SC-401 - Audit and Alerts
Audit Overview
Microsoft Purview Audit provides a unified audit log that captures user and admin activities across Microsoft 365 services. It enables security investigations, compliance reporting, and forensic analysis of what happened, when, and by whom in your Microsoft 365 environment.
Audit log captures activities across:
- Exchange Online (email access, mailbox changes, admin operations)
- SharePoint Online and OneDrive (file access, sharing, permissions changes)
- Microsoft Teams (channel messages, meeting creation, app additions)
- Azure Active Directory / Microsoft Entra ID (sign-ins, role changes, app registrations)
- Microsoft 365 Defender portal (alert actions, policy changes)
- Microsoft Purview (DLP matches, label activities, eDiscovery actions)
- Power BI, Power Platform, Dynamics 365
Audit (Standard)
Audit (Standard) is the base tier available with Microsoft 365 E3/Business Premium and above.
| Attribute | Audit (Standard) |
|---|---|
| License | Included with Microsoft 365 E3, Business Premium, standalone Exchange Online Plan 2 |
| Default retention | 180 days (updated from 90 days; applies to E3 and higher) |
| Events logged | Thousands of activity types across Microsoft 365 services |
| Search interface | Purview compliance portal - Audit search |
| Export | CSV export of up to 50,000 records per search |
| API access | Office 365 Management Activity API |
Key Standard activities available: FileAccessed, FileModified, FileMoved, FileShared, FileDeleted, Sent (Exchange), MailboxLogin, UserLoggedIn, AddMember (Groups), and hundreds more.
Audit Log Retention Policies
Audit (Premium) allows creating custom audit log retention policies to retain specific audit records for longer than the default period, or to retain records for specific workloads, users, or activity types.
Retention Policy Configuration
| Setting | Options |
|---|---|
| Record type | Target specific workloads (Exchange, SharePoint, AzureAD, Teams, etc.) or all record types |
| Activity | Target specific activities within the workload (e.g., only MailItemsAccessed) or all activities |
| Users | Apply to all users or specific users |
| Retention duration | 3 months, 6 months, 1 year, 3 years, 5 years, or 10 years (10-year requires add-on license) |
| Priority | Lower number = higher priority when multiple policies match the same record |
Default Policy Behavior
Audit (Premium) includes a built-in default retention policy covering all activities for Premium-licensed users:
- Users with E5 or Compliance add-on: 1-year default retention
- Users with only E3: 180-day retention (Standard tier)
- Custom policies override the default for matching records
Searching and Exporting Audit Logs
Using Audit Search in the Purview Portal
- Navigate to Microsoft Purview compliance portal - Audit
- Set the date range (up to 90 days per search for Standard; 1 year or more for Premium)
- Optionally filter by: Activities (specific event types), Users, File/folder/site, IP address, Record type
- Click Search and wait for results (large searches may take minutes)
- Export results to CSV for offline analysis (up to 50,000 records per export)
Audit Search via PowerShell
For programmatic access and searches returning more than 50,000 records, use Exchange Online PowerShell:
- `Search-UnifiedAuditLog` - search the audit log with filtering by date, operations, and users
- Use `-ResultSize` and pagination via `-SessionId` and `-SessionCommand ReturnLargeSet` for large result sets
- Use the Office 365 Management Activity API for SIEM integration (Microsoft Sentinel, Splunk, etc.)
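The paging pattern described above, as an added example that is not part of the original notes: it pulls a week of SharePoint/OneDrive download and anonymous-link events through `Search-UnifiedAuditLog` in 5,000-record pages, de-duplicates them, expands the `AuditData` JSON and writes the result to CSV. It assumes `Connect-ExchangeOnline` has already been run with an account holding the Audit Logs role; the date range, operation list and output path are constructed values.

```powershell
# Added example, not from the original notes. Assumes Connect-ExchangeOnline is done.
# Date range, operation list and output path are constructed for this example.
$start   = (Get-Date).AddDays(-7)
$end     = Get-Date
$ops     = @('FileDownloaded', 'FileSyncDownloadedFull', 'AnonymousLinkCreated')
$session = 'audit-' + [guid]::NewGuid().ToString()   # any unique string names the paging session
$out     = Join-Path $env:TEMP 'audit-export.csv'

# ReturnLargeSet keeps handing back the next page for the same SessionId until nothing is left.
$records = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops `
              -SessionId $session -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $records += $page }
} while ($page)

# Large-set paging can return a record twice; Identity is unique per audit record.
$records = $records | Sort-Object Identity -Unique

# The investigator-relevant fields live inside the AuditData JSON string.
$expanded = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        CreationDate = $r.CreationDate
        User         = $r.UserIds
        Operation    = $r.Operations
        RecordType   = $r.RecordType
        ClientIP     = $d.ClientIP
        ObjectId     = $d.ObjectId      # path of the file, folder or site that was touched
        Workload     = $d.Workload
    }
}

# First-pass triage views: who did what, and from which addresses.
$expanded | Group-Object User, Operation | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$expanded | Group-Object ClientIP | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

# Full set to CSV; PowerShell is not bound by the portal's 50,000-record export cap.
$expanded | Export-Csv -Path $out -NoTypeInformation -Encoding UTF8
Write-Host "Exported $($expanded.Count) records to $out"
```

A single session is limited to 50,000 records in total; for larger pulls, split the date range into smaller windows and run one session per window, or move the integration to the Management Activity API feed into a SIEM.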
Required Roles for Audit Search
To search audit logs, users need one of:
- Audit Logs role in Microsoft Purview compliance portal (can search and export)
- View-Only Audit Logs role (can search and view, but not export in all cases)
- Global Administrator and Compliance Administrator have the Audit Logs role by default
DLP Alerts
DLP policies can be configured to generate alerts when policy rules are matched, enabling active monitoring and incident response for data protection violations.
DLP Alert Configuration
Within each DLP policy rule, configure incident reports and alerts:
- Alert every time a rule matches: Generates individual alerts for each match event (can create high volume for active policies)
- Aggregate events into a single alert: Groups multiple matches within a time window into one alert (reduces alert fatigue)
- Alert threshold: Set minimum activity count before alert triggers
- Severity level: Low, Medium, High - used for prioritization in alert dashboards
- Email notifications: Send incident reports to specified email addresses when rule matches
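The alert settings listed above expressed as a DLP rule created from Security & Compliance PowerShell, as an added example that is not part of the original notes. It assumes `Connect-IPPSSession` has already been run and that the named DLP policy exists; the policy name, mailbox and thresholds are constructed values. The `-AlertProperties` hashtable keys (aggregation type, threshold, time window) are an assumption about the cmdlet's parameter documentation; confirm them with `Get-Help New-DlpComplianceRule -Parameter AlertProperties` before relying on them.

```powershell
# Added example, not from the original notes. Assumes Connect-IPPSSession is done and the
# policy below already exists. Policy name, recipients and thresholds are constructed.
$policyName = 'Finance Data Protection'
$secOps     = 'secops@contoso.example'   # receives alerts and incident reports

New-DlpComplianceRule -Name 'Credit cards shared externally' -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{ Name = 'Credit Card Number'; minCount = '1' }) `
    -AccessScope NotInOrganization `
    -ReportSeverityLevel High `
    -GenerateAlert $secOps `
    -GenerateIncidentReport $secOps `
    -IncidentReportContent Title, DocumentAuthor, DocumentLastModifier, MatchedItem, RulesMatched, Service, Severity `
    -AlertProperties @{ AggregationType = 'SimpleAggregation'; Threshold = 5; TimeWindow = 60 }
    # AlertProperties keys are an assumption: one alert per 5+ matches in a 60-minute window
    # instead of one alert per match, which is the "aggregate events" option in the portal.

# Verify what was actually stored before trusting the alert pipeline.
Get-DlpComplianceRule -Identity 'Credit cards shared externally' |
    Select-Object Name, ReportSeverityLevel, GenerateAlert, GenerateIncidentReport
```

Choosing aggregation with a threshold keeps a noisy rule from flooding the DLP Alerts dashboard, while the incident report still records every matched item for the investigator.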
DLP Alerts Dashboard
The DLP Alerts dashboard in the Purview compliance portal shows all DLP alert events with:
- Alert severity and status (Active, Investigating, Resolved, Dismissed)
- Activity details: which rule matched, user, file/message details, timestamp
- Evidence details: matched content with highlighted sensitive information
- User activity history: other recent DLP matches for the same user
- Case creation: ability to create an eDiscovery case directly from the DLP alert for further investigation
Defender XDR Alerts
Microsoft Defender XDR (Extended Detection and Response) consolidates security alerts from multiple Microsoft security products into unified incidents. For SC-401, key alert types include:
| Alert Source | Relevant Alert Types |
|---|---|
| Microsoft Purview DLP | DLP policy match alerts: sensitive data sharing, mass download, external exposure of labeled content |
| Defender for Cloud Apps | Impossible travel, mass download, file shared with too many users, ransomware activity |
| Defender for Endpoint | Possible sensitive data exfiltration, USB device usage, anomalous file access |
| Defender for Identity | Credential theft, lateral movement, privileged account activities |
| Entra ID Protection | Risky sign-in, leaked credentials, anonymous IP sign-in |
Investigating Data-Related Incidents in Defender XDR
When a DLP alert or MDCA data alert becomes a Defender XDR incident:
- The incident appears in Defender XDR Incidents queue with affected users, assets, and evidence
- Related alerts from other products (e.g., Entra risky sign-in + DLP violation by same user) are automatically correlated
- Advanced Hunting (KQL queries) can correlate audit events, DLP events, and endpoint signals for deep investigation
- Automated investigation and response (AIR) may suggest or automatically take remediation actions
Content Search and eDiscovery
Content Search and eDiscovery tools allow searching across Microsoft 365 content for legal holds, investigations, and regulatory requests.
Tool Comparison
| Tool | Structure | Capabilities | License |
|---|---|---|---|
| Content Search | Standalone search, no case structure | Search Exchange, SharePoint, OD, Teams; preview; export | E3 and above |
| eDiscovery (Standard) | Case-based organization; holds | Content Search + legal hold management + case access control | E3 and above |
| eDiscovery (Premium) | Full case management with custodians | Standard + custodian management, review sets, advanced analytics (near-duplicate, threading, themes, predictive coding) | E5 or Compliance add-on |
KQL in Content Search
Content Search supports Keyword Query Language (KQL) for precise targeting:
- `subject:"Project X"` - search by email subject
- `from:user@company.com` - search by sender
- `sent:2023-01-01..2024-01-01` - date range filter
- `kind:email AND confidential` - content type plus keyword
- `SensitivityLabel:"Highly Confidential"` - search by sensitivity label
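The same KQL operators driving a Content Search from Security & Compliance PowerShell, as an added example that is not part of the original notes. It assumes `Connect-IPPSSession` has already been run with an eDiscovery-capable role; the search name, mailbox and query terms are constructed values.

```powershell
# Added example, not from the original notes. Assumes Connect-IPPSSession is done.
# Search name, mailbox and query terms are constructed for this example.
$name  = 'ProjectX-Confidential-2023'
$query = '(subject:"Project X" AND sent:2023-01-01..2024-01-01 AND kind:email AND confidential) ' +
         'OR SensitivityLabel:"Highly Confidential"'

# One mailbox plus every SharePoint/OneDrive site; the label clause only matters for the sites.
New-ComplianceSearch -Name $name -ExchangeLocation 'finance@contoso.example' `
    -SharePointLocation All -ContentMatchQuery $query
Start-ComplianceSearch -Identity $name

# Poll until the estimate is ready, then review the hit count before any export is considered.
do {
    Start-Sleep -Seconds 15
    $s = Get-ComplianceSearch -Identity $name
} while ($s.Status -ne 'Completed')

'{0}: {1} items, {2} bytes' -f $s.Name, $s.Items, $s.Size
$s.SuccessResults   # per-location breakdown of where the hits were found
```

Reviewing the estimate first is the usual discipline: a query that matches far more than expected (for example because `confidential` is a common word) is narrowed with additional operators before anyone exports content.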