Enterprise Recon 2.10.0
Data Classification with MIP
PRO This feature is only available in Enterprise Recon PRO Edition. To find out more about upgrading your ER2 license, please contact Ground Labs Licensing. See Subscription License for more information.
This section covers the following:
- Overview
- How Data Classification with MIP Works
- Requirements
- Supported File Types
- Install the MIP Runtime Package
- Configuring Data Classification with MIP
- Disable Data Classification with MIP
- View Classification Status
- Apply or Remove Classification
Overview
Enterprise Recon seamlessly integrates with Microsoft Information Protection (MIP), enabling you to leverage the sensitive data discovery capabilities in ER2 to better classify, label, and protect sensitive data across your organization.
Once MIP integration is configured, you can view the sensitivity labels for match locations in the Investigate page. The filtering feature lets you easily select match locations with specific classification labels, and take the appropriate remediation or access control action to secure the data.
Sensitivity labels defined by your organization can be applied to supported match locations from the Enterprise Recon web interface and API. This metadata can be propagated to external services, such as data loss prevention (DLP) solutions, to implement additional controls to complete your organization's information protection strategy.
See How Data Classification with MIP Works, Requirements and Supported File Types for more information.
How Data Classification with MIP Works
To integrate Enterprise Recon Data Classification with MIP, you must first perform the required configuration in Microsoft 365, and Set Up MIP Credentials from Settings > Analysis > Classification in ER2. When the Retrieve button is clicked, the selected Windows Agent verifies the credentials by attempting to retrieve the MIP labels published to the provided Microsoft 365 user. The MIP credentials are only stored if the MIP labels are retrieved successfully.
Upon successful configuration of MIP credentials in ER2, MIP label information will be returned in subsequent scans for supported Target locations. ER2 users can then navigate to the Investigate page to view, apply, modify, or remove the MIP classification for match locations.
ER2 periodically retrieves the MIP sensitivity labels every eight hours to always maintain up-to-date information in the datastore. You can trigger a manual refresh of the MIP sensitivity label list by going to Settings > Analysis > Classification and clicking on the Retrieve button. The latest classification information will automatically be reflected for match locations in the Investigate page.
Requirements
Requirements | Description |
---|---|
License | Enterprise Recon PRO license. |
Master Server | Version 2.5.0 and above. |
Node Agents | 64-/32-bit Windows Agents, version 2.5.0 and above. |
MIP Runtime Package | 64-/32-bit MIP runtime package (e.g. er2_2.x.x-windows-xxx_mip-runtime.msi). Select a MIP runtime
installer with the same computing architecture (64-/32-bit) as the installed
Windows Agent. For example, if you have installed a 64-bit Windows Agent,
select and install the 64-bit MIP runtime installer.
See Install the MIP Runtime Package for more information. |
Scan Modes | Data Classification with MIP is supported for match locations that were scanned as:
|
Operating Systems | Data Classification with MIP is supported on all 64-/32-bit Windows versions currently supported by Microsoft. |
File Types | See Supported File Types for more information. |
User Permissions | Manage MIP Credentials
Classify Sensitive Data
View MIP Classification Labels
|
Supported File Types
Enterprise Recon MIP integration supports the following file types:
Classification Action | File Types |
---|---|
Apply classification labels (without encryption) |
|
Apply classification labels (with encryption) that require file protection |
|
See Microsoft 365 - Learn about sensitivity labels for more information.
Install the MIP Runtime Package
- Log in to the ER2 Web Console.
- Go to Settings > Agents > Node Agent Downloads.
- On the Node Agent Downloads page, download the appropriate Windows MIP runtime package (e.g. er2_2.x.x-windows-xxx_mip-runtime.msi). Select a MIP runtime package installer with the same computing architecture (64-/32-bit) as the installed Windows Agent.
- (Optional) Verify the checksum of the downloaded Node Agent package file.
- Run the downloaded installer on the same host as the installed Windows Agent and click Next >.
- In the Choose Setup Type dialog, select Install.
- In the Ready to Install dialog, select Install.
- Click Finish to complete the installation.
See MIP Runtime Package Upgrade for more information.
