Someone recently drew my attention to Microsoft Purview's Forensic Evidence Capturing feature under insider risk management-- powerful stuff!  But also a feature I would only want to see turned on if duly authorized.  How can I detect someone enabling this in Microsoft Sentinel?  I tried enabling/disabling it but do not see any events referencing "forensic evidence" generated anywhere.