Audit Log & Information Protection Deep Dive
Deep reference for the Unified Audit Log, Audit Premium, Azure Information Protection, Information Barriers, Insider Risk Management, and Communication Compliance.
This page combines architecture, governance, workload-specific behavior, operational details, and PowerShell reference material for Microsoft Purview.
Contents: Unified Audit Log (retention and record types); audit log search (filters and export); important audit activities (50+ events); Audit Premium (high-value events); integration (API, SIEM, automation); Azure Information Protection (scanner and client); Information Barriers (segments and policies); Insider Risk Management (policies and triage); Communication Compliance (templates and review); PowerShell (cmdlets).
Unified Audit Log
The Unified Audit Log consolidates activities from Exchange, SharePoint, OneDrive, Teams, Entra ID, Power BI, and many other services. It is the primary forensic backbone for Microsoft 365 and Purview: an action that was never logged, or whose record has already aged out, cannot be reconstructed later, so retention and access-path decisions belong to the security team as much as to compliance.
| Topic | Description | Note |
|---|---|---|
| Audit Standard | Default retention is 180 days for records generated after the October 2023 change (90 days for older records) | Validate per license and workload |
| Audit Premium | Extended retention, high-value events (MailItemsAccessed, Send, SearchQueryInitiated), and higher Management Activity API bandwidth | Valuable for security operations and investigations |
| 1 year / 10 years | Premium keeps records for one year; the 10-Year Audit Log Retention add-on license extends this to ten years through audit retention policies | Align with compliance and legal-hold obligations |
| Record types | Every event carries a RecordType value (for example ExchangeItem, SharePointFileOperation, AzureActiveDirectoryStsLogon) naming its service or activity family | The primary key for filtering, retention policies, and SIEM data models |
| Searchability | The portal, PowerShell (Search-UnifiedAuditