Microsoft Purview Logs


Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

Overview

Table name: microsoft_purview

Microsoft 365 Purview (Unified Audit Log) events provide detailed records of Information Protection and Sensitivity Label activities across Microsoft 365 services. These logs capture information on actions such as sensitivity label applications, label changes, protection type modifications, and email/content protection events within Microsoft 365 applications (Outlook, SharePoint, OneDrive, Teams, etc.). By analyzing these logs, organizations can track how sensitivity labels are being applied, identify data protection policy compliance, ensure information protection policies are adhered to, and maintain a transparent record for audit purposes. These logs are crucial for maintaining Microsoft 365 compliance, supporting regulatory requirements, and enhancing overall data security.

Important: This data type processes Microsoft 365 Unified Audit Log events (specifically Information Protection/Sensitivity Label events), NOT Azure Purview (Data Governance) logs. These events are typically ingested via Office 365 Management Activity API → Azure Event Hub.

Learn more here.

Send data to Hunters

Hunters supports the ingestion of these logs using Azure Event Hub. Follow the steps below to complete the connection.

STEP 1: Set up Azure Event Hub

Before setting up the connection on the Hunters platform, you'll need to set up and create an Azure Event Hub.

Follow this guide to complete the set up.

STEP 2: Route logs to the Event Hub

Option A: Office 365 Management Activity API (Recommended)

Stream Microsoft 365 Unified Audit Log events to the Azure Event Hub:

  1. Enable Unified Audit Logging (if not already enabled):

    • In the Microsoft Purview compliance portal (formerly Microsoft 365 Compliance Center), go to Audit → Search
    • Unified Audit Logging is enabled by default for most organizations
    • Verify by attempting to search audit logs; if the search page prompts you to turn on auditing, enable it there
  2. Verify the audit configuration and confirm that sensitivity label events are being recorded:

    • Use PowerShell with the Exchange Online Management module:
      # Connect to Exchange Online (Exchange Online Management module)
      Connect-ExchangeOnline

      # Confirm that unified audit log ingestion is enabled; turn it on if it is not
      Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled
      Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

      # Confirm that sensitivity label events (RecordType 83, SensitivityLabelAction) are being written
      Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -RecordType SensitivityLabelAction -ResultSize 10

    • Note that Exchange Online PowerShell only manages the audit configuration; it does not create the Event Hub subscription. There is no Event Hub streaming option in the audit search UI either; the forwarding is done by a collector, as described in the next step.
  3. Forward the events from the Office 365 Management Activity API to the Event Hub:

    • Start a Management Activity API subscription for the content types that carry these events (Audit.General covers workloads other than Exchange, SharePoint and Entra ID; the sample record on this page has Workload "PublicEndpoint")
    • The API does not write to Event Hub itself: it notifies your collector (by webhook or polling) that new content blobs are available, and the collector fetches each blob and publishes the individual events to the Event Hub created in STEP 1
    • Any collector that performs this fetch-and-forward step can be used; the Event Hub connection details it needs are the ones gathered in STEP 1

Option B: Azure Monitor / Log Analytics data export (if the events are already in a Log Analytics workspace)

If Microsoft 365 audit logs are already collected in Azure Monitor/Log Analytics (for example through the Microsoft Sentinel Microsoft Purview Information Protection data connector, which populates the MicrosoftPurviewInformationProtection table):

  • Create a data export rule on the Log Analytics workspace that exports the MicrosoftPurviewInformationProtection table to the Event Hub namespace created in STEP 1. This is the workspace's data export feature, not its diagnostic settings: diagnostic settings on a workspace emit the workspace's own audit logs, not the tables ingested into it
  • This requires existing Microsoft 365 audit log collection infrastructure
  • Records exported this way carry the Log Analytics envelope fields (TimeGenerated, Type, _ItemId, _Internal_WorkspaceResourceId) that appear in the expected format below; the Type value MicrosoftPurviewInformationProtection is the table name

Note: Do NOT use Azure Purview (Data Governance) diagnostic settings, as those generate a different log format and are not compatible with this data type.

STEP 3: Set up the connection on Hunters

📘 Before you begin
To complete this process you will need the information gathered when following this guide.
To connect logs to Hunters:
  1. Open the Hunters platform and navigate to Data > Data Sources.
  2. Click ADD DATA SOURCES.
  3. Locate the Microsoft Azure panel and click Connect.
    The Add Data Flows window opens.
  4. Fill in the required Azure application details, as gathered here under STEP 2.
  5. Under the Data Types section, activate the data types you want to connect.
  6. For each activated data type, fill in the required information, as gathered here:
    1. Under STEP 1 - Subscription ID
    2. Under STEP 3 - Resource group name and Event Hub namespace
    3. Under STEP 4 - Event Hub name
  7. OPTIONAL: Under the Consumer group field you can specify a specific Azure Event Hub consumer group, or leave this field empty to use the default consumer group.
  8. Click Test Connection to make sure everything was set up correctly.
  9. Once the connection is established, click Submit.

Expected format

Logs are expected in JSON format.

{
    "_Internal_WorkspaceResourceId": "/subscriptions/asdasd/asd/asd/asd",
    "_ItemId": "a0607082-36d4-11ef-8966-000d3abcf897",
    "ActionSource": "Automatic",
    "ActionSourceDetail": "AutoByReplyOrForward",
    "Application": "Outlook",
    "ClientIP": "1.2.3.4",
    "ContentType": "Email",
    "CurrentProtectionType": {
        "documentEncrypted": false,
        "owner": "",
        "protectionType": 0,
        "templateId": ""
    },
    "CurrentProtectionTypeName": "None",
    "DeviceName": "QADO100017",
    "EmailInfo": {
        "cc": [
            "test@test.com",
            "test@test.com",
            "test@test.com"
        ],
        "from": "test@test.com",
        "subject": "RE: Email Subject",
        "to": [
            "test@test.com",
            "test@test.com"
        ]
    },
    "Id": "28f931bf-3dde-42af-9122-746d4c81604b",
    "LabelEventType": "LabelChangedSameOrder",
    "Operation": "SensitivityLabelApplied",
    "OrganizationId": "asdasd-asdasd-asdasd",
    "Platform": "Windows",
    "PreviousProtectionType": {
        "documentEncrypted": false,
        "owner": "",
        "protectionType": 0,
        "templateId": ""
    },
    "PreviousProtectionTypeName": "None",
    "ProtectionEventTypeName": "Unchanged",
    "RecordType": 83,
    "RecordTypeName": "SensitivityLabelAction",
    "SensitivityLabelId": "df6d7d17-467a-4c8a-bc82-0da4d92ddbea",
    "TargetLocation": "Cloud",
    "TenantId": "aasd-asdsad-asdasd",
    "TimeGenerated": "2024-06-30T11:27:52.0000000Z",
    "Type": "MicrosoftPurviewInformationProtection",
    "UserId": "test@test.com",
    "UserKey": "asdasd-asdasd-asdasd",
    "UserType": "Regular",
    "Workload": "PublicEndpoint"
}
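The record above shows the fields an analyst actually keys on: LabelEventType, ProtectionEventTypeName, the documentEncrypted flags in PreviousProtectionType / CurrentProtectionType, ActionSource and EmailInfo. The following is an added example, not code from the Hunters page or from Microsoft, that runs a small triage over constructed JSON-lines records in this shape and flags label downgrades and loss of protection. The field names come from the sample above; the enum values "LabelDowngraded", "LabelRemoved", "ProtectionRemoved" and ActionSource "Manual" do not appear on this page and are assumed from the Management Activity API schema, so the encryption check falls back on the documentEncrypted flags, which the page does show.

```python
"""Triage of Microsoft Purview Information Protection events (Unified Audit Log
RecordType 83, SensitivityLabelAction) as landed in the microsoft_purview table.

Added example; not part of the Hunters page or of Microsoft's tooling.
Field names follow the page's sample record. Enum values other than
"LabelChangedSameOrder" and "Unchanged" (the two in that sample) are ASSUMED.
All input records are constructed.
"""
from __future__ import annotations

import json
from typing import Any

# ASSUMED values (not in the page sample) for label downgrade / protection loss.
DOWNGRADE_EVENTS = {"LabelDowngraded", "LabelRemoved"}
PROTECTION_LOSS_EVENTS = {"ProtectionRemoved"}


def protection_removed(event: dict[str, Any]) -> bool:
    """True when content went from encrypted to not encrypted.

    Uses the documentEncrypted flags shown in the page's schema first, so the
    check still works if ProtectionEventTypeName is missing or renamed.
    """
    prev = (event.get("PreviousProtectionType") or {}).get("documentEncrypted", False)
    cur = (event.get("CurrentProtectionType") or {}).get("documentEncrypted", False)
    if prev and not cur:
        return True
    return event.get("ProtectionEventTypeName") in PROTECTION_LOSS_EVENTS


def classify(event: dict[str, Any]) -> list[str]:
    """Return the findings for one record; an empty list means nothing to flag."""
    findings: list[str] = []
    if event.get("RecordType") != 83:
        return findings  # not a SensitivityLabelAction record
    if event.get("LabelEventType") in DOWNGRADE_EVENTS:
        findings.append("label_downgraded_or_removed")
    if protection_removed(event):
        findings.append("protection_removed")
    # A user-driven change matters more than an automatic re-label
    # (the page's sample has ActionSource "Automatic"; "Manual" is ASSUMED).
    if findings and event.get("ActionSource") == "Manual":
        findings.append("manual_action")
    return findings


def triage(lines: list[str]) -> list[dict[str, Any]]:
    """Parse JSON lines and return a summary for every record with findings."""
    out: list[dict[str, Any]] = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than drop the batch
        f = classify(ev)
        if not f:
            continue
        email = ev.get("EmailInfo") or {}
        out.append({
            "time": ev.get("TimeGenerated"),
            "user": ev.get("UserId"),
            "app": ev.get("Application"),
            "client_ip": ev.get("ClientIP"),
            "label": ev.get("SensitivityLabelId"),
            "recipients": len(email.get("to") or []) + len(email.get("cc") or []),
            "findings": f,
        })
    return out


# Constructed sample batch: a benign automatic re-label (like the page's sample),
# a manual downgrade that drops encryption, a non-label record, and a bad line.
SAMPLE = [
    json.dumps({"RecordType": 83, "Operation": "SensitivityLabelApplied",
                "LabelEventType": "LabelChangedSameOrder", "ActionSource": "Automatic",
                "ProtectionEventTypeName": "Unchanged", "UserId": "alice@example.com",
                "PreviousProtectionType": {"documentEncrypted": False},
                "CurrentProtectionType": {"documentEncrypted": False},
                "TimeGenerated": "2024-06-30T11:27:52.0000000Z"}),
    json.dumps({"RecordType": 83, "Operation": "SensitivityLabelApplied",
                "LabelEventType": "LabelDowngraded", "ActionSource": "Manual",
                "ProtectionEventTypeName": "ProtectionRemoved", "UserId": "bob@example.com",
                "Application": "Outlook", "ClientIP": "203.0.113.7",
                "SensitivityLabelId": "df6d7d17-467a-4c8a-bc82-0da4d92ddbea",
                "PreviousProtectionType": {"documentEncrypted": True},
                "CurrentProtectionType": {"documentEncrypted": False},
                "EmailInfo": {"to": ["x@example.org", "y@example.org"], "cc": ["z@example.org"]},
                "TimeGenerated": "2024-06-30T12:03:10.0000000Z"}),
    json.dumps({"RecordType": 15, "Operation": "UserLoggedIn", "UserId": "carol@example.com"}),
    "{not json",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```

Only the second record is reported: downgrade, protection removed, manual, three recipients. The documentEncrypted comparison is the part worth keeping even if you replace the assumed enum values with the ones observed in your own tenant.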