Expanding audit logging and retention within Microsoft Purview for increased security visibility

Since our announcement in July 2023, we have made significant efforts to enhance the access to Microsoft Purview’s audit logging.1 This ongoing work expands accessibility and flexibility to cloud security logs, which began rolling out to customers around the world in September 2023. Our decision to update the scope of log data accessible from Microsoft’s cloud infrastructure resulted from a close collaboration with both commercial and government customers, as well as ongoing engagement with the Cybersecurity and Infrastructure Security Agency (CISA). It is important to emphasize that log data, while an invaluable resource, is not a preventive measure against cyberattacks. Rather, it plays a pivotal role in incident response by helping uncover auditable insights into the methods by which various entities, such as user identities, applications, and devices, interact with a customer’s cloud-based services. In addition to that vital work, we have several other updates coming to Microsoft Purview Audit in the coming weeks.

Microsoft Purview Audit

Discover new capabilities that will transform how you secure your organization’s data across clouds, devices, and platforms.

Microsoft Cyber Defense Operations Center.

New default retention period for activity logs

Starting in October 2023, we began rolling out changes to extend default retention to 180 days from 90 for audit logs generated by Audit (Standard) customers. Audit (Premium) license holders will continue with a default of one year, and the option to extend up to 10 years. Our public roadmaps detail when retention changes will reach your organization, starting with worldwide enterprise customers and quickly followed by our government customers in accordance with our standard service rollout process. This update helps all organizations minimize risk by increasing access to historical audit log activity data that is critical when investigating the impact from a security breach incident or accommodating a litigation event.

New logs for increased security

Every day, Microsoft Purview Audit Logs record and retain the thousands of user and admin activities that take place in Microsoft 365 applications. Authorized administrators can search and access the logs from the Microsoft Purview compliance portal to determine the scope of a compromise and enhance their investigations. Audit (Standard) license holders will be able to access an additional 30 audit logs, shown in the table below over the next several months. To learn more about when the logs will be available in your tenant, please visit the Public roadmap.

Exchange
Send, MailItemsAccessed,
SearchQueryInitiatedExchange

SharePoint Online
SearchQueryInitiatedSharePoint

Stream

StreamInvokeGetTranscript, streamInvokeChannelView,
StreamInvokeGetTextTrack, StreamInvokeGetVideo,
StreamInvokeGroupView

Microsoft Teams
MeetingParticipantDetail, MessageSent,
MessagesListed, MeetingDetail,
MessageUpdated, ChatRetrieved
MessageRead, MessageHostedContentRead,
SubscribedToMessages, MessageHostedContentsListed,
ChatCreated, ChatUpdated
MessageCreatedNotification, MessageDeletedNotification,
MessageUpdatedNotification

Microsoft Viva Engage

ThreadViewed, ThredAccessFailure,
MessageUpdated, FileAccessFailure,
MessageCreation, GroupAccessFailure

Microsoft has worked closely with CISA to identify these critical logs and include them in our Microsoft Purview Audit (Standard) license. Audit (Premium) license holders will continue to get longer default retention, broader access to export data, higher bandwidth API access, and logs enriched by Microsoft’s AI-powered intelligent insights.

Additional enhancements recently released and coming soon

In addition to the retention extension and newly available logs, we also have a number of new enhancements in Purview Audit recently released or coming soon, that will help improve your experience:

  • Audit Search Graph API: Programmatically access new async Audit Search experience for improved reliability and search completeness, through Microsoft Graph API. 
  • Granular scoping with role-based access controls: Delegate role-based permissions to users or analysts in a granular way and access role-based information with Audit search results.  
  • Audit Custom Activities Search: Admins can use the custom search bar to search for several audit log events directly. 
  • Customized retention policies (short): Customers with the 10-Year Audit Log Retention add-on for Microsoft Purview Audit (Premium) can create additional customized retention policies (7 days, 30 days, three years, five years, and seven years retention). And customers with the Audit (Premium) SKU will have additional short-term retention policies available (7 days and 30 days).
  • Customized retention policies (long): New long-term retention policies for the 10-Year Audit Log Retention add-on for Microsoft Purview Audit (Premium) (three years, five years, and seven years).

We are pleased to share today’s cloud logging update as a continuation of the thoughtful conversations we’ve had with our security experts, customers, and influential authorities like CISA. Please visit the Public roadmap to get the latest information on updates coming to Microsoft Purview Audit. 

Learn more

Learn more about Microsoft Purview Audit or sign up now for a free trial.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X, formerly known as Twitter, (@MSFTSecurity) for the latest news and updates on cybersecurity. 


1Expanding cloud logging to give customers deeper security visibility, Vasu Jakkal. July 19, 2023.

READ MORE HERE