{"id":12951,"date":"2024-01-08T15:12:52","date_gmt":"2024-01-08T23:12:52","guid":{"rendered":"https:\/\/www.microsoft.com\/insidetrack\/blog\/?p=12951"},"modified":"2024-01-10T09:42:35","modified_gmt":"2024-01-10T17:42:35","slug":"protecting-against-oversharing-power-bi-reports-with-microsoft-sentinel","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/insidetrack\/blog\/protecting-against-oversharing-power-bi-reports-with-microsoft-sentinel\/","title":{"rendered":"Protecting against oversharing Power BI reports with Microsoft Sentinel"},"content":{"rendered":"

\"MicrosoftMicrosoft Power BI is an essential tool for monitoring performance, identifying trends, and developing stunning data visualizations that many teams across Microsoft use every day. A well-built Power BI report can play a critical role in helping communicate business information efficiently and effectively. But with great Power BI reports comes great responsibility, which includes keeping data and reports secure, and ensuring that only the right people have access to it.<\/p>\n

Across Microsoft, we use Microsoft Purview Data Loss Prevention (DLP)<\/a>, which is now in general availability<\/a>, to help secure our data. Purview DLP policies allow administrators to comply with governmental and industry regulations such as the European Union General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), and automatically detect sensitive information to prevent data leaks. These policies can now also uncover data that might have accidentally been uploaded to Power BI without your knowledge.<\/p>\n

While Purview\u2019s controls ensure sensitive data is handled appropriately, we learned from customer research that sensitive data can be accidentally overshared with unauthorized individuals when large audience groups are inadvertently granted access to the report. This often happens when report owners grant access to Power BI reports without first checking who is authorized to view them\u2014both inside and outside data boundaries.<\/p>\n

We wanted to find a solution that would prevent this kind of unintentional oversharing and make it easy for Power BI administrations to set up, use, and configure.<\/p>\n

\u2014 Prathiba Enjeti, senior program manager, Microsoft Digital Security and Resilience team<\/p>\n<\/blockquote>\n

To address this problem, Microsoft Digital Security and Resilience collaborated with the Microsoft Sentinel product group to develop an out-of-the-box Microsoft Sentinel solution for Power BI reports to detect and respond to oversharing. Using the Power BI connector for Microsoft Sentinel, which is now available in preview<\/a>,<\/u> you can track user activity in your Power BI environment with Microsoft Sentinel using Power BI audit logs. This solution helps administrators to identify potential data leaks with automatically generated reports.<\/p>\n

How it works<\/h2>\n

With Microsoft Sentinel playbook automation for Power BI detection, the SOC can achieve higher productivity and efficiency, saving analysts\u2019 time and energy for investigative tasks.<\/p>\n

\u2014 Prathiba Enjeti, senior program manager, Microsoft Digital Security and Resilience team<\/p>\n<\/blockquote>\n

\"Enjeti
Prathiba Enjeti is a senior security program manager on the Microsoft Security Standards and Configuration team.<\/figcaption><\/figure>\n

Our oversharing detection logic uses Power BI audit logs, which are cross-referenced against Microsoft Sentinel-generated watchlists that track high-risk security groups. When a report is shared with a group that exceeds a specified number of users, the detection is triggered. Thresholds can be adjusted by administrators to suit any organization\u2019s needs and policies.<\/p>\n

Additionally, we used the Microsoft Sentinel playbook<\/a> to automate the remediation process. We configured it to automatically send email notifications containing remediation instructions to report owners. From our discussions with customers, we learned that some organizations preferred that accountability remain with the Power BI report owners for various periods of time to remediate, before escalating to the tenant administrators. To meet customer needs for flexibility, administrators can configure time spans ranging from instantaneous escalation, to hours, days, and weeks.<\/p>\n

\u201cWith Microsoft Sentinel playbook automation for Power BI detection, the SOC can achieve higher productivity and efficiency, saving analysts\u2019 time and energy for investigative tasks,\u201d Enjeti says.<\/p>\n

Automating how cases of data oversharing are found and fixed will allow IT administrators to detect, notify, and limit access to Power BI reports in real time. We\u2019re excited to bring this Microsoft Sentinel solution to our customers, which will be available for public release soon.<\/p>\n

\"Key<\/h2>\n

Here are some suggestions for tackling oversharing at your company:<\/p>\n