Forum Discussion
How do I import Purview Unified Audit Log data related to the use of the Audit Log into Sentinel?
Dear Community, I would like to implement the following scenario in an environment with Microsoft 365 E5 licenses:
Scenario: I want to import audit activities into an Azure Log Analytics workspace linked to Sentinel to generate alerts/incidents as soon as a search is performed in the Microsoft 365 Purview Unified Audit Log (primarily for IRM purposes).
Challenge: Neither the "Microsoft 365" connector nor the "Defender XDR" or "Purview" connectors (which appear to be exclusively for Azure Purview) is importing the necessary data.
Question: Which connector do I have to use in order to obtain Purview Unified Audit Log activities about the use of the Purview Unified Audit Log so that I can use them to build corresponding rules in Sentinel?
Thank you!
2 Replies
The Microsoft 365 connector is what you need, see for example https://learn.microsoft.com/en-us/azure/sentinel/connect-services-api-based
There are a few additional connectors that cover Entra ID data, Defender, Information Protection and so on. It all boils down to what data you need.
- BM-HV, Copper Contributor
Thanks, VasilMichev!
The "Microsoft 365" connector was my first shot, and I'm importing data for SPO and EXO through that. However, it seems like it covers no Purview activities at all. What I need: which user conducted an audit log search, when, and with what kind of search query.
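The following KQL is an added example for readers of this thread; it is not code posted by either participant. It assumes the Microsoft 365 connector writes into the Sentinel `OfficeActivity` table with its usual `OfficeWorkload`, `RecordType`, `Operation`, `UserId`, `ClientIP` and `Parameters` columns. Because the exact operation names that represent an audit log search are not stated anywhere in the thread, the first query is a discovery step that lists what the connector actually delivers, and the operation names in the second query are placeholders to be replaced with the values that step reveals.

```kql
// Added example, not from the original thread.
// Assumes the Microsoft 365 connector populates the OfficeActivity table.

// Step 1 (discovery): which workloads, record types and operations are
// really landing in the workspace? Run this first to confirm whether
// audit-log-search events are present at all before building a rule.
OfficeActivity
| where TimeGenerated > ago(7d)
| summarize EventCount = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by OfficeWorkload, RecordType, Operation
| order by OfficeWorkload asc, EventCount desc

// Step 2 (detection): scheduled analytics-rule query that raises an alert
// whenever an audit log search is performed. The Operation values below are
// ASSUMED placeholders; replace them with the names surfaced by step 1.
let AuditSearchOps = dynamic(["<AuditLogSearchOperation>", "<AuditLogExportOperation>"]);
OfficeActivity
| where TimeGenerated > ago(1h)            // match the rule's lookback period
| where Operation in~ (AuditSearchOps)
| project TimeGenerated, UserId, ClientIP, OfficeWorkload, RecordType, Operation,
          SearchDetails = Parameters        // raw parameters carry the search criteria
| order by TimeGenerated desc
```

If step 1 returns no rows for audit-log-search operations, the connector is not forwarding that event type into `OfficeActivity`, which matches the observation in the thread, and the detection query in step 2 will never fire regardless of how it is written; the discovery query is therefore the first check to run before investing in rule logic.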