Microsoft Purview part 6: This is part 6 of a series on Microsoft Purview and the tools available in it.
Audit in Microsoft Purview
Welcome to part 6 of the blog series about Microsoft Purview! In this part we will dive into the Audit solution located in the Purview portal.
What is Audit in Microsoft Purview?
Auditing in Microsoft Purview is a feature that allows organizations to track and log activities performed by users and administrators in various Microsoft services. This includes actions such as logins, file access, changes to settings, and much more.
The Audit module in Microsoft Purview can be used for several purposes:
Technical Investigations: Helps investigate security incidents by providing detailed insight into user and admin activities.
Regulatory Compliance: Ensures that the organization complies with legal and regulatory requirements by preserving audit logs.
Internal Audit: Provides internal auditors with the ability to monitor and evaluate internal controls and processes.
What functions does the Audit module cover?
Audit Log Search: Ability to search for specific activities performed by users or administrators.
Custom retention policies: Creation of custom policies for retaining audit logs based on the service where the activities occur, specific activities, or the user performing the activity.
Smart Insights: Provides advanced analysis and insights based on the audit data.
Long-term retention: Option to keep audit logs for up to 10 years with an additional license.
Examples of use
Audit search and Audit policies can, like most other things in Microsoft, be set up and managed both from the GUI and directly from PowerShell. Below are some examples of the use and setup of policies.
Audit Policy
GUI
PowerShell
# Run in a Security & Compliance PowerShell session (Connect-IPPSSession)
New-UnifiedAuditLogRetentionPolicy -Priority 2 -Name "TheUsualSuspectsAgain" -Description "Policy for special users" -UserIds "Bjornar.Aassveen@innivarmen.onmicrosoft.com" -RecordTypes ExchangeItem, SharePoint -RetentionDuration FiveYears
This snippet creates a policy that keeps audit records for Exchange and SharePoint for the user for 5 years, in the same way as the GUI setup shown above. NB! The UnifiedAuditLog cmdlets are part of the ExchangeOnline PS module, but for this one you must connect with IPPSSession, which is part of Security & Compliance.
Audit search
Audit search is a powerful search engine across all Audit logs in Microsoft 365. Here you can refine searches based on application, sites, workloads, users etc.
The example below shows a broad search for a user; here you can, for example, see all "log in" activities across.
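The same kind of broad per-user sign-in search can be run from PowerShell with Search-UnifiedAuditLog. The script below is an added example, not part of the original post: the account name and the seven-day window are placeholders, and it assumes an Exchange Online PowerShell session with permission to search the audit log.

```powershell
# Added example: placeholder account and time window, adjust to your tenant.
# Search-UnifiedAuditLog runs in Exchange Online PowerShell (Connect-ExchangeOnline).
Connect-ExchangeOnline

$user  = 'user@contoso.onmicrosoft.com'        # placeholder account
$end   = (Get-Date).ToUniversalTime()
$start = $end.AddDays(-7)

$search = @{
    StartDate      = $start
    EndDate        = $end
    UserIds        = $user
    Operations     = 'UserLoggedIn', 'UserLoginFailed'
    SessionId      = "signin-$([guid]::NewGuid())"   # ties the paged calls together
    SessionCommand = 'ReturnLargeSet'                # paging, up to 5,000 rows per call
    ResultSize     = 5000
}

# Call repeatedly with the same SessionId until a page comes back empty.
$records = @()
do {
    $page = Search-UnifiedAuditLog @search
    if ($page) { $records += $page }
} while ($page)

# ReturnLargeSet returns unsorted data, so de-duplicate and sort locally.
# The detail of each event is JSON in the AuditData property.
$signIns = $records | Sort-Object Identity -Unique | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        TimeUtc   = [datetime]$d.CreationTime
        User      = $d.UserId
        Operation = $d.Operation
        ClientIP  = $d.ClientIP
        Workload  = $d.Workload
    }
} | Sort-Object TimeUtc

$signIns | Format-Table -AutoSize

# Failed sign-ins grouped by source IP, most frequent first
$signIns | Where-Object Operation -eq 'UserLoginFailed' |
    Group-Object ClientIP | Sort-Object Count -Descending |
    Select-Object Count, Name
```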
Bjørnar & AI