Summary
This module explored the key functionality in Microsoft Purview Audit (Premium). Audit (Premium) builds on the capabilities of Audit (Standard). It does so by providing audit log retention policies, longer retention of audit records, high-value crucial events, and higher bandwidth access to the Office 365 Management Activity API.
The module began by examining the setup requirements for Audit (Premium). Setup is basically a matter of maintaining proper organization subscriptions and user licensing. You then reviewed the primary differences between Audit (Standard) and Audit (Premium). You learned that one of the key features of Audit (Premium) is that it can help organizations conduct forensic and compliance investigations by providing access to important events, such as:
- when mail items were accessed.
- when mail items were replied to and forwarded.
- when and what a user searched for in Exchange Online and SharePoint Online.
These events can help organizations investigate possible breaches and determine the scope of compromise.
The module then examined how to implement Audit (Premium). You reviewed the following steps that make up this workflow:
- Set up Audit (Premium) for users.
- Enable logging of crucial events.
- Create audit log retention policies.
- Perform forensic investigations.
The module concluded by focusing on the final two activities in this workflow: setting up audit log retention policies and performing investigations of compromised accounts.
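To make the "scope of compromise" step concrete, the following added example (not part of the original module) summarizes which mail a suspect session could have read from exported audit records. The sample records are constructed, the field names are an assumption based on the MailItemsAccessed record layout, and the suspect IP address is whatever the investigator has already identified.

```python
# Constructed AuditData records (not real tenant data). Field names are an
# assumption based on the MailItemsAccessed audit record layout.
USER, BAD_IP = "alex@contoso.example", "203.0.113.7"

def access(ip, kind, **body):
    """Build one constructed MailItemsAccessed record for the sample set."""
    props = [{"Name": "MailAccessType", "Value": kind},
             {"Name": "IsThrottled", "Value": "False"}]
    return {"Operation": "MailItemsAccessed", "UserId": USER,
            "ClientIPAddress": ip, "OperationProperties": props, **body}

def inbox(*ids):
    return [{"Path": "\\Inbox",
             "FolderItems": [{"InternetMessageId": i} for i in ids]}]

SAMPLE_RECORDS = [
    access(BAD_IP, "Bind", Folders=inbox("<m1@contoso.example>", "<m2@contoso.example>")),
    access(BAD_IP, "Sync", Item={"ParentFolder": {"Path": "\\Sent Items"}}),
    # The user's usual address: not part of the suspect session.
    access("198.51.100.20", "Bind", Folders=inbox("<m3@contoso.example>")),
    {"Operation": "Send", "UserId": USER, "ClientIPAddress": BAD_IP},
]

def scope_compromise(records, user, suspect_ips):
    """Summarise what mail a suspect session could have read for one user."""
    scope = {"messages": set(), "synced_folders": set(), "throttled": False}
    for rec in records:
        if (rec.get("Operation") != "MailItemsAccessed"
                or rec.get("UserId", "").lower() != user.lower()
                or rec.get("ClientIPAddress") not in suspect_ips):
            continue
        props = {p["Name"]: p["Value"] for p in rec.get("OperationProperties", [])}
        # Throttled auditing drops records, so the result is only a lower bound.
        scope["throttled"] |= props.get("IsThrottled", "False").lower() == "true"
        if props.get("MailAccessType") == "Sync":
            # A sync downloads the folder: treat every item in it as exposed.
            folder = rec.get("Item", {}).get("ParentFolder", {})
            scope["synced_folders"].add(folder.get("Path"))
        else:
            for folder in rec.get("Folders", []):
                scope["messages"].update(
                    item["InternetMessageId"] for item in folder.get("FolderItems", []))
    return scope

if __name__ == "__main__":
    print(scope_compromise(SAMPLE_RECORDS, USER, {BAD_IP}))
```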