New Exchange and SharePoint Logs for Microsoft Purview Audit Standard Users – Future Release (September 2024)
Microsoft Purview, a family of data governance, risk, and compliance solutions, is introducing new features to enhance its visibility and control over cloud security activity events for Microsoft Exchange and SharePoint. These events are generated by the Purview Audit service, which monitors and records user and system actions across various Microsoft 365 workloads.
Previously, Purview Audit offered two types of licenses: Audit Standard and Audit Premium. Audit Standard provided basic auditing capabilities for common events, while Audit Premium offered advanced auditing features for more granular and sensitive events. However, some customers requested access to certain events that were only available for Audit Premium users, even though they did not need the full functionality of the premium license.
To address this feedback, Purview Audit is expanding its event coverage for Audit Standard users by adding four new events that were previously exclusive to Audit Premium users. These events are related to Microsoft Exchange and SharePoint activities, and they are:
- MailItemsAccessed: This event occurs when a user or a delegate accesses one or more mail items in a mailbox. This event can help detect unauthorized or suspicious access to email messages.
- Send: This event occurs when a user sends an email message from their mailbox or on behalf of another user. This event can help track the source and destination of email communications.
- SearchQueryInitiatedExchange: This event occurs when a user performs a search query in Exchange Online. This event can help monitor the search activities and keywords used by users.
- SearchQueryInitiatedSharepoint: This event occurs when a user performs a search query in SharePoint Online.
These events will now be available for all Audit Standard users, regardless of their license type.
This implies that clients with only an Audit Standard license can attend these events without needing to upgrade to an Audit Premium license.
Nevertheless, clients holding an Audit Premium license will still receive added advantages over Audit Standard users.
One of these perks is the capability to access a greater number of metadata fields for specific events.
For instance, for the MailItemsAccessed event, Audit Premium users will have visibility into the SensitivityLabel field, indicating the sensitivity level of the accessed mail item.
This feature aids in identifying and safeguarding sensitive or confidential information in email messages.
Another benefit includes access to additional events not accessible to Audit Standard users.
For instance, Audit Premium users can monitor events connected to eDiscovery activities, such as eDiscoveryCaseCreated, eDiscoveryCaseUpdated, eDiscoveryHoldApplied, and eDiscoverySearchStarted.
These events assist in tracking and auditing the legal discovery procedures and activities carried out by users.
By broadening its event coverage for Audit Standard users, Purview Audit seeks to offer more flexibility and value to its clients seeking increased visibility and control over their cloud security activity events for Microsoft Exchange and SharePoint.
By expanding its event coverage for Audit Standard users, Purview Audit aims to provide more flexibility and value for its customers who want to gain more visibility and control over their cloud security activity events for Microsoft Exchange and SharePoint. Customers can choose the license type that best suits their needs and budget, while still enjoying the benefits of Purview Audit’s comprehensive and integrated auditing capabilities.