Enable all auditable events

The defaults are better than they used to be, but you can still do better.

You likely aren’t collecting all available events to the Unified Audit Log :(

First, not all events are enabled or retained optimally. Consider creating this policy in the Purview portal (leave users and record types blank to collect everything). Retention is based on license…

This policy only applies to users with the Microsoft 365 Advanced Audit SKU assigned; their audit records are retained for 1 year. Audit records for users without this SKU are retained for 180 days (thanks CISA for the bump up from 90 days!).

Second, this still doesn’t get everything. Next, we have to enable all the records for mailbox auditing.

But wait, Microsoft totally pinky promises that you don’t need to manage these records because they enable them for you:

Reference: https://learn.microsoft.com/en-us/purview/audit-mailboxes

It would be nice if they actually enabled everything, but they don’t :-/

Even their own documentation states that you have to go modify these records to include SearchQueryInitiated:

Reference: https://learn.microsoft.com/en-us/purview/audit-get-started#step-3-enable-searchqueryinitiated-events

And that’s a bummer, because once we modify audit records from the default, we no longer inherit new ones automatically.

So now we’re on the hook… And if we’re going to manage them, we may as well include everything we can, right?

Here you can see everything versus the default set, and it’s quite obvious we’re missing just a few :-/
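To see which mailboxes are still on Microsoft’s default set and which are missing SearchQueryInitiated, here is an added check-and-remediate snippet (my example, not the Enable-AdvancedAuditing.ps1 script linked below). It assumes the ExchangeOnlineManagement module is loaded and Connect-ExchangeOnline has already been run; the $RequiredOwner list is just a starting point.

```powershell
# Added example, not the author's script. Assumes Connect-ExchangeOnline was run
# with an account that can read and set mailbox properties.

# Owner actions we require beyond the defaults. SearchQueryInitiated is the one
# Microsoft's own docs say you must add yourself; extend this list as needed.
$RequiredOwner = @('SearchQueryInitiated')

$Report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox) {
    $missingOwner = $RequiredOwner | Where-Object { $mbx.AuditOwner -notcontains $_ }
    [pscustomobject]@{
        Mailbox      = $mbx.UserPrincipalName
        AuditEnabled = $mbx.AuditEnabled
        # DefaultAuditSet lists which logon types (Admin/Delegate/Owner) still
        # follow Microsoft's default set. Once you customise a logon type it drops
        # out of this list and stops inheriting new default actions automatically.
        OnDefaultSet = ($mbx.DefaultAuditSet -join ',')
        MissingOwner = ($missingOwner -join ',')
    }
}

# Mailboxes that still need attention: auditing off, or required actions absent.
$Report | Where-Object { -not $_.AuditEnabled -or $_.MissingOwner } | Format-Table -AutoSize

# Remediate: @{Add=...} appends only the missing actions and keeps what is already set.
# Drop -WhatIf once the report above looks right.
foreach ($row in $Report | Where-Object { $_.MissingOwner }) {
    $toAdd = $row.MissingOwner -split ','
    Set-Mailbox -Identity $row.Mailbox -AuditEnabled $true -AuditOwner @{Add = $toAdd} -WhatIf
}
```

Run the report on a schedule (Azure Automation works well) so newly created mailboxes are caught before they sit on the default set for long.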

Anyway, I’ve long maintained a script to help enable these records: https://github.com/nathanmcnulty/nathanmcnulty/blob/master/ExchangeOnline/Enable-AdvancedAuditing.ps1

I highly recommend using Azure Automation or similar to ensure all new mailboxes are getting the correct records applied as well. And thanks to @InvictusIR and @allthingssec.bsyk.social for the nudge to review and document all of this again :)

This was shared on the following social media platforms in case you would like to see any questions or comments that were made:

https://www.linkedin.com/posts/activity-7287153708352618496-6b13?utm_source=share&utm_medium=member_desktop


Also posted by Nathan McNulty (@nathanmcnulty.com), January 20, 2025 at 8:06 AM