Forum Discussion
How do I import Purview Unified Audit Log data related to the use of the Audit Log into Sentinel?
Dear Community, I would like to implement the following scenario in an environment with Microsoft 365 E5 licenses:
Scenario: I want to import audit activities into an Azure Log Analytics workspace linked to Sentinel to generate alerts/incidents as soon as a search is performed in the Microsoft 365 Purview Unified Audit Log (primarily for IRM purposes).
Challenge: Neither the "Microsoft 365" connector, nor the "Defender XDR" or "Purview" connectors (which appear to be exclusively Azure Purview) are importing the necessary data.
Question: Which connector do I have to use in order to obtain Purview Unified Audit Log activities about the use of the Purview Unified Audit Log so that I can use them to build corresponding rules in Sentinel?
Thank you!
1 Reply
The Microsoft 365 connector is what you need; see, for example, https://learn.microsoft.com/en-us/azure/sentinel/connect-services-api-based
There are a few additional connectors that cover Entra ID data, Defender, Information Protection and so on. It all boils down to what data you need.