Getting started with Microsoft DLP IR integration for data loss prevention

Review the following information before you start setting up your Microsoft DLP IR integration for data loss prevention.

You need the following API permissions/roles on a Microsoft Azure application to configure it for the ServiceNow Microsoft DLP integration.

Table 2. Required API Permissions/Roles on a Microsoft Azure application

| API | API Permission name | Type | Description | Required for which ServiceNow functionality? | Is Admin consent required? |
|---|---|---|---|---|---|
| Office 365 Management API | ActivityFeed.ReadDlp | Application | Read DLP policy events including detected sensitive data. | To ingest the DLP events from MSFT Purview to ServiceNow. Note: This permission is a must to get the MSFT data into ServiceNow. | Yes |
| Microsoft Graph API | Files.Read.All | Application | Read files in all site collections that you can access. | Download File: to download the attachment that caused the DLP event from OneDrive or SharePoint onto the ServiceNow instance. Note: This is optional. You can skip this API permission if you don't want to allow analysts to download the attachment that caused the DLP event. | Yes |
| Microsoft Graph API | Mail.Read | Application | Read mail in all mailboxes. | Download File: to download the email content (body and attachment) that caused the DLP event from Exchange onto the ServiceNow instance. Note: This is optional. You can skip this API permission if you don't want to allow analysts to download the email content (body, attachment) that caused the DLP event. | Yes |
| Microsoft Graph API | User.Read | Delegated | Sign in and read user profile. | This is the default permission that is available for all new applications. | No |
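The following script is an added example, not part of the ServiceNow or Microsoft documentation: it reads the application permissions actually granted to the integration's service principal via the Microsoft Graph PowerShell SDK and compares them against Table 2, flagging anything missing or anything granted beyond the set the integration needs. It assumes the Microsoft.Graph module is installed and that `$AppId` (a placeholder you supply) is the Application (client) ID of your ServiceNow app registration.

```powershell
# Added example: audit the application permissions granted to the ServiceNow
# Microsoft DLP integration app against Table 2 (least-privilege check).
# Assumes the Microsoft.Graph PowerShell SDK and an account allowed to read
# directory application data. $AppId is a placeholder for your app's client ID.
param(
    [Parameter(Mandatory = $true)][string]$AppId,
    # Set these only if analysts are allowed to download the offending file / mail.
    [bool]$AllowFileDownload = $false,
    [bool]$AllowMailDownload = $false
)

# Application permissions from Table 2: one mandatory, two optional.
# User.Read is delegated, so it never appears as an app role assignment.
$Required = @('ActivityFeed.ReadDlp')
$Optional = @()
if ($AllowFileDownload) { $Optional += 'Files.Read.All' }
if ($AllowMailDownload) { $Optional += 'Mail.Read' }
$Allowed = $Required + $Optional

# Reading app role assignments requires Application.Read.All on the signed-in account.
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal found for appId $AppId" }

# Each assignment points at the resource API (Graph, Office 365 Management API)
# by object id and at the granted role by id; resolve the role id back to its
# permission value (e.g. 'Mail.Read') from the resource's own appRoles list.
$granted = foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    $role = $resource.AppRoles | Where-Object Id -eq $a.AppRoleId
    [pscustomobject]@{ Api = $resource.DisplayName; Permission = $role.Value }
}

$missing = $Required | Where-Object { $_ -notin $granted.Permission }
$excess  = $granted  | Where-Object { $_.Permission -notin $Allowed }

$granted | Format-Table Api, Permission
if ($missing) { Write-Warning "Missing required application permission(s): $($missing -join ', ')" }
if ($excess)  { Write-Warning "Granted beyond Table 2, review for least privilege: $($excess.Permission -join ', ')" }
if (-not $missing -and -not $excess) { Write-Output 'Granted application permissions match Table 2.' }
```

Run it once after granting admin consent and again on a schedule: a newly appearing permission on this service principal is a change to what the integration can read in your tenant.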

Detected Sensitive Information (Optional)

The match content is stored externally in Azure Blob Storage or Amazon S3 bucket and will be pulled from external storage when the user views an incident.

One of the following permissions is required if users would like to view Match Content/Detected Sensitive Information in the DLP Core application:
  1. If you are a Microsoft Azure user, you must have the role Storage Blob Data Contributor to read, write, and delete blobs on Azure Storage.
  2. If you are an Amazon S3 user, you must create a policy which gives list, read, write, and delete access for the object in Amazon S3 Storage.