Get started with activity explorer
Activity explorer allows you to monitor what's being done with your labeled content. Activity explorer provides a historical view of activities on your labeled content. The activity information is collected from the Microsoft 365 unified audit logs, transformed, and then made available in activity explorer UI. Activity explorer reports on up to 30 days worth of data.
Activity explorer gives you multiple ways to sort and view the data.
Filters
Filters are the building blocks of activity explorer, each focusing on a different dimension of the collected data. There are about 50 different individual filters available for use, some are:
- Date range
- Activity type
- Location
- Sensitivity label
- User
- Client IP
- Device name
- Is protected
To see them all, open the filter pane in activity explorer and look at the dropdown list.
Note
Filter options are generated based on the first 500 records to ensure optimal performance. This may result in some values not being displayed in the filter dropdown.
Filter sets
Activity explorer comes with predefined sets of filters to help save time when you want to focus on a specific activity. Use filter sets to quickly provide you with a view of higher level activities than individual filters do. Some of the predefined filter sets are:
- Endpoint DLP activities
- Sensitivity labelds applied, changed, or removed
- Egress activities
- DLP policies that detected activities
- Network DLP activities
- Protected Browser
You can also create and save your own filter sets by combining individual filters.
Security Copilot in activity explorer (preview)
In preview, Microsoft Security Copilot in Microsoft Purview is embedded in activity explorer. It can help efficiently drilldown into Activity data and help you identify activities, files with sensitive info, users, and additional details that are relevant to an investigation.
Important
Be sure to check the responses from Security Copilot for accuracy and completeness before taking any action based on the information provided. You can provide feedback to help improve the accuracy of the responses.
Data hunting
Security Copilot skills use of all the data available to Microsoft Purview, filters and filter sets available in activity explorer and uses machine learning to provide you with insights into the activity (sometimes referred to as data hunting) on your data that is most important to you.
- Show me the top 5 activities from the past week
- Filter and investigate activities
- Find files used in specific activities
Selecting a prompt will automatically open the Security Copilot side card and show you the results of the query. You can then further refine the query.
Natural language to filter set generation
You can use the prompt box to enter complex natural language queries to generate filter sets. For example, you can enter:
'Filter and investigate files copied to cloud with sensitive info type credit card number for past 30 days.'
Security Copilot will generate a filter set for your query. You should then review the filter to make sure it's what you want and then you can apply it to the data.
Tip
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.
Prerequisites
SKU/subscriptions licensing
Before you start using DLP policies, confirm your Microsoft 365 subscription and any add-ons.
For information on licensing, see Microsoft 365, Office 365, Enterprise Mobility + Security, and Windows 11 Subscriptions for Enterprises.
Permissions
An account must be explicitly assigned membership in any one of these role groups, or must be explicitly granted the role.
Roles and Role Groups
There are roles and role groups that you can use to fine-tune your access controls. To learn more about them, see Permissions in the Microsoft Purview compliance portal.
Microsoft Purview roles
- Information Protection Admin
- Information Protection Analyst
- Information Protection Investigator
- Information Protection Reader
Microsoft Purview Role Groups
- Information Protection
- Information Protection Admins
- Information Protection Investigators
- Information Protection Analysts
- Information Protection Readers
Microsoft 365 roles
- Compliance Admins
- Security Admins
- Compliance Data Admins
Microsoft 365 Role Groups
- Compliance Administrator
- Security Administrator
- Security Reader
Activity types
Activity explorer gathers information from the audit logs of multiple sources of activities.
Some examples of the Sensitivity label activities and Retention labeling activities from applications native to Microsoft Office, the Microsoft Information Protection client and scanner, SharePoint, Exchange (sensitivity labels only), and OneDrive include:
- Label applied
- Label changed (upgraded, downgraded, or removed)
- Autolabeling simulation
- File read
For the current list of activities listed in Activity explorer, go into Activity explorer and open the acitivity filter. The list of activities is available in the dropdown list.
Labeling activity specific to the Microsoft Information Protection client and scanner that comes into Activity explorer includes:
- Protection applied
- Protection changed
- Protection removed
- Files discovered
For more detailed information on what labeling activity makes it into Activity explorer, see Labeling events available in Activity explorer.
In addition, using Endpoint data loss prevention (DLP), activity explorer gathers DLP policy matches events from Exchange, SharePoint, OneDrive, Teams Chat and Channel, on-premises SharePoint folders and libraries, on-premises file shares, and devices running Windows 10, Windows 11, and any of the three most recent major macOS versions. Some example events gathered from Windows 10 devices include the following actions taken on files:
- Deletion
- Creation
- Copy to clipboard
- Modify
- Read
- Rename
- Copy to network share
- Access by an unallowed app
Understanding the actions that are taken on content with sensitivity labels helps you determine whether the controls that you have in place, such as Microsoft Purview Data Loss Prevention policies, are effective. If not, or if you discover something unexpected (such as a large number of items labeled highly confidential that are downgraded to general), you can manage your policies and take new actions to restrict the undesired behavior.
Note
Activity explorer doesn't currently monitor retention activities for Exchange.
Note
In case the Teams DLP verdict is reported as false positive by the user, the activity will be showing as DLP infoin the list on activity explorer. The entry will not have any rule and policy match details present but will show synthetic values. There will also be no incident report generated for false positive reporting.
Activity type events and alerts
This table lays out the events that are triggered in Activity Explorer for three sample policy configurations, depending on whether or not a policy match is detected.
| Policy configuration | Activity Explorer event triggered for this action type | Activity Explorer event triggered when a DLP rule is matched | Activity Explorer alert triggered |
|---|---|---|---|
| Policy contains a single rule allowing the activity without auditing it. | Yes | No | No |
| Policy contains two rules: Matches for Rule #1 are allowed; policy matches for Rule #2 are audited. | Yes (Rule #2 only) |
Yes (Rule #2 only) |
Yes (Rule #2 only) |
| Policy contains two rules: Matches fore both rules are allowed and not audited. | Yes | No | No |