Configuring Data Classification with MIP
To integrate MIP Classification in ER2, you must:
- Have a valid Office 365 subscription.
- Generate a Client ID.
- Generate a Client Secret Key.
- Set Up MIP Credentials.
Generate a Client ID
- With your administrator account, log in to the Azure app registration portal.
- In the App registrations page, click on + New registration.
-
In the Register an application page, fill in the following fields:
Field Description Name Enter a descriptive display name for ER2. For example, Enterprise Recon. Supported account types Select Accounts in this organizational directory only. - Click Register. A dialog box appears, displaying the overview for the newly registered app, "Enterprise Recon".
- Take down the values for the Application (client) ID. This will be required to Set Up MIP Credentials.
- In the Manage panel, click API permissions.
- In the Configured permissions section, click + Add a permission.
-
In the Request API permissions page, search and select the following permissions for the "Enterprise Recon: app:
API Permission Notes Microsoft APIs > Azure Rights Management Services > Delegated Permissions Check the user_impersonation permission. APIs my organization uses > Microsoft Information Protection Sync Service > Delegated Permissions Check the UnifiedPolicy.User.Read permission. - Click Add permissions.
- In the Configured permissions page, click on Grant admin consent for <organization name>.
- In the Permissions requested Accept for your organization window, click Accept. The Status column for all the newly added API permissions will be updated to "Granted for <organization name>".
Generate a Client Secret Key
- With your administrator account, log in to the Azure app registration portal.
- In the App registrations page, go to the Owner applications tab. Click on the app that you registered when generating a Client ID. For example, "Enterprise Recon".
- In the Manage panel, click Certificates & secrets.
- In the Client secrets section, click + New client secret.
-
In the Add a client secret page, fill in the following fields:
Field Description Description Enter a descriptive label for the Client Secret key. Expires Select a validity period for the Client Secret key. - Click Add. The Value column will contain the Client Secret key.
-
Copy and save the Client Secret key to a secure location. This will be required when you Set Up MIP Credentials.
Save your Client Secret key in a secure location. You cannot access this Client Secret key once you navigate away from the page.
Set Up MIP Credentials
Users with Global Admin and Classification Admin global permissions can set up the MIP credentials in the Settings > Analysis > Classification page.
To set up MIP credentials:
-
Log in to the ER2 Web Console.
-
Go to Settings > Analysis > Classification.
-
Set the toggle button to On.
-
In the Microsoft Information Protection (MIP) section, fill in the following fields:
Field Description Login ID Enter the Microsoft 365 user account that will be used for classification. For example, enterprise-recon-user@example.onmicrosoft.com.
Sensitivity labels that can be retrieved by ER2 depends on the labels that are available in label policies published to the specified user.
The Data Classification with MIP feature in ER2 does not support user accounts with two-factor authentication (2FA) enabled. You are recommended to use a Microsoft service account that does not require 2FA to be enabled when setting up the MIP credentials.App ID Enter the Application (client) ID value obtained when generating a Client ID. For example, myAppId-example-enterpriserecon-1234. App Secret Enter the Client Secret key value obtained when generating a Client Secret Key. For example, myAppSecretKey-enterpriserecon-123. Password Enter the password of the user specified in the Login ID field. Agent Select a Windows Agent with direct internet access. The selected Windows Agent will be used to retrieve classification labels that are published to the user specified in the Login ID field. -
Click Retrieve to verify the MIP credentials and retrieve the sensitivity labels published to the user specified in the Login ID field. MIP credentials are saved (and overwritten) upon successful authentication.
The Retrieve button will only be enabled when there is at least one suitable Windows Agent that is available and connected to the Master Server.
Update MIP Credentials
Users with Global Admin and Classification Admin global permissions can modify the MIP credentials configured in ER2.
To modify the MIP credentials:
-
Log in to the ER2 Web Console.
-
Go to Settings > Analysis > Classification.
-
In the Microsoft Information Protection (MIP) section, edit the following fields:
Field Description Login ID Enter the Microsoft 365 user account that will be used for classification. For example, enterprise-recon-user@example.onmicrosoft.com.
Sensitivity labels that can be retrieved by ER2 depends on the labels that are available in label policies published to the specified user.
