Microsoft Purview Audit: longer retention period and other updates

Microsoft Purview Audit logs have come a long way in the past year or so.

They play an increasing role in tracking down security threats, conducting investigations and maintaining compliance with regulations.

Recently, there was a major hack in which an attacker used a stolen Microsoft account key to gain access to email accounts in several organizations, including government agencies. As part of its response, Microsoft is updating the Purview Audit logs to help customers protect their systems.

Despite the concerning security incident, better audit logs are welcome updates to help boost security.

What is Purview Audit?

Microsoft Purview Audit is a tool that provides crucial event data on the Microsoft 365 platforms to help administrators investigate possible security breaches and determine the scope of compromise. It also helps administrators visualize cloud log data across their organization.

There are thousands of user and admin activities that happen across the various Microsoft 365 apps, and these are recorded and retained in Purview Audit Logs.

Administrators can search the logs from the Microsoft Purview compliance portal by selecting Audit in the navigation:

The search experience in Microsoft Purview Audit

There are two standard license options for audit logs:

  • Purview Audit (Standard) – comes with E3 licenses

  • Purview Audit (Premium) – comes with E5 licenses or with a separate Compliance add-on

Retention period will double

Today, with a standard license, audit logs are kept for 90 days.

Premium licenses such as E5 give customers the option to keep audit logs for up to 10 years.

With the update coming in September 2023, Microsoft 365 customers on a standard license will get a 180-day retention period. This is double the previous default!

This will allow customers to do more thorough investigations, spot longer-running patterns and identify threats they may not have noticed before.


Looking for even longer retention periods on audit logs? Check out Gravity Union’s cost-effective tool for keeping logs for years: Gravity MOAT.


More activities in the Purview Audit log

In addition to the longer retention period, organizations will get about 30 additional activities in the log. These were previously only available with Microsoft Purview Audit (Premium).

These activities should help organizations detect threats more effectively and take action on more possible incidents.

Here’s a sampling of the new events that will be available (source):

For Exchange:

  • MailItemsAccessed

  • SearchQueryInitiatedExchange

  • Send

For SharePoint:

  • SearchQueryInitiatedSharepoint

For Teams:

  • MessageSent

  • MessagesListed

  • ChatRetrieved

  • MessageRead

  • MeetingDetail

  • MeetingParticipantDetail

  • …and more

There are more events that will be available for Teams, Viva Engage (Yammer) and Stream than we’ve listed here. The most useful one for security threats initially will be the more detailed Exchange actions – admins can now see if bad actors sent email, accessed emails and what they searched for.
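As an added illustration (not code from the original post or from Microsoft), here is a small Python script that summarizes constructed sample audit records for the three Exchange operations listed above, and shows which records a 180-day retention window keeps that a 90-day window would already have purged. The record field names (CreationTime, Workload, Operation, UserId, QueryText) are assumed to match exported audit JSON and should be checked against your tenant's actual output.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in the shape of Purview Audit "AuditData" entries
# (field names are assumed; verify them against your tenant's exported JSON).
SAMPLE_RECORDS = [
    {"CreationTime": "2023-05-01T08:02:11", "Workload": "Exchange", "Operation": "MailItemsAccessed", "UserId": "alice@contoso.example"},
    {"CreationTime": "2023-05-01T08:03:40", "Workload": "Exchange", "Operation": "SearchQueryInitiatedExchange", "UserId": "alice@contoso.example", "QueryText": "password reset"},
    {"CreationTime": "2023-05-01T08:05:02", "Workload": "Exchange", "Operation": "Send", "UserId": "alice@contoso.example"},
    {"CreationTime": "2023-07-20T13:15:00", "Workload": "Exchange", "Operation": "MailItemsAccessed", "UserId": "bob@contoso.example"},
    {"CreationTime": "2023-07-20T13:16:30", "Workload": "SharePoint", "Operation": "SearchQueryInitiatedSharepoint", "UserId": "bob@contoso.example", "QueryText": "budget"},
    {"CreationTime": "2023-07-21T09:00:00", "Workload": "Exchange", "Operation": "SearchQueryInitiatedExchange", "UserId": "bob@contoso.example", "QueryText": "invoice"},
]
# The three Exchange operations the post lists as newly available on the standard license.
EXCHANGE_OPS = {"MailItemsAccessed", "SearchQueryInitiatedExchange", "Send"}
# Fixed "current date" for the constructed data so the retention comparison is reproducible.
NOW = datetime(2023, 9, 1)

def summarize_exchange_activity(records):
    """Per-user counts of mail accessed / sent, plus the Exchange search text seen."""
    summary = defaultdict(lambda: {"accessed": 0, "sent": 0, "searches": []})
    for r in records:
        if r.get("Workload") != "Exchange" or r.get("Operation") not in EXCHANGE_OPS:
            continue  # other workloads (e.g. SharePoint search) are out of scope here
        entry = summary[r["UserId"]]
        if r["Operation"] == "MailItemsAccessed":
            entry["accessed"] += 1
        elif r["Operation"] == "Send":
            entry["sent"] += 1
        else:
            entry["searches"].append(r.get("QueryText", ""))
    return dict(summary)

def records_gained_by_longer_retention(records, now=NOW, old_days=90, new_days=180):
    """Records older than the old window but inside the new one: events that a
    180-day retention still holds but a 90-day retention would already have purged."""
    old_cutoff = now - timedelta(days=old_days)
    new_cutoff = now - timedelta(days=new_days)
    gained = []
    for r in records:
        ts = datetime.fromisoformat(r["CreationTime"])
        if new_cutoff <= ts < old_cutoff:
            gained.append(r)
    return gained

if __name__ == "__main__":
    for user, s in summarize_exchange_activity(SAMPLE_RECORDS).items():
        print(user, s)
    print(len(records_gained_by_longer_retention(SAMPLE_RECORDS)), "records only visible with 180-day retention")
```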

The US Cybersecurity and Infrastructure Security Agency (CISA) has been in discussion with Microsoft to make more detailed logs available, and it looks like they are supportive of the changes:

After working collaboratively for over a year, I am extremely pleased with Microsoft’s decision to make necessary log types available to the broader cybersecurity community at no additional cost.
— CISA Director Jen Easterly

Do you still need Purview Audit (Premium)?

The Premium Audit experience will still be differentiated and useful to some organizations – especially highly regulated ones. Microsoft says that Purview Audit Premium provides "longer default retention periods and automation support for importing log data into other tools for analysis."

With either license though, this is a security win for customers!

Learn more

Microsoft’s announcement: How Microsoft is expanding cloud logging to give customers deeper security visibility, Accessed July 25, 2023

CISA’s announcement: When Tech Vendors Make Important Logging Info Available for Free, Everyone Wins, Accessed July 25, 2023



Jas Shukla

Jas has over 15 years of experience in consulting, user experience design, and product management. Jas partners with clients on the strategic vision, user experience, requirements and the information architecture to ensure solutions meet both business and end-user needs.
