Read
  Type: Delegated
  Description: Sign in and read the user profile. This is the default permission available to every new application.
  Required for: Nothing specific to this integration.
  Admin consent required: No
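A quick way to confirm that the registered application really carries the application permissions from Table 2, and that admin consent has actually been granted, is to request an app-only token for each resource and inspect its roles claim. The following is an added example, not ServiceNow or Microsoft code. It assumes the standard client-credentials grant against the Microsoft identity platform v2.0 token endpoint and the documented behaviour that consented application permissions appear in the access token's "roles" claim (a token with no "roles" claim means consent is missing). The tenant, client ID and secret are read from hypothetical environment variables; the offline sample tokens are constructed and unsigned.

```python
"""Check that an Entra application's app-only tokens carry the Table 2 roles.

Added example (not ServiceNow or Microsoft code). Assumes the v2.0
client-credentials endpoint and that application permissions surface in
the token's "roles" claim once admin consent has been granted.
"""
import base64
import json
import urllib.parse
import urllib.request

O365_MGMT_SCOPE = "https://manage.office.com/.default"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"

# Mandatory application permission from Table 2 (event ingestion).
REQUIRED_ROLES = {O365_MGMT_SCOPE: {"ActivityFeed.ReadDlp"}}
# Optional application permissions from Table 2 (Download File).
OPTIONAL_ROLES = {GRAPH_SCOPE: {"Files.Read.All", "Mail.Read"}}


def get_app_token(tenant_id, client_id, client_secret, scope):
    """Client-credentials grant (network call) returning a raw access token."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": scope,
    }).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def decode_jwt_claims(token):
    """Return the JWT payload WITHOUT verifying the signature.

    Acceptable here only because we inspect a token we just obtained over
    TLS from the issuer to see which roles it lists; we never accept it as
    proof of anyone's identity."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(token, required):
    """Required app roles that the token's 'roles' claim does not contain."""
    granted = set(decode_jwt_claims(token).get("roles", []))
    return set(required) - granted


def check_app_permissions(tokens_by_scope):
    """Map scope -> token. Returns (mandatory_ok, per-scope report)."""
    ok, report = True, {}
    for scope, roles in REQUIRED_ROLES.items():
        missing = missing_roles(tokens_by_scope[scope], roles)
        report[scope] = {"missing": sorted(missing), "mandatory": True}
        ok = ok and not missing
    for scope, roles in OPTIONAL_ROLES.items():
        if scope in tokens_by_scope:
            missing = missing_roles(tokens_by_scope[scope], roles)
            report[scope] = {"missing": sorted(missing), "mandatory": False}
    return ok, report


def make_unsigned_jwt(claims):
    """Constructed, unsigned token used only to exercise the check offline."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


if __name__ == "__main__":
    import os
    env = {k: os.environ.get(k) for k in ("AZ_TENANT_ID", "AZ_CLIENT_ID", "AZ_CLIENT_SECRET")}
    if all(env.values()):
        tokens = {s: get_app_token(env["AZ_TENANT_ID"], env["AZ_CLIENT_ID"],
                                   env["AZ_CLIENT_SECRET"], s)
                  for s in (O365_MGMT_SCOPE, GRAPH_SCOPE)}
    else:
        # Constructed offline sample: DLP ingestion consented, Mail.Read not.
        tokens = {O365_MGMT_SCOPE: make_unsigned_jwt({"roles": ["ActivityFeed.ReadDlp"]}),
                  GRAPH_SCOPE: make_unsigned_jwt({"roles": ["Files.Read.All"]})}
    mandatory_ok, report = check_app_permissions(tokens)
    print("mandatory permissions present:", mandatory_ok)
    print(json.dumps(report, indent=2))
```

Run it once after granting admin consent and before entering the credentials in ServiceNow: an empty "missing" list for the Office 365 Management API scope is the condition for ingestion to work at all, while gaps under the Graph scope only disable the Download File actions.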

Detected Sensitive Information (Optional)

The match content is stored externally in Azure Blob Storage or an Amazon S3 bucket and is pulled from that external storage when a user views an incident.

One of the following permissions is required if users want to view Match Content/Detected Sensitive Information in the DLP Core application:
1. If you are a Microsoft Azure user, you must have the Storage Blob Data Contributor role to read, write, and delete blobs on Azure Storage.
2. If you are an Amazon S3 user, you must create a policy that grants list, read, write, and delete access to the objects in Amazon S3 storage.
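The checklist names the four S3 capabilities the integration needs (list, read, write, delete) but not how to express them without handing the credential every bucket in the account. The following added example, which is not a policy shipped by ServiceNow or AWS, builds the policy scoped to one bucket (and optionally one key prefix) and lints an existing policy for the wildcard grants that commonly get pasted in. The bucket name and prefix are hypothetical.

```python
"""Least-privilege S3 policy for the DLP match-content bucket, plus a linter.

Added example (not ServiceNow or AWS code). Bucket and prefix are hypothetical.
"""
import json

# s3:ListBucket is bucket-level; the object actions are key-level.
BUCKET_ACTIONS = ["s3:ListBucket"]
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]


def match_content_policy(bucket, prefix=""):
    """Return an IAM policy granting list/read/write/delete on one bucket.

    ListBucket must target the bucket ARN, object actions the key ARN.
    With a prefix, both the listing and the object grants are narrowed."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    norm = prefix.strip("/")
    object_arn = f"{bucket_arn}/{norm}/*" if norm else f"{bucket_arn}/*"
    list_stmt = {
        "Sid": "ListMatchContentBucket",
        "Effect": "Allow",
        "Action": BUCKET_ACTIONS,
        "Resource": bucket_arn,
    }
    if norm:
        # Only allow listing keys under the match-content prefix.
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": [f"{norm}/*"]}}
    return {
        "Version": "2012-10-17",
        "Statement": [
            list_stmt,
            {
                "Sid": "ReadWriteDeleteMatchContent",
                "Effect": "Allow",
                "Action": OBJECT_ACTIONS,
                "Resource": object_arn,
            },
        ],
    }


def policy_findings(policy):
    """List grants broader than the integration needs: wildcard actions or
    resources, or S3 actions outside the list/read/write/delete set."""
    needed = set(BUCKET_ACTIONS + OBJECT_ACTIONS)
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        for a in actions:
            if a == "*" or a.endswith("*"):
                findings.append(f"{sid}: wildcard action {a}")
            elif a not in needed:
                findings.append(f"{sid}: action {a} not needed for match content")
        for r in resources:
            if r in ("*", "arn:aws:s3:::*"):
                findings.append(f"{sid}: resource {r} spans every bucket")
    return findings


if __name__ == "__main__":
    scoped = match_content_policy("example-dlp-match-content", "purview/")
    print(json.dumps(scoped, indent=2))
    print("findings on scoped policy:", policy_findings(scoped))
    # Constructed over-broad policy of the kind often copied from a tutorial.
    broad = {"Version": "2012-10-17", "Statement": [
        {"Sid": "All", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
    print("findings on broad policy:", policy_findings(broad))
```

Attach the generated document to the IAM user whose access keys you enter in ServiceNow, and use a dedicated bucket for match content rather than sharing one that holds other data. The same scoping applies on the Azure side: assign Storage Blob Data Contributor at the storage account or container that holds the match content (for example with az role assignment create --role "Storage Blob Data Contributor" --assignee <object-id> --scope <container resource ID>), not at subscription level.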