Choose between Audit (Standard) and Audit (Premium) based on an organization’s requirements
Standard vs. Premium Audit Features
Capability | Audit (Standard) | Audit (Premium) |
---|---|---|
Enabled by default | Yes | Yes |
Thousands of searchable audit events | Yes | Yes |
Audit search tool in the compliance portal | Yes | Yes |
Search-UnifiedAuditLog cmdlet | Yes | Yes |
Export audit records to CSV file | Yes | Yes |
Access to audit logs via Office 365 Management Activity API | Yes | Yes (higher bandwidth) |
180-day audit log retention | Yes | Yes |
1-year audit log retention | No | Yes |
10-year audit log retention | No | Yes (add-on licence) |
Audit log retention policies | No | Yes |
Intelligent insights | No | Yes |
Audit Features Comparison
Feature | Audit (Standard) | Audit (Premium) |
---|---|---|
Enabled by Default | Yes | Yes |
Searchable Audit Events | Thousands | Thousands |
Search Tools | Audit log search tool in the Microsoft Purview compliance portal; Search-UnifiedAuditLog cmdlet | Same as Standard, plus: ability to save searches |
Export Audit Records | Yes (CSV) | Yes (CSV) |
Access to Audit Logs | Office 365 Management Activity API | Same as Standard, Plus: Higher Bandwidth |
Audit Log Retention | 180 days (not configurable) | 1 year for Exchange Online, SharePoint Online, OneDrive and Microsoft Entra ID records; 180 days for other workloads (configurable with audit log retention policies) |
Additional Insights | No | Intelligent insights for Exchange & SharePoint Online |
10-Year Retention | Not available | Requires add-on license |
Audit Log Retention Policies | Not available | Create custom policies for specific services, users, or activities |
Retention Priority | Not available | Define priority levels for custom policies |
Important Activity Properties | Access to basic properties | Access to additional properties requiring Premium license |
Note! The default retention period for Audit (Standard) changed from 90 days to 180 days on October 17, 2023.
Plan for and configure auditing
First check that you have Auditing enabled
Both Standard and Premium tiers allow you to search audit logs for user and admin actions across various services. Since Standard comes enabled by default for most organizations, minimal setup is required for you and your team to start investigating activities.
Audit Functionality Requires Two Licensing Components:
- Subscription Level: Your organization needs a Microsoft 365 subscription that includes access to the audit log search tool.
- Per-User Licensing: Individual users need licenses that enable audit record generation and retention. These licenses determine the specific activities logged and the length of record retention.
Audit Record Retention:
Audit (Standard) retains audit records for 180 days. Audit (Premium) retains Exchange Online, SharePoint Online, OneDrive and Microsoft Entra ID records for one year and other workloads for 180 days by default, and lets you change that with audit log retention policies. Records are searchable in the audit log for the whole retention period.
Search and Export Permissions:
Searching and exporting audit logs require specific permissions within the compliance portal. Assigning the View-Only Audit Logs or Audit Logs role to admins and investigators grants them these capabilities.
Default Role Assignments:
These roles are automatically assigned to pre-defined role groups:
- Audit Reader: Can search and view audit logs.
- Audit Manager: Can search, view, and export audit logs.
Customization Options:
- Exchange Admin Center: Permissions for enabling/disabling auditing and accessing audit cmdlets remain within the Exchange admin center. Use existing Audit Logs and View-Only Audit Logs roles for this purpose.
- Custom Role Groups: Create custom role groups with the desired level of access (search or search & export) by adding View-Only Audit Logs or Audit Logs roles.
Search and Export Permissions:
To search or export audit logs in the compliance portal, administrators and investigators need to be assigned one of the following audit-related roles:
- Audit Manager: can search, view and export audit logs and manage audit settings such as retention policies.
- Audit Reader: can search and view audit logs, but cannot export them or change audit settings.
See more on Learn: how to configure Audit (Premium).
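The check-and-enable step and the permissions review above, as an added PowerShell example (it is not code from the original page). It assumes the ExchangeOnlineManagement module is installed and that the account running it holds an Exchange or Global admin role; all other names are real cmdlets and role names.

```powershell
# Added example: verify unified audit logging is on, find mailboxes with auditing
# switched off, and list who effectively holds the two audit roles.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# 1. Is unified audit log ingestion enabled for the tenant?
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit logging is OFF; enabling it now (activity before this point was not recorded)."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
} else {
    Write-Host "Unified audit logging is enabled."
}

# 2. Mailbox auditing is on by default, but it can be disabled per mailbox.
#    Anything with AuditEnabled = $false deserves a look.
Get-EXOMailbox -ResultSize Unlimited -Properties AuditEnabled |
    Where-Object { -not $_.AuditEnabled } |
    Select-Object UserPrincipalName, AuditEnabled

# 3. Who can search (View-Only Audit Logs) and who can search and export (Audit Logs)?
#    -GetEffectiveUsers expands role groups down to the individual members.
foreach ($role in 'View-Only Audit Logs', 'Audit Logs') {
    Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers |
        Where-Object { $_.EffectiveUserName -ne 'All Group Members' } |
        Select-Object @{ n = 'Role'; e = { $role } }, EffectiveUserName, RoleAssigneeName
}

# 4. Smoke test: a one-day search should return rows once ingestion has been on for a while.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -ResultSize 5 |
    Select-Object CreationDate, UserIds, Operations, RecordType
```

Step 3 is the one worth running periodically: the Audit Logs role is what lets someone export records, so a stray assignment to a broad role group is the thing to catch here.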
Investigate activities by using the unified audit log
What services are supported?
New Audit Search offers enhanced search capabilities
- Background Searches: Run searches without keeping your browser open. Jobs continue running even if you close the window.
- Search History: Access completed searches for 30 days, allowing you to review past investigations.
- Improved Efficiency: Each admin can run up to 10 concurrent searches, with one dedicated to unfiltered searches for broader investigations.
Copilot Audit
Microsoft 365 automatically tracks how users interact with Copilot to ensure transparency and accountability. This log captures the following details:
- When and how users interacted with Copilot: This includes timestamps and specific actions taken, such as requesting suggestions or automating tasks.
- Where the interaction happened: Did it occur in Word, Excel, or another Microsoft 365 application?
- Accessed files and their security labels: The log records any files involved in Copilot interactions and any sensitivity labels attached to them (e.g., confidential).
If you want to see these Copilot events, head to the Microsoft Purview compliance portal and look for the “Audit” solution. Here’s how to find specific entries:
- Copilot Activities: This filter focuses solely on events related to Copilot interactions.
- Interacted with Copilot: This option narrows down the log to user actions involving Copilot.
- Copilot (Workload): This approach treats Copilot as a complete workload for a broader audit view.
See here for a full list of services and what you can see from the Unified Audit Log
And here for how to use Purview Audit Premium to investigate compromised accounts
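The investigation workflow from the two sections above (paging through the unified audit log, then narrowing to Copilot activity or to one account), as an added PowerShell example that is not code from the original page. It assumes Connect-ExchangeOnline has already been run; `Get-UalRecords` is a helper defined here, not a Microsoft cmdlet, and `user@contoso.com` is a placeholder. The `CopilotInteraction` record type name is taken from Microsoft's Copilot audit documentation; confirm it appears in your tenant's record type filter before relying on it.

```powershell
# Added example: pull a time window of unified audit log records with paging,
# expand the AuditData JSON, and pivot on the result.
function Get-UalRecords {
    param(
        [datetime]$Start,
        [datetime]$End,
        [string]$RecordType,     # e.g. 'ExchangeItem', 'CopilotInteraction'
        [string[]]$UserIds
    )
    # ReturnLargeSet with a constant SessionId pages through up to 50,000 records
    # in 5,000-row chunks; the loop ends when a page comes back short or empty.
    $sessionId = [guid]::NewGuid().ToString()
    $all = [System.Collections.Generic.List[object]]::new()
    do {
        $params = @{
            StartDate      = $Start
            EndDate        = $End
            SessionId      = $sessionId
            SessionCommand = 'ReturnLargeSet'
            ResultSize     = 5000
        }
        if ($RecordType) { $params.RecordType = $RecordType }
        if ($UserIds)    { $params.UserIds    = $UserIds }
        $page = @(Search-UnifiedAuditLog @params)
        foreach ($p in $page) { $all.Add($p) }
    } while ($page.Count -eq 5000)

    # AuditData is a JSON string; expand it so the workload-specific fields are queryable.
    foreach ($r in $all) {
        $d = $r.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            Time       = $r.CreationDate
            User       = $r.UserIds
            RecordType = $r.RecordType
            Operation  = $r.Operations
            Workload   = $d.Workload
            ClientIP   = $d.ClientIP      # absent on some record types, then $null
            ObjectId   = $d.ObjectId
            Raw        = $d               # keep the full payload for deeper digging
        }
    }
}

# Last 7 days of Copilot interactions, counted per user.
$copilot = Get-UalRecords -Start (Get-Date).AddDays(-7) -End (Get-Date) -RecordType 'CopilotInteraction'
$copilot | Group-Object User | Sort-Object Count -Descending | Select-Object Count, Name -First 10

# Suspected compromised account: everything it did, pivoted on source IP and operation,
# then exported for the case file.
$acct = Get-UalRecords -Start (Get-Date).AddDays(-7) -End (Get-Date) -UserIds 'user@contoso.com'
$acct | Group-Object ClientIP, Operation | Sort-Object Count -Descending | Format-Table Count, Name
$acct | Select-Object Time, User, RecordType, Operation, Workload, ClientIP, ObjectId |
    Export-Csv -Path .\ual-user.csv -NoTypeInformation
```

The paging loop is the part people get wrong: without a fixed SessionId and ReturnLargeSet, a busy tenant silently truncates at the first page, and an investigation built on that is missing most of the evidence.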
Review and interpret compliance reports and dashboards
You can access the portal as a global administrator, compliance administrator, or compliance data administrator.
Depending on your permissions and your Microsoft Purview subscription, you’ll see different solutions, home page cards, and features in the portal.
Compliance posture status provides a quick overview of your organization’s security posture using data from the Compliance Manager solution. Here’s what you’ll find:
- Compliance Progress Bars: These bars visually represent your progress towards meeting the requirements of various regulatory assessments.
- Top Assessment Breakdown: This section highlights the completion rates for your most critical assessments and the specific services covered by each assessment.
The Compliance Manager dashboard is your central hub for understanding your organization’s compliance posture. It summarizes that posture in a single metric: the overall compliance score.
What Does the Score Mean?
The score reflects how far you have implemented the recommended improvement actions that address regulatory and data-protection risks. A higher score means more of the recommended controls are in place; it measures control coverage, not whether those controls are actually effective.
Using the Score for Action
The score serves two key purposes:
- Understanding Your Security Status: It gives you a snapshot of your current security effectiveness.
- Prioritizing Improvements: The score helps you identify areas with the most significant impact on improving your overall security posture. Actions with a higher potential risk reduction will have a greater positive impact on your score.
How is the Score Calculated?
The overall score is built upon individual actions taken to address security concerns. Here’s a breakdown of the contributing factors:
- Improvement Actions: Each action has a weighted score based on the potential risk it addresses. More details on action types and scoring are in the “Action types and scoring” section of the Compliance Manager documentation.
- Assessments: These scores are derived from the improvement action scores. Each action, whether created by Microsoft or your organization, is counted only once within an assessment, regardless of how often it appears.
You can also open the Compliance score breakdown cards on the same page.
See here for more on the new unified Purview portal
Configure alert policies
You can use alert policies and the alert dashboard in the Microsoft Purview compliance portal or the Microsoft Defender portal to create alert policies and then view the alerts generated when users perform activities that match the conditions of an alert policy.
Open the old compliance portal https://compliance.microsoft.com/compliancepolicies and choose Policies, then Alert policies
And it will open https://security.microsoft.com/alertpoliciesv2
Completely out of scope, but do you know what ZAP is? No? Well, let me explain. Exchange, yay!
One of my favorites is ZAP (zero-hour auto purge). It acts retroactively on mail that has already been delivered: when the service’s verdict for a message changes after delivery (for example, an attachment or link is later classified as malware or phishing), ZAP moves or quarantines the message according to the applicable anti-spam, anti-malware and anti-phishing policies, with no action from the user or the admin. The sandbox that detonates attachments is a separate feature, Safe Attachments; ZAP is the clean-up that runs once a verdict changes.
When a message is zapped, the move is not logged in the Exchange mailbox audit log as a system action.
Note! ZAP doesn’t work in standalone EOP environments that protect on-premises mailboxes. The MX record and the mailboxes have to be in the cloud.
ZAP for spam, phishing and malware in Exchange Online mailboxes is part of Exchange Online Protection, so it is also included with Microsoft Defender for Office 365 P1 and P2.
ZAP is also able to retroactively detect existing malicious chat messages in Microsoft Teams which is currently in Preview!
Then back to Alert policies.
An alert policy acts like a detective in your Microsoft Purview system. It defines specific criteria to identify potentially risky user or admin activity. Here’s how it works:
- Rules and Conditions: This section details what triggers an alert. It can be specific user actions, admin activities, or a combination of both.
- Who Triggers the Alert: You can choose to target all users or define a specific group of users whose activities will trigger the alert.
- Threshold for Alerts: Not every single instance needs to raise an alarm. The policy sets a threshold, meaning the activity needs to occur a certain number of times within a period before an alert is triggered.
- Category and Severity: These act like filing labels for your alert policies. You can categorize them based on the type of activity (e.g., data access, suspicious logins) and assign a severity level (e.g., high risk, low risk). These labels help you organize and prioritize alerts when reviewing them within the Microsoft Purview compliance portal.
By setting these parameters, you create a targeted alert system, focusing on specific activities and users while avoiding information overload.
See more from Learn on those policies
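The four parts of an alert policy listed above (rule, scope, threshold, category and severity), expressed as an added PowerShell example rather than portal clicks. It is not code from the original page; it assumes Connect-IPPSSession (Security & Compliance PowerShell) is available, and `secops@contoso.com` is a placeholder. The operation names are the audit log Operation values that the portal’s activity picker maps to.

```powershell
# Added example: create two alert policies from PowerShell and verify them.
Connect-IPPSSession

# Rule: the audit Operation that fires the alert (New-InboxRule = "Created new inbox rule").
# Threshold: alert only when it happens 3 or more times within 60 minutes.
# Category and Severity: the labels used to triage in the alerts dashboard.
New-ProtectionAlert -Name 'Inbox rules created in bulk' `
    -Description 'Attackers often add forwarding or delete rules right after taking over a mailbox' `
    -Category ThreatManagement `
    -Severity High `
    -ThreatType Activity `
    -Operation 'New-InboxRule' `
    -AggregationType SimpleAggregation `
    -Threshold 3 `
    -TimeWindow 60 `
    -NotifyUser 'secops@contoso.com'

# Single-event variant: any mailbox configuration change alerts immediately.
# AggregationType None means no threshold; every matching event raises an alert.
New-ProtectionAlert -Name 'Mailbox settings changed' `
    -Category ThreatManagement `
    -Severity Medium `
    -ThreatType Activity `
    -Operation 'Set-Mailbox' `
    -AggregationType None `
    -NotifyUser 'secops@contoso.com'

# Verify what was created and that neither policy is disabled.
Get-ProtectionAlert |
    Where-Object { $_.Name -in 'Inbox rules created in bulk', 'Mailbox settings changed' } |
    Format-List Name, Category, Severity, Operation, AggregationType, Threshold, TimeWindow, Disabled
```

The second policy is deliberately noisy; narrow it with the -Filter parameter (for example on the mailbox’s department or the actor) once you know which Set-Mailbox changes your admins make routinely.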
Configure audit retention policies
This table summarizes the key settings involved in creating an audit log retention policy in Microsoft Purview:
Setting | Description | Required | Notes |
---|---|---|---|
Policy Name | A unique identifier for the policy within your organization. | Yes | |
Description | (Optional) Additional information about the policy, such as its purpose or scope. | No | |
Users | Select specific users to apply the policy to, or leave blank for all users. | No | |
Record Type | The type of audit record the policy applies to (e.g., Exchange admin activity, Entra ID sign-ins). | Required unless Users is selected | If left blank while Users is set, the policy applies to all record types for those users. |
Activities (Optional) | Filter specific activities within the chosen record type (only available for single record type selection). | No | Applies to all activities of the chosen record type if left blank. |
Duration | Retention period for audit logs matching the policy criteria (options: 7 days – 10 years). | Yes | Requires specific subscriptions for extended retention periods (see “Important” note below). |
Priority | Order of processing for the policy (lower value = higher priority). | No | Default policies have lower priority than custom policies. |
Important:
- Creating audit log retention policies at all (the 7-day to 12-month durations) requires Audit (Premium), which comes with Microsoft 365 E5 or an equivalent Audit (Premium) licence.
- The 3-, 5-, 7- and 10-year durations additionally require the 10-Year Audit Log Retention add-on licence per user.
Open https://purview.microsoft.com/audit/auditpolicies to create Audit retention policies
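The settings table above, turned into policies with the Security & Compliance cmdlets, as an added PowerShell example that is not code from the original page. It assumes Connect-IPPSSession is available and an Audit (Premium) licence; the 10-year policy also needs the add-on licence. Policy names and the two user principal names are placeholders; the record types, operations and duration values are the cmdlet’s own enumerations.

```powershell
# Added example: create three audit log retention policies and review their precedence.
Connect-IPPSSession

# Tenant-wide: keep Exchange admin changes and Entra ID sign-ins for one year.
New-UnifiedAuditLogRetentionPolicy -Name 'Exchange admin and sign-ins 1y' `
    -Description 'Year-long trail for admin changes and authentication' `
    -RecordTypes ExchangeAdmin, AzureActiveDirectoryStsLogon `
    -RetentionDuration TwelveMonths `
    -Priority 100

# Per-user: keep everything privileged accounts do for ten years (add-on licence).
# When two policies match the same record, the lower Priority value wins.
New-UnifiedAuditLogRetentionPolicy -Name 'Privileged users 10y' `
    -UserIds 'breakglass@contoso.com', 'globaladmin@contoso.com' `
    -RetentionDuration TenYears `
    -Priority 1

# Activity filter: only allowed when exactly one record type is selected.
New-UnifiedAuditLogRetentionPolicy -Name 'SharePoint sharing 3y' `
    -RecordTypes SharePointSharingOperation `
    -Operations SharingSet, SharingInvitationCreated, AnonymousLinkCreated `
    -RetentionDuration ThreeYears `
    -Priority 50

# Review: which policies exist and in what order they are evaluated.
Get-UnifiedAuditLogRetentionPolicy |
    Sort-Object Priority |
    Format-Table Name, Priority, RecordTypes, Operations, UserIds, RetentionDuration
```

Give the broad, long-retention policies the lowest priority numbers; otherwise a narrower 1-year policy that happens to match the same record can shorten what you meant to keep for a decade.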
Closure
Standard vs. Premium Audit Features
Feature | Audit (Standard) | Audit (Premium) | Enabled by Default |
---|---|---|---|
Searchable Audit Events | Thousands | Thousands | Yes |
Search Tools | Audit log search tool in Microsoft Purview compliance portal Search-UnifiedAuditLog cmdlet | Same as Standard, Plus: Ability to save searches | Yes |
Export Audit Records | Yes (CSV) | Yes (CSV) | Yes |
Access to Audit Logs | Office 365 Management Activity API | Same as Standard, Plus: Higher Bandwidth | Yes |
Audit Log Retention | 180 days for all workloads (not configurable) | 1 year for Exchange Online, SharePoint Online, OneDrive and Microsoft Entra ID records; 180 days for other workloads (configurable with retention policies) | Yes |
Additional Insights | No | Intelligent insights for Exchange & SharePoint Online | No |
10-Year Retention | Not available | Requires add-on license | No |
Audit Log Retention Policies | Not available | Create custom policies for specific services, users, or activities | No |
Retention Priority | Not available | Define priority levels for custom policies | No |
Important Activity Properties | Access to basic properties | Access to additional properties | Yes |
Note: The default retention period for Audit (Standard) changed from 90 days to 180 days on October 17, 2023.
Audit Functionality Requires Two Licensing Components:
- Subscription Level: Your organization needs a Microsoft 365 subscription that includes access to the audit log search tool.
- Per-User Licensing: Individual users need licenses that enable audit record generation and retention. These licenses determine the specific activities logged and the length of record retention.
Search and Export Permissions:
To search or export audit logs in the compliance portal, administrators and investigators need to be assigned one of the following audit-related roles:
- Audit Manager: can search, view and export audit logs and manage audit settings such as retention policies.
- Audit Reader: can search and view audit logs, but cannot export them or change audit settings.
New Audit Search offers enhanced search capabilities
- Background Searches: Run searches without keeping your browser open. Jobs continue running even if you close the window.
- Search History: Access completed searches for 30 days, allowing you to review past investigations.
- Improved Efficiency: Each admin can run up to 10 concurrent searches, with one dedicated to unfiltered searches for broader investigations.
Compliance posture status provides a quick overview of your organization’s security posture using data from the Compliance Manager solution. Here’s what you’ll find:
- Compliance Progress Bars: These bars visually represent your progress towards meeting the requirements of various regulatory assessments.
- Top Assessment Breakdown: This section highlights the completion rates for your most critical assessments and the specific services covered by each assessment.
How is the Score Calculated?
The overall score is built upon individual actions taken to address security concerns. Here’s a breakdown of the contributing factors:
- Improvement Actions: Each action has a weighted score based on the potential risk it addresses. More details on action types and scoring are in the “Action types and scoring” section of the Compliance Manager documentation.
- Assessments: These scores are derived from the improvement action scores. Each action, whether created by Microsoft or your organization, is counted only once within an assessment, regardless of how often it appears.
An alert policy acts like a detective in your Microsoft Purview system. It defines specific criteria to identify potentially risky user or admin activity. Here’s how it works:
- Rules and Conditions: This section details what triggers an alert. It can be specific user actions, admin activities, or a combination of both.
- Who Triggers the Alert: You can choose to target all users or define a specific group of users whose activities will trigger the alert.
- Threshold for Alerts: Not every single instance needs to raise an alarm. The policy sets a threshold, meaning the activity needs to occur a certain number of times within a period before an alert is triggered.
- Category and Severity: These act like filing labels for your alert policies. You can categorize them based on the type of activity (e.g., data access, suspicious logins) and assign a severity level (e.g., high risk, low risk). These labels help you organize and prioritize alerts when reviewing them within the Microsoft Purview compliance portal.
Purview Audit retention policies:
- Creating audit log retention policies at all (the 7-day to 12-month durations) requires Audit (Premium), which comes with Microsoft 365 E5 or an equivalent Audit (Premium) licence.
- The 3-, 5-, 7- and 10-year durations additionally require the 10-Year Audit Log Retention add-on licence per user.