Introduction

This module explores the key functionality in Microsoft Purview Audit (Premium). Audit (Premium) builds on the capabilities of Audit (Standard). It does so by providing audit log retention policies, longer retention of audit records, high-value crucial events, and higher bandwidth access to the Office 365 Management Activity API.

The module begins by examining the setup requirements for Audit (Premium). Setup is mainly a matter of maintaining the proper organization subscriptions and user licensing. You'll then review the primary differences between Audit (Standard) and Audit (Premium). A key feature of Audit (Premium) is that it helps organizations conduct forensic and compliance investigations by providing access to important events, such as:

  • when mail items were accessed.
  • when mail items were replied to and forwarded.
  • when and what a user searched for in Exchange Online and SharePoint Online.

These events can help organizations investigate possible breaches and determine the scope of compromise.

The module then examines how to implement Audit (Premium). You'll review the following steps that make up this workflow:

  1. Set up Audit (Premium) for users.
  2. Enable logging of crucial events.
  3. Create audit log retention policies.
  4. Perform forensic investigations.

The module then focuses on the final two activities in this workflow: setting up audit log retention policies and performing investigations of compromised accounts.

After completing this module, you'll be able to:

  • Describe the differences between Audit (Standard) and Audit (Premium).
  • Set up and implement Microsoft Purview Audit (Premium).
  • Create audit log retention policies.
  • Perform forensic investigations of compromised user accounts.