1.7 Microsoft Purview

60–90 minutes · Module 1 · Free

Purview is not primarily a security operations tool. It is a data governance, compliance, and protection platform. But it contains critical data sources for investigations: the unified audit log, DLP alerts, and insider risk signals. It is the place you go when you need to know who accessed what data and when.

The investigation data source of last resort

When other logs do not have what you need, the unified audit log usually does. It captures activity across the entire M365 environment with up to 180 days of retention on E5. The MailItemsAccessed event is critical for determining what an attacker saw during mailbox compromise.

Unified Audit Log. The most comprehensive record of user and admin activity across M365. It captures file access, email activity, Teams conversations, SharePoint changes, admin actions, and mailbox activity. Retention is up to 180 days on E5 (90 days on E3). This is often the data source of last resort when other logs do not have what you need.

Content Search. Search across mailboxes, SharePoint sites, and Teams for specific content. Used during investigations to find what data an attacker accessed or exfiltrated.

eDiscovery. Legal hold and investigation tool. Places mailboxes and sites on hold to prevent data deletion during an investigation. Essential when an incident may lead to legal proceedings.

Data Loss Prevention (DLP). Policies that detect and prevent sharing of sensitive information — credit card numbers, national insurance numbers, health records, confidential documents. DLP alerts surface when users attempt to share sensitive data via email, Teams, SharePoint, or endpoint activity. Relevant to insider threat investigations (Module 18).

Insider Risk Management. ML-based detection of risky user behaviour patterns: data theft by departing employees, policy violations, security violations. Generates risk signals that can feed into Sentinel.

Sensitivity Labels. Classification and protection tags applied to documents and emails. They control encryption, access restrictions, and visual marking.

Audit Premium. Extended audit log retention (up to 10 years) and access to crucial audit events. The most important of these is MailItemsAccessed — a record of every time a mail item is read. This event is critical for determining what an attacker saw during a compromised mailbox investigation in the AiTM and BEC scenarios (Modules 13 and 14).
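A worked example of what an investigator actually does with this event, added for this module and not part of the course material or of any Microsoft tooling: a small Python script that reads MailItemsAccessed records in the AuditData JSON shape the unified audit log exports, separates Bind access (individual items opened) from Sync access (a whole folder synced down to a client, so every item in it has to be treated as read), and flags throttled records, which mean Exchange stopped logging further Bind events for that mailbox and the item list is known to be incomplete. The three records are constructed samples, and the attacker IP is assumed to have been attributed already from sign-in logs.

```python
"""Summarise MailItemsAccessed records from a unified audit log export.

Added example for this module, not course material or Microsoft code. It assumes
each input string is the AuditData JSON of one record, as exported from the
Purview audit search or Search-UnifiedAuditLog. The records below are constructed.
"""
import json
from collections import defaultdict


def parse_record(raw):
    """Flatten one MailItemsAccessed AuditData object into the fields an investigator needs."""
    rec = json.loads(raw)
    if rec.get("Operation") != "MailItemsAccessed":
        return None
    props = {p["Name"]: p["Value"] for p in rec.get("OperationProperties", [])}
    # Bind = individual items opened; Sync = a folder synced to a client, so every
    # item in that folder must be assumed read even though no item IDs are listed.
    access_type = props.get("MailAccessType", "Unknown")
    # IsThrottled = True means Exchange stopped recording further Bind events for
    # this mailbox in the current window, so the item list is incomplete.
    throttled = str(props.get("IsThrottled", "False")).lower() == "true"
    folders = {}
    for folder in rec.get("Folders", []):
        ids = [item["InternetMessageId"] for item in folder.get("FolderItems", [])
               if "InternetMessageId" in item]
        folders[folder.get("Path", "?")] = ids
    return {
        "time": rec.get("CreationTime"),
        "mailbox": rec.get("MailboxOwnerUPN"),
        "actor": rec.get("UserId"),
        "client_ip": rec.get("ClientIP"),
        "client": rec.get("ClientInfoString", ""),
        "session": rec.get("SessionId"),
        "access_type": access_type,
        "throttled": throttled,
        "folders": folders,
    }


def summarise_access(raw_records, mailbox, suspect_ips):
    """Answer "what did the attacker see?" for one mailbox.

    suspect_ips: client IPs already attributed to the attacker (e.g. from sign-in logs).
    Returns the items opened via Bind, the folders exposed via Sync, the sessions
    involved, and whether throttling makes the Bind list known to be incomplete.
    """
    bound_items = set()
    synced_folders = set()
    sessions = defaultdict(int)
    incomplete = False
    for raw in raw_records:
        rec = parse_record(raw)
        if rec is None or rec["mailbox"] != mailbox or rec["client_ip"] not in suspect_ips:
            continue
        sessions[(rec["client_ip"], rec["session"])] += 1
        if rec["throttled"]:
            incomplete = True
        for path, ids in rec["folders"].items():
            if rec["access_type"] == "Sync":
                synced_folders.add(path)
            else:
                bound_items.update(ids)
    return {
        "items_read": sorted(bound_items),
        "folders_synced": sorted(synced_folders),
        "sessions": dict(sessions),
        "bind_list_incomplete": incomplete,
    }


def _record(**fields):
    """Build a constructed AuditData JSON string with the common MailItemsAccessed fields."""
    base = {"Operation": "MailItemsAccessed", "ResultStatus": "Succeeded",
            "MailboxOwnerUPN": "alice@contoso.example", "UserId": "alice@contoso.example"}
    base.update(fields)
    return json.dumps(base)


# Constructed sample export: two records from the attacker's IP (one Bind, one Sync
# that was throttled) and one from the mailbox owner's usual IP, which is excluded.
SAMPLE_RECORDS = [
    _record(CreationTime="2024-03-05T09:12:41", ClientIP="198.51.100.23", SessionId="1a2b",
            ClientInfoString="Client=OWA;Action=ViaProxy",
            OperationProperties=[{"Name": "MailAccessType", "Value": "Bind"},
                                 {"Name": "IsThrottled", "Value": "False"}],
            Folders=[{"Path": "\\Inbox", "FolderItems": [
                {"InternetMessageId": "<invoice-4411@vendor.example>", "SizeInBytes": 48210},
                {"InternetMessageId": "<wire-change@vendor.example>", "SizeInBytes": 10342}]}]),
    _record(CreationTime="2024-03-05T09:14:02", ClientIP="198.51.100.23", SessionId="1a2b",
            ClientInfoString="Client=OWA;Action=ViaProxy",
            OperationProperties=[{"Name": "MailAccessType", "Value": "Sync"},
                                 {"Name": "IsThrottled", "Value": "True"}],
            Folders=[{"Path": "\\Sent Items", "FolderItems": []}]),
    _record(CreationTime="2024-03-05T10:30:55", ClientIP="203.0.113.5", SessionId="9f9f",
            ClientInfoString="Client=Outlook",
            OperationProperties=[{"Name": "MailAccessType", "Value": "Bind"},
                                 {"Name": "IsThrottled", "Value": "False"}],
            Folders=[{"Path": "\\Inbox", "FolderItems": [
                {"InternetMessageId": "<lunch-plans@contoso.example>", "SizeInBytes": 2011}]}]),
]

if __name__ == "__main__":
    summary = summarise_access(SAMPLE_RECORDS, "alice@contoso.example", {"198.51.100.23"})
    print(json.dumps({k: (v if k != "sessions" else {f"{ip}/{sid}": n for (ip, sid), n in v.items()})
                      for k, v in summary.items()}, indent=2))
```

On a real export, replace SAMPLE_RECORDS with the AuditData column of each exported row, one JSON string per record. The Sync and IsThrottled handling is the part worth carrying into the incident report: a folder exposed by Sync has to be scoped by its full contents, and a throttled session means the Bind list understates what was opened, so neither can be reported as an exact list of items read. The same OperationProperties and Folders fields are what you would query in Sentinel's OfficeActivity table.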

Key data tables

Unified audit log data is accessible via the Purview portal and via Sentinel ingestion (the OfficeActivity table). DLP alerts surface in the Defender XDR incident queue with E5 Compliance.

How it connects

Unified audit log data is ingestible into Sentinel for custom detections. DLP alerts feed into the Defender XDR incident queue. Insider risk signals can trigger Sentinel analytics rules. eDiscovery holds preserve evidence during investigations managed from any other tool. The MailItemsAccessed audit event is critical for AiTM and BEC investigations (Modules 13 and 14).

Key takeaways

  • Purview is not a security tool, but it contains critical data sources for investigations
  • The unified audit log is the most comprehensive activity record across M365
  • MailItemsAccessed (Audit Premium) tells you exactly what an attacker read in a compromised mailbox
  • eDiscovery holds preserve evidence when incidents may lead to legal proceedings
  • DLP and insider risk signals feed into Sentinel for cross-source detection

Licensing

Basic audit is included in all M365 plans (90-day retention). Audit Premium, which adds MailItemsAccessed and retention of 180 days or longer, requires M365 E5 or the E5 Compliance add-on. DLP, Insider Risk Management, and eDiscovery Premium all require M365 E5 or the E5 Compliance add-on.

Check your understanding

1. During a BEC investigation, you need to determine exactly which emails an attacker read in a compromised mailbox. Which Purview feature provides this data?

Content Search
Data Loss Prevention alerts
Audit Premium — MailItemsAccessed event

2. An incident may lead to legal proceedings. What should you do immediately to protect evidence?

Export all emails to a PST file
Place an eDiscovery hold on the affected mailboxes and SharePoint sites
Screenshot the relevant emails