Forum Discussion
Missing activity names from Audit Log documentation
Hello underQ,
I agree that this can be frustrating, especially when you're trying to build reliable monitoring or automation around audit events. One approach I've found helpful is to generate the activity yourself in a test tenant and immediately query the Microsoft Purview Audit logs or Microsoft Graph Audit Logs API to capture the exact Operation value. While it's not ideal, it's often the quickest way to validate undocumented or newly introduced activities. Another option is to stream audit logs into Microsoft Sentinel, Log Analytics, or a SIEM and maintain an internal lookup of observed operation names. In larger environments, that tends to become more reliable than relying solely on the published documentation, especially since new workloads and audit events are introduced regularly.
I do agree it would be beneficial if Microsoft maintained a more comprehensive and continuously updated catalog of audit activity names, particularly for organizations that depend on these values for compliance reporting, alerting, and automation.