The Data Classification with MIP feature in ER2 does not support user accounts with two-factor authentication (2FA) enabled. You are recommended to use a Microsoft service account that does not require 2FA to be enabled when setting up the MIP credentials.App ID Enter the Application (client) ID value obtained when generating a Client ID. For example, myAppId-example-enterpriserecon-1234. App Secret Enter the Client Secret key value obtained when generating a Client Secret Key. For example, myAppSecretKey-enterpriserecon-123. Password Enter the password of the user specified in the Login ID field. Agent Select a Windows Agent with direct internet access. The selected Windows Agent will be used to retrieve classification labels that are published to the user specified in the Login ID field. -
Click Retrieve to verify the updated MIP credentials and retrieve the sensitivity labels published to the user specified in the Login ID field. MIP credentials are saved (and overwritten) upon successful authentication.
The Retrieve button will only be enabled when there is at least one suitable Windows Agent that is available and connected to the Master Server.
Disable Data Classification with MIP
To disable Data Classification integration with MIP:
- Go to Settings > Analysis > Classification.
- Set the toggle button to Off.
View Classification Status
In the Investigate results grid, the MIP Classification status for a supported match location is reflected in the following columns:
Column | Description | Examples |
---|---|---|
MIP Label | Displays the latest MIP sensitivity label applied to the location. If the MIP sensitivity label for a location is applied or modified using ER2, a notification icon will be displayed in this column. If the last-known MIP sensitivity label for a location no longer
corresponds to an active or valid label, the MIP Label column displays the label ID. |
Confidential, Public |
Classification Type | If the location has any MIP sensitivity label applied, this column indicates if the label
was
|
Classified, Discovered |
Status | Displays the status of the most recent Remediation, Access Control, or Classification action performed on the location. | Pending label modification, MIP label modified |
Apply or Remove Classification
You can manually apply or remove the sensitivity classification of a supported match location in ER2.
- Data Classification integration with MIP is disabled, or
- Unsupported Target locations are selected, or
- The user does not have permissions to perform classification actions on one or more selected match locations.
To manually apply or modify the MIP sensitivity label associated with a match location:
- Go to the Investigate page.
-
Select the match location(s) that you want to apply or modify the MIP classification labels for.
A file that is applied with a classification label with protection settings (encryption) can only be decrypted by users that are authorized by the label's encryption settings. - Click the Classify button to bring up the Classify locations with a Sensitivity Label (MIP) dialog box.
- Select a sensitivity label from the dropdown menu to be applied to or modified for the match location(s).
- Enter a name in the Please sign-off to confirm label modification field.
- Enter a reason in the Reason field.
- Click Ok to classify the match location(s) with the selected MIP sensitivity label. Otherwise click Cancel to cancel the data classification operation.
To manually remove the MIP sensitivity label associated with a match location:
- Go to the Investigate page.
- Select the match location(s) that you want to apply or modify the MIP classification labels for.
- Click the Classify button to bring up the Classify locations with a Sensitivity Label (MIP) dialog box.
- Select Remove sensitivity label from the dropdown menu.
- Enter a name in the Please sign-off to confirm label modification field.
- Enter a reason in the Reason field.
- Click Ok to remove the classification for the match location(s). Otherwise click Cancel to cancel the data classification operation.
MIP Runtime Package Upgrade
Upgrade the ER2 Master Server and MIP Runtime Package to the corresponding version to use the features below.
Please see Install the MIP Runtime Package for details on upgrading the MIP Runtime Package.
Feature | Agent Platform | Agent Version |
---|---|---|
Feature: PRO The Data Classification with MIP feature has been updated to the latest version of Microsoft Information Protection SDK. | Windows | 2.7 |
Fix: PRO "File Created" metadata information would be incorrectly updated when applying MIP classification labels to supported file types via the Enterprise Recon web UI and API. | Windows | 2.7 |
Feature: PRO The Data Classification with MIP feature has been enhanced to (i) display clearer messaging when applying classification labels with encryption that require file protection, and (ii) support backward compatibility with earlier Agent versions. This enhancement also requires an Agent Upgrade. | Windows | 2.4 |