Supervision Policies, Keywords Report

%3CLINGO-SUB%20id%3D%22lingo-sub-1617088%22%20slang%3D%22en-US%22%3ESupervision%20Policies%2C%20Keywords%20Report%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1617088%22%20slang%3D%22en-US%22%3E%3CP%3EHey%20Team%2C%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDoes%20anyone%20know%20how%20I%20can%20generate%20a%20report%20on%20%3CSTRONG%3ESupervisionPolicyHitKeywords%3C%2FSTRONG%3E%3F%20We%20have%20several%20supervision%20policies%20that%20have%20been%20configured%20in%20the%20security%20and%20compliance%20center%20and%20I%20would%20like%20to%20be%20able%20to%20provide%20a%20report%20on%20which%20keywords%20are%20being%20hit%2C%20and%20the%20frequency%2C%20count.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20tried%20using%20unified%20audit%20log%2C%20and%20that%20shows%20everything%20but%20the%20keywords%20themselves.%20Also%20Graph%20API%20Doesnt%20seem%20to%20offer%20any%20solutions.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%2C%26nbsp%3B%3C%2FP%3E%3CP%3E%3CBR%20%2F%3ERobert%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F64%22%20target%3D%22_blank%22%3E%40Tony%20Redmond%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1617088%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAdmin%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EeDiscovery%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1619382%22%20slang%3D%22en-US%22%3ERe%3A%20Supervision%20Policies%2C%20Keywords%20Report%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1619382%22%20slang%3D%22en-US%22%3E%3CP%3ENot%20sure%20I've%20ever%20seen%20report%20by%20keywords.%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F67%22%20target%3D%22_blank%22%3E%40Christophe%20Fiessinger%3C%2FA%3E%20might%20be%20able%20to%20prove%20me%20wrong%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1619713%22%20slang%3D%22en-US%22%3ERe%3A%20Supervision%20Policies%2C%20Keywords%20Report%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1619713%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F58%22%20target%3D%22_blank%22%3E%40Vasil%20Michev%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20Vasil.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20tried%20using%20this%20command%20here%3A%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESearch-UnifiedAuditLog%20-StartDate%2008%2F21%2F2020%20-EndDate%2008%2F23%2F2020%20-RecordType%20ComplianceSupervisionExchange%20-Operations%20SupervisionRuleMatch%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt%20works%20in%20that%20it%20shows%20the%20policy%20hit%20but%20not%20the%20keyword%20hit.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERobert%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1623674%22%20slang%3D%22en-US%22%3ERe%3A%20Supervision%20Policies%2C%20Keywords%20Report%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1623674%22%20slang%3D%22en-US%22%3E%3CP%3EHey%20Guys%2C%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20updates%3F%20I%20was%20hoping%20someone%20might%20be%20able%20to%20help%20me%20out%20with%20this%20commad%2Frequest%2Freport.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%2C%26nbsp%3B%3C%2FP%3E%3CP%3E%3CBR%20%2F%3ERobert%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1623820%22%20slang%3D%22en-US%22%3ERe%3A%20Supervision%20Policies%2C%20Keywords%20Report%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1623820%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F115883%22%20target%3D%22_blank%22%3E%40Robert%20Bollinger%3C%2FA%3E%26nbsp%3Bgreat%20to%20hear%20you%20are%20using%20Communication%20Compliance.%20We%20don't%20provide%20an%20API%20nor%20the%20Audit%20logs%20will%20help%20get%20count%20of%20keywords%20match%20today.%20We%20do%20plan%20to%20deliver%20such%20report%20around%20October%20timeframe.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1624179%22%20slang%3D%22en-US%22%3ERe%3A%20Supervision%20Policies%2C%20Keywords%20Report%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1624179%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F67%22%20target%3D%22_blank%22%3E%40Christophe%20Fiessinger%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20Christophe.%20Yes%20we%20are%20using%20it%20extensively%2C%20on%20a%2020K%20seat%20tenant%2C%20but%20monitoring%20about%20240%20or%20so%20users%20as%20part%20of%20a%20group.%20We're%20utilizing%20RegEx%20Expressions%20to%20to%20capture%20data%20based%20on%20multiple%20conditions.%20(Support%20had%20to%20help%20out%20here%2C%20and%20they%20did!!).%20AS%20well%20as%20Keyword%20based%20reporting.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDo%20you%20know%20of%20a%20way%20to%20a%20report%20of%20user%20activity%20on%20messages%3F%20For%20Example%2C%20if%20a%20user%20reviewed%2010%20messages%2C%20that%20were%20pending%20as%20part%20of%20a%20policy%2C%20can%20we%20report%20on%20the%20actions%20those%20users%20took%3F%20Such%20as%20Escalate%20for%20Investigation%2C%20Tag%20As%2C%20False%20Positive%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%2C%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERobert%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1625734%22%20slang%3D%22en-US%22%3ERe%3A%20Supervision%20Policies%2C%20Keywords%20Report%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1625734%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F115883%22%20target%3D%22_blank%22%3E%40Robert%20Bollinger%3C%2FA%3E%26nbsp%3Bwe%20are%20getting%20ready%20to%20rollout%20new%20reports%20that%20will%20help%2C%20just%20sent%20you%20a%20private%20message%20with%20my%20contact%20info%20to%20follow-up.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

Hey Team, 

 

Does anyone know how I can generate a report on SupervisionPolicyHitKeywords? We have several supervision policies that have been configured in the security and compliance center and I would like to be able to provide a report on which keywords are being hit, and the frequency, count. 

 

I have tried using unified audit log, and that shows everything but the keywords themselves. Also Graph API Doesnt seem to offer any solutions. 

 

Thanks, 


Robert 

@Vasil Michev @Tony Redmond 

6 Replies

Not sure I've ever seen report by keywords. @Christophe Fiessinger might be able to prove me wrong :)

@Vasil Michev 

Thanks Vasil. 

 

I tried using this command here: 

 

Search-UnifiedAuditLog -StartDate 08/21/2020 -EndDate 08/23/2020 -RecordType ComplianceSupervisionExchange -Operations SupervisionRuleMatch

 

It works in that it shows the policy hit but not the keyword hit. 

 

Robert 

Hey Guys, 

 

Any updates? I was hoping someone might be able to help me out with this commad/request/report. 

 

Thanks, 


Robert 

@Robert Bollinger great to hear you are using Communication Compliance. We don't provide an API nor the Audit logs will help get count of keywords match today. We do plan to deliver such report around October timeframe.

@Christophe Fiessinger 

 

Thanks Christophe. Yes we are using it extensively, on a 20K seat tenant, but monitoring about 240 or so users as part of a group. We're utilizing RegEx Expressions to to capture data based on multiple conditions. (Support had to help out here, and they did!!). AS well as Keyword based reporting. 

 

Do you know of a way to a report of user activity on messages? For Example, if a user reviewed 10 messages, that were pending as part of a policy, can we report on the actions those users took? Such as Escalate for Investigation, Tag As, False Positive? 

 

Thanks, 

 

Robert 

@Robert Bollinger we are getting ready to rollout new reports that will help, just sent you a private message with my contact info to follow-up.