Enterprise Recon 2.8.0

Data Classification with MIP

PRO This feature is only available in Enterprise Recon PRO Edition. To find out more about upgrading your ER2 license, please contact Ground Labs Licensing. See Subscription License for more information.


This section covers the following:

  • Overview
  • How Data Classification with MIP Works
  • Requirements
  • Supported File Types
  • Install the MIP Runtime Package
  • Configuring Data Classification with MIP
  • View Classification Status
  • Apply or Remove Classification
  • MIP Runtime Package Upgrade

Overview

Enterprise Recon seamlessly integrates with Microsoft Information Protection (MIP), enabling you to leverage the sensitive data discovery capabilities in ER2 to better classify, label, and protect sensitive data across your organization.

Once MIP integration is configured, you can view the sensitivity labels for match locations in the Investigate page. The filtering feature lets you easily select match locations with specific classification labels, and take the appropriate remediation or access control action to secure the data.

Sensitivity labels defined by your organization can be applied to supported match locations from the Enterprise Recon web interface and API. This metadata can be propagated to external services, such as data loss prevention (DLP) solutions, to implement additional controls to complete your organization's information protection strategy.

See How Data Classification with MIP Works, Requirements and Supported File Types for more information.

How Data Classification with MIP Works

Enterprise Recon Classification with MIP workflow.

To integrate Enterprise Recon Data Classification with MIP, you must first perform the required configuration in Microsoft 365, and Set Up MIP Credentials from Settings > Analysis > Classification in ER2. When the Retrieve button is clicked, the selected Windows Agent verifies the credentials by attempting to retrieve the MIP labels published to the provided Microsoft 365 user. The MIP credentials are only stored if the MIP labels are retrieved successfully.

Upon successful configuration of MIP credentials in ER2, MIP label information will be returned in subsequent scans for supported Target locations. ER2 users can then navigate to the Investigate page to view, apply, modify, or remove the MIP classification for match locations.

ER2 refreshes the MIP sensitivity label list every eight hours so that the label information in the datastore stays current. To refresh the list immediately, go to Settings > Analysis > Classification and click Retrieve. The latest classification information is then reflected automatically for match locations in the Investigate page.

Requirements

Requirements Description
License Enterprise Recon PRO license.
Master Server Version 2.5.0 and above.
Node Agents 64-/32-bit Windows Agents, version 2.5.0 and above.
MIP Runtime Package 64-/32-bit MIP runtime package (e.g. er2_2.x.x-windows-xxx_mip-runtime.msi). Select a MIP runtime installer with the same computing architecture (64-/32-bit) as the installed Windows Agent. For example, if you have installed a 64-bit Windows Agent, select and install the 64-bit MIP runtime installer.

See Install the MIP Runtime Package for more information.

Scan Modes Data Classification with MIP is supported for match locations that were scanned as:
Operating Systems Data Classification with MIP is supported on all 64-/32-bit Windows versions currently supported by Microsoft.
File Types See Supported File Types for more information.
User Permissions

Manage MIP Credentials

  • Global Admin and Classification Admin users have permissions to set up and modify the MIP credentials in the Settings > Analysis > Classification page. See Global Permissions for more information.

Classify Sensitive Data

  • Global Admin users can manually assign classification labels to all Targets and locations from the Investigate page.
  • Classification Admin users can manually assign classification labels to all Targets and locations for which they have permissions to in the Investigate page.
  • All users can manually assign classification labels to Targets and locations for which they are granted Classification Resource Permissions.

View MIP Classification Labels

Supported File Types

Enterprise Recon MIP integration supports the following file types:

Classification Action File Types
Apply classification labels (without encryption)
Apply classification labels (with encryption) that require file protection

See Microsoft 365 - Learn about sensitivity labels for more information.

Install the MIP Runtime Package

  1. Log in to the ER2 Web Console.
  2. Go to Settings > Agents > Node Agent Downloads.
  3. On the Node Agent Downloads page, download the appropriate Windows MIP runtime package (e.g. er2_2.x.x-windows-xxx_mip-runtime.msi). Select a MIP runtime package installer with the same computing architecture (64-/32-bit) as the installed Windows Agent.
  4. (Optional) Verify the checksum of the downloaded MIP runtime package file before running it.
  5. Run the downloaded installer on the same host as the installed Windows Agent and click Next >.
  6. In the Choose Setup Type dialog, select Install.
  7. In the Ready to Install dialog, select Install.
  8. Click Finish to complete the installation.

See MIP Runtime Package Upgrade for more information.
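The install steps above, scripted, as an added example that is not Ground Labs code. It enforces the two checks the steps call for (package checksum, and the same 64-/32-bit architecture as the installed Windows Agent) before running the MSI silently. The `x64`/`x86` part of the package file name, the hash algorithm (SHA-256) and the function name are assumptions; adjust them to what your Node Agent Downloads page shows.

```powershell
# Added example (not Ground Labs code): scripted version of the Install the MIP
# Runtime Package steps for a host that already has the Windows Agent. It checks
# the package hash and that the package bitness matches the Agent before running
# msiexec silently. Assumptions are marked in comments.
function Install-Er2MipRuntime {
    [CmdletBinding()]
    param(
        # Path to the downloaded package, e.g. .\er2_2.x.x-windows-x64_mip-runtime.msi
        # (the x64/x86 part of the name is an assumption; adjust to what the console shows).
        [Parameter(Mandatory)] [string] $PackagePath,
        # Hash published for the package on the Node Agent Downloads page (assumed SHA-256).
        [Parameter(Mandatory)] [string] $ExpectedSha256,
        # Bitness of the Windows Agent already installed on this host.
        [Parameter(Mandatory)] [ValidateSet('x64', 'x86')] [string] $AgentArchitecture,
        [string] $LogPath = (Join-Path $env:TEMP 'er2-mip-runtime-install.log')
    )
    $ErrorActionPreference = 'Stop'

    # msiexec needs an elevated session to install a machine-wide package.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (Administrator) PowerShell session.'
    }

    # 1. Integrity: refuse to run an installer whose hash does not match the published value.
    $actual = (Get-FileHash -Path $PackagePath -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.Trim().ToUpperInvariant()) {
        throw "Checksum mismatch for ${PackagePath}: expected $ExpectedSha256, got $actual"
    }

    # 2. Bitness: the runtime must match the installed Agent, not the operating system.
    $name = [IO.Path]::GetFileName($PackagePath)
    $packageArch = if ($name -match 'x64') { 'x64' } elseif ($name -match 'x86') { 'x86' } else {
        throw "Cannot tell the bitness of '$name' from its file name; pass the correct package."
    }
    if ($packageArch -ne $AgentArchitecture) {
        throw "Package is $packageArch but the installed Windows Agent is $AgentArchitecture."
    }

    # 3. Silent install with a verbose log. Exit code 3010 means installed, reboot pending.
    $msiArgs = @('/i', "`"$PackagePath`"", '/qn', '/norestart', '/l*v', "`"$LogPath`"")
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { Write-Host "Installed $name (log: $LogPath)" }
        3010    { Write-Warning "Installed $name; a reboot is required (log: $LogPath)" }
        default { throw "msiexec exited with $($proc.ExitCode); see $LogPath" }
    }
}

# Example call (values are placeholders):
# Install-Er2MipRuntime -PackagePath .\er2_2.8.0-windows-x64_mip-runtime.msi `
#     -ExpectedSha256 '<hash from the Node Agent Downloads page>' -AgentArchitecture x64
```

The bitness check is deliberately driven by the Agent you installed rather than by the operating system, because a 32-bit Agent on a 64-bit Windows host still needs the 32-bit runtime.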

Configuring Data Classification with MIP

To integrate MIP Classification in ER2, you must:

  1. Have a valid Office 365 subscription.
  2. Generate a Client ID.
  3. Generate a Client Secret Key.
  4. Set Up MIP Credentials.

Generate a Client ID

  1. With your administrator account, log in to the Azure app registration portal.
  2. In the App registrations page, click on + New registration.
  3. In the Register an application page, fill in the following fields:

    Field Description
    Name Enter a descriptive display name for ER2. For example, Enterprise Recon.
    Supported account types Select Accounts in this organizational directory only.
  4. Click Register. A dialog box appears, displaying the overview for the newly registered app, "Enterprise Recon".
  5. Take down the values for the Application (client) ID. This will be required to Set Up MIP Credentials.
  6. In the Manage panel, click API permissions.
  7. In the Configured permissions section, click + Add a permission.
  8. In the Request API permissions page, search for and select the following permissions for the "Enterprise Recon" app:

    API Permission Notes
    Microsoft APIs > Azure Rights Management Services > Delegated Permissions Check the user_impersonation permission.
    APIs my organization uses > Microsoft Information Protection Sync Service > Delegated Permissions Check the UnifiedPolicy.User.Read permission.
  9. Click Add permissions.
  10. In the Configured permissions page, click on Grant admin consent for <organization name>.
  11. In the Permissions requested Accept for your organization window, click Accept. The Status column for all the newly added API permissions will be updated to "Granted for <organization name>".

Generate a Client Secret Key

  1. With your administrator account, log in to the Azure app registration portal.
  2. In the App registrations page, go to the Owned applications tab. Click on the app that you registered when generating a Client ID. For example, "Enterprise Recon".
  3. In the Manage panel, click Certificates & secrets.
  4. In the Client secrets section, click + New client secret.
  5. In the Add a client secret page, fill in the following fields:

    Field Description
    Description Enter a descriptive label for the Client Secret key.
    Expires Select a validity period for the Client Secret key. Note the expiry date: once the secret expires, ER2 can no longer authenticate to retrieve labels, so create a new secret and enter it in ER2 (see Update MIP Credentials) before then.
  6. Click Add. The Value column will contain the Client Secret key.
    Newly created Client Secret key for the Enterprise Recon app.
  7. Copy and save the Client Secret key to a secure location now. The portal shows the value only once, immediately after creation; it cannot be retrieved later and you would have to create a new secret. This value will be required when you Set Up MIP Credentials.
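The Generate a Client ID and Generate a Client Secret Key procedures above, done with the Microsoft Graph PowerShell SDK instead of the portal, as an added example that is not Ground Labs code. It registers a single-tenant app, adds exactly the two delegated permissions the page lists, grants tenant-wide admin consent, and creates a short-lived secret. The service principal display names `Microsoft Rights Management Services` and `Microsoft Information Protection Sync Service`, the secret lifetime and the helper name are assumptions; verify the names against what your tenant lists.

```powershell
# Added example (not Ground Labs code): the portal steps for the app registration,
# API permissions, admin consent and client secret done with the Microsoft Graph
# PowerShell SDK (Install-Module Microsoft.Graph). Run as an Entra ID admin.
$ErrorActionPreference = 'Stop'
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'DelegatedPermissionGrant.ReadWrite.All' -NoWelcome

function Get-RequiredScope {
    # Looks up the service principal that exposes a delegated permission and the
    # scope object itself, so no GUIDs have to be hard-coded.
    param([string] $ResourceDisplayName, [string] $ScopeValue)
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$ResourceDisplayName'" | Select-Object -First 1
    if (-not $sp) { throw "Service principal '$ResourceDisplayName' not found in this tenant" }
    $scope = $sp.Oauth2PermissionScopes | Where-Object Value -eq $ScopeValue
    if (-not $scope) { throw "Scope '$ScopeValue' is not exposed by '$ResourceDisplayName'" }
    [pscustomobject]@{ ServicePrincipal = $sp; Scope = $scope }
}

# Display names as shown in the portal's API picker (assumption: verify in your tenant).
$rms  = Get-RequiredScope 'Microsoft Rights Management Services' 'user_impersonation'
$sync = Get-RequiredScope 'Microsoft Information Protection Sync Service' 'UnifiedPolicy.User.Read'

# Register the app for this directory only, with only the two delegated permissions needed.
$app = New-MgApplication -DisplayName 'Enterprise Recon' -SignInAudience 'AzureADMyOrg' -RequiredResourceAccess @(
    @{ ResourceAppId = $rms.ServicePrincipal.AppId;  ResourceAccess = @(@{ Id = $rms.Scope.Id;  Type = 'Scope' }) },
    @{ ResourceAppId = $sync.ServicePrincipal.AppId; ResourceAccess = @(@{ Id = $sync.Scope.Id; Type = 'Scope' }) }
)
$appSp = New-MgServicePrincipal -AppId $app.AppId

# Tenant-wide admin consent for the delegated permissions (the portal's "Grant admin consent").
foreach ($r in @($rms, $sync)) {
    New-MgOauth2PermissionGrant -BodyParameter @{
        ClientId    = $appSp.Id
        ConsentType = 'AllPrincipals'
        ResourceId  = $r.ServicePrincipal.Id
        Scope       = $r.Scope.Value
    } | Out-Null
}

# Client secret with a short validity (assumed 6 months); rotate it in ER2 before it expires.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = 'ER2 MIP credential'
    EndDateTime = (Get-Date).AddMonths(6)
}

# The secret value is returned once, here. ER2 needs both values in Set Up MIP Credentials.
[pscustomobject]@{
    AppId     = $app.AppId          # App ID field
    AppSecret = $secret.SecretText  # App Secret field: store it in a vault, not in console history
    Expires   = $secret.EndDateTime
}
```

Granting consent with `ConsentType = 'AllPrincipals'` is what makes the Status column read "Granted for <organization name>" in the portal; without it the service account would be prompted for consent on first use, which ER2 cannot complete.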

Set Up MIP Credentials

Users with Global Admin and Classification Admin global permissions can set up the MIP credentials in the Settings > Analysis > Classification page.

To set up MIP credentials:

  1. Log in to the ER2 Web Console.

  2. Go to Settings > Analysis > Classification.

  3. Set the toggle button to On.

  4. In the Microsoft Information Protection (MIP) section, fill in the following fields:

    Field Description
    Login ID

    Enter the Microsoft 365 user account that will be used for classification. For example, enterprise-recon-user@example.onmicrosoft.com.

    The sensitivity labels that ER2 can retrieve depend on the labels in the label policies published to the specified user.

    ER2 authenticates with this account's password, so the Data Classification with MIP feature does not support user accounts with two-factor authentication (2FA) enabled. Use a dedicated Microsoft 365 service account that is exempt from 2FA, give it no roles beyond those needed to read labels, and publish to it only the label policies that ER2 should be able to apply.
    App ID Enter the Application (client) ID value obtained when generating a Client ID. For example, myAppId-example-enterpriserecon-1234.
    App Secret Enter the Client Secret key value obtained when generating a Client Secret Key. For example, myAppSecretKey-enterpriserecon-123.
    Password Enter the password of the user specified in the Login ID field.
    Agent Select a Windows Agent with direct internet access. The selected Windows Agent will be used to retrieve classification labels that are published to the user specified in the Login ID field.
  5. Click Retrieve to verify the MIP credentials and retrieve the sensitivity labels published to the user specified in the Login ID field. MIP credentials are saved (and overwritten) upon successful authentication.
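A preflight check for the four values entered above, as an added example that is not Ground Labs code. It requests a token for the Login ID the way a password-based client does and maps the Entra ID error codes a practitioner meets here (in particular the MFA challenge that the 2FA note describes) to the field or policy to fix. It assumes ER2 uses the OAuth 2.0 resource owner password credentials grant (the page does not name the flow) and that the resource to request is Azure Rights Management (`https://aadrm.com`); the function name is also an assumption. Run it on the Windows Agent host you intend to select, so it exercises that host's internet access as well.

```powershell
# Added example (not Ground Labs code). Checks the four values that Set Up MIP
# Credentials asks for by requesting a token for the Login ID the way a
# password-based client does (OAuth 2.0 resource owner password credentials grant;
# an assumption, the page does not name ER2's flow).
function Test-Er2MipCredential {
    [CmdletBinding()]
    param(
        # Tenant GUID or a verified domain such as example.onmicrosoft.com.
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $LoginId,           # Login ID field
        [Parameter(Mandatory)] [string] $AppId,             # App ID field
        [Parameter(Mandatory)] [securestring] $AppSecret,   # App Secret field
        [Parameter(Mandatory)] [securestring] $Password     # Password field
    )
    $ErrorActionPreference = 'Stop'

    # Resource the app was granted user_impersonation on (Azure Rights Management);
    # the URI is an assumption taken from the RMS API, verify it for your tenant.
    $scope = 'https://aadrm.com/.default'
    $uri   = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    $body  = @{
        grant_type    = 'password'
        client_id     = $AppId
        client_secret = [Net.NetworkCredential]::new('', $AppSecret).Password
        username      = $LoginId
        password      = [Net.NetworkCredential]::new('', $Password).Password
        scope         = $scope
    }
    try {
        $tok = Invoke-RestMethod -Method Post -Uri $uri -Body $body -ContentType 'application/x-www-form-urlencoded'
        return "OK: token issued for $LoginId, valid $([int]($tok.expires_in / 60)) min. Retrieve in ER2 should succeed."
    } catch {
        $err = $null
        try { $err = $_.ErrorDetails.Message | ConvertFrom-Json } catch { }
        if (-not $err) { throw }   # not a token-endpoint answer (DNS, proxy, TLS ...): surface it as-is
        $codes = @($err.error_codes)
        $code  = "AADSTS$($codes[0])"
        # Map the Entra ID error codes met here to the field or policy that needs fixing.
        if ($codes -contains 50076 -or $codes -contains 50079 -or $codes -contains 50074) {
            return "FAIL ($code): MFA is enforced for $LoginId. ER2 cannot answer an MFA prompt; use a service account exempt from MFA."
        }
        elseif ($codes -contains 53003)   { return "FAIL ($code): a Conditional Access policy blocks $LoginId from this host." }
        elseif ($codes -contains 50126)   { return "FAIL ($code): Login ID or Password is wrong." }
        elseif ($codes -contains 7000215) { return "FAIL ($code): App Secret is wrong, or the secret has expired." }
        elseif ($codes -contains 65001)   { return "FAIL ($code): admin consent has not been granted for the app's permissions." }
        else { return "FAIL ($code): $($err.error_description)" }
    } finally {
        $body.Clear()   # do not leave the plain-text password and secret in the session
    }
}

# Example call; secrets are read interactively rather than typed on the command line:
# Test-Er2MipCredential -TenantId example.onmicrosoft.com -LoginId enterprise-recon-user@example.onmicrosoft.com `
#     -AppId '<Application (client) ID>' -AppSecret (Read-Host -AsSecureString 'App Secret') `
#     -Password (Read-Host -AsSecureString 'Password')
```

A password grant succeeding here is exactly why the service account must be treated as a high-value credential: anyone holding these four values can obtain the same token from any host with internet access, so restrict who has Global Admin or Classification Admin rights in ER2 and rotate the secret on a schedule.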

Update MIP Credentials

Users with Global Admin and Classification Admin global permissions can modify the MIP credentials configured in ER2.

To modify the MIP credentials:

  1. Log in to the ER2 Web Console.

  2. Go to Settings > Analysis > Classification.

  3. In the Microsoft Information Protection (MIP) section, edit the following fields:

    Field Description
    Login ID

    Enter the Microsoft 365 user account that will be used for classification. For example, enterprise-recon-user@example.onmicrosoft.com.

    The sensitivity labels that ER2 can retrieve depend on the labels in the label policies published to the specified user.

    ER2 authenticates with this account's password, so the Data Classification with MIP feature does not support user accounts with two-factor authentication (2FA) enabled. Use a dedicated Microsoft 365 service account that is exempt from 2FA, give it no roles beyond those needed to read labels, and publish to it only the label policies that ER2 should be able to apply.
    App ID Enter the Application (client) ID value obtained when generating a Client ID. For example, myAppId-example-enterpriserecon-1234.
    App Secret Enter the Client Secret key value obtained when generating a Client Secret Key. For example, myAppSecretKey-enterpriserecon-123.
    Password Enter the password of the user specified in the Login ID field.
    Agent Select a Windows Agent with direct internet access. The selected Windows Agent will be used to retrieve classification labels that are published to the user specified in the Login ID field.
  4. Click Retrieve to verify the updated MIP credentials and retrieve the sensitivity labels published to the user specified in the Login ID field. MIP credentials are saved (and overwritten) upon successful authentication.

Disable Data Classification with MIP

To disable Data Classification integration with MIP:

  1. Go to Settings > Analysis > Classification.
  2. Set the toggle button to Off.

View Classification Status

In the Investigate results grid, the MIP Classification status for a supported match location is reflected in the following columns:

MIP Label
  Description: Displays the latest MIP sensitivity label applied to the location. If the MIP sensitivity label for a location is applied or modified using ER2, a notification icon is displayed in this column. If the last-known MIP sensitivity label for a location no longer corresponds to an active or valid label, the column displays the label ID instead.
  Examples: Confidential, Public

Classification Type
  Description: If the location has any MIP sensitivity label applied, indicates whether the label was
    • manually applied in ER2 (Classified), or
    • applied outside of ER2 (Discovered).
  Examples: Classified, Discovered

Status
  Description: Displays the status of the most recent Remediation, Access Control, or Classification action performed on the location.
  Examples: Pending label modification, MIP label modified

Apply or Remove Classification

You can manually apply or remove the sensitivity classification of a supported match location in ER2.

The Classify button will be disabled if:
  • Data Classification integration with MIP is disabled, or
  • Unsupported Target locations are selected, or
  • The user does not have permissions to perform classification actions on one or more selected match locations.

To manually apply or modify the MIP sensitivity label associated with a match location:

  1. Go to the Investigate page.
  2. Select the match location(s) that you want to apply or modify the MIP classification labels for.

  3. Click the Classify button to bring up the Classify locations with a Sensitivity Label (MIP) dialog box.
  4. Select a sensitivity label from the dropdown menu to be applied to or modified for the match location(s).
  5. Enter a name in the Please sign-off to confirm label modification field.
  6. Enter a reason in the Reason field.
  7. Click Ok to classify the match location(s) with the selected MIP sensitivity label. Otherwise click Cancel to cancel the data classification operation.

To manually remove the MIP sensitivity label associated with a match location:

  1. Go to the Investigate page.
  2. Select the match location(s) whose MIP classification label you want to remove.
  3. Click the Classify button to bring up the Classify locations with a Sensitivity Label (MIP) dialog box.
  4. Select Remove sensitivity label from the dropdown menu.
  5. Enter a name in the Please sign-off to confirm label modification field.
  6. Enter a reason in the Reason field.
  7. Click Ok to remove the classification for the match location(s). Otherwise click Cancel to cancel the data classification operation.

MIP Runtime Package Upgrade

Upgrade the ER2 Master Server and MIP Runtime Package to the corresponding version to use the features below.

Please see Install the MIP Runtime Package for details on upgrading the MIP Runtime Package.

Feature / Agent Platform / Agent Version

  • Feature (PRO): The Data Classification with MIP feature has been updated to the latest version of the Microsoft Information Protection SDK. Agent platform: Windows. Agent version: 2.7.
  • Fix (PRO): "File Created" metadata would be incorrectly updated when applying MIP classification labels to supported file types via the Enterprise Recon web UI and API. Agent platform: Windows. Agent version: 2.7.
  • Feature (PRO): The Data Classification with MIP feature has been enhanced to (i) display clearer messaging when applying classification labels with encryption that require file protection, and (ii) support backward compatibility with earlier Agent versions. This enhancement also requires an Agent upgrade. Agent platform: Windows. Agent version: 2.4.