Size of the Microsoft Purview Audit Log for sizing SIEM / Splunk Storage
Hi there, we plan to export our M365 Audit Logs into a Splunk solution. The license cost is based on the storage needed. my questions: - is there a way to assess the storage used by our Audit logs in Microsoft Purview? - is there a way to calculate the storage needed for a number of users in a give time, e.g. per day/ week for heavy, medium, low M365 usage, I only need rough numbers? - does anybody have experience or numbers of their export to a SIEM system? Any support highly appreciated. Thanks, FranckRepost: Important Announcement: Deprecation of Search-AdminAuditLog and New-AdminAuditLogSearch cmdl
In case you get your Exchange blog posts from the Exchange Team's EHLO blog, you may have missed this doozy: Important Announcement: Deprecation of Search-AdminAuditLog and New-AdminAuditLogSearch cmdlets - Microsoft Community Hub It has been posted in the Security, Compliance and Identity blog instead.
Create an Audit for all sites associated to a Hub Site
There is a specific Hub Site that we created for documents that we have migrated from a legacy system to be reviewed by staff. There are over 20 sites associated with the Hub Site. We pull Audit Searches of activity for use with a PowerBI that we use to help determine activity and volume of usage. I was hoping that there is an easier way to pull the Audits for all of the sites associated with the Hub Site rather than having to pull an audit log for each and every single site.Audit logs for a change made in SP Admin Center didn't show a change from modern auth to legacy auth
I was performing an audit in Microsoft Purview, https://compliance.microsoft.com/auditlogsearch?viewid=Async%20Search I did a New Search (preview) and I selected a person to "monitor" who was granted access to heightened security. I was monitoring to see what they might be doing and or if they were making changes. I did the audit on the account and for the date as "current" as possible. I ran the search, and it didn't show me that they changed from modern authentication to legacy authentication. I noticed it when they told me. The area is here: https://xxxxxxxxx-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx#/accessControl/LegacyAuthentication Is there a way to have the auditing check the admin centers for admin's performing work and changing things? Thank you. MattPull Audit and Compliance Data via Microsoft Graph
We have been using reports and dashboards in Microsoft Compliance Center. The big issue on those is that the data is only available and limited for 30 days. We need to pull audit/compliance data such as those we have inhttps://compliance.microsoft.com/: a.Microsoft Purview --> Reports: Retention Label Usage, Sensitivity Label Usage, Retention Label Changes, Label trends over the past X days, DLP Policy Matches, DLP Incidents, DLP false positives and overrides, plus b. those we have inMicrosoft Purview --> Reports --> Activity Explorer but for more than 30 days, for any date range we wish to pull the data for and have a report. I would like to know if with Microsoft Graph we can pulling this information via Graph, and then feed it into some PowerBi Dashboard. Any help or directions if you ever had such experience, solution is appreciated. Ali
