Microsoft Purview | Audit: New logs for Standard users

Originally posted by Microsoft Jan 31, 2024 Uncategorized 0 Comments

In Microsoft Purview, new standard logs will be available for Microsoft Exchange, Microsoft SharePoint, and Microsoft Teams workloads.

This message is associated with Microsoft 365 Roadmap IDs 182259 (Exchange and SharePoint) and 182242 (Teams).

When this will happen:

Public Preview: We will begin rolling out early-March 2024 and expect to complete by mid-June 2024.

Standard Release: We will begin rolling out late June 2024 and expect to complete by mid-September 2024.

How this will affect your organization:

Microsoft Purview is expanding access to wider cloud security activity events for Exchange, Teams, and SharePoint. As part of the changes, standard users of Purview Audit will begin to generate new Exchange, Teams, and SharePoint events that were previously generated only for Audit Premium licensed users.

Here are the new standard logs:

Exchange

  • Send
  • mailitemsaccessed
  • searchqueryinitiatedexchange

SharePoint

  • searchqueryinitiatedsharepoint

Teams

  • meetingparticipantdetail
  • messagesent
  • messageslisted
  • meetingdetail
  • messageupdated
  • chatretrieved
  • messageread
  • messagehostedcontentread
  • subscribedtomessages
  • messagehostedcontentslisted
  • chatcreated
  • chatupdated
  • messagecreatednotification
  • messagedeletednotification
  • messageupdatednotification

What you need to do to prepare:

The Exchange MailItemsAccessed and send logs are enabled by default unless the mailbox’s DefaultAuditSet settings were modified. To ensure these new standard logs are generated, an admin may need to ensure the appropriate mailbox settings are enabled.

Use this command to check if a mailbox is currently using the default audit settings:

  • Get-Mailbox -Identity <MailboxIdentity>

The DefaultAuditSet property is returned by the Get-Mailbox cmdlet. A mailbox using the defaults will show the following result:

  • DefaultAuditSet : {Owner,Admin,Delegate}

If any of those values are missing, the mailbox is not using the default audit settings. To ensure the new standard Exchange logs mailitemsaccessed and Send are stored, admins will either need to make sure Audit mailboxes are configured to the default settings or add the new standard logs to each mailbox. These changes can be made in Exchange Online PowerShell:

Option 1: Reset each mailbox to the default settings using this command:

  • Set-Mailbox -Identity <MailboxIdentity> -DefaultAuditSet Admin,Delegate,Owner

Option 2: Add the new standard logs to each mailbox. This command will add (only) the new Standard logs for each mailbox, retaining any existing customization, but any future changes to the defaults will need to be added when those future logs are released:

  • Set-Mailbox -Identity <MailboxIdentity> -AuditOwner {@Add=”MailItemsAccessed”,”Send” } -AuditAdmin {@Add=”MailItemsAccessed”,”Send”} -AuditDelegate {@Add=”MailItemsAccessed”}

For more information: How Microsoft is expanding cloud logging to give customers deeper security visibility | Microsoft Security Blog

Message ID: MC711333

No comments yet

Leave a Reply

Joao Ferreira

I've been working with Microsoft Technologies over the last ten years, mainly focused on creating collaboration and productivity solutions that drive the adoption of Microsoft Modern Workplace.

%d bloggers like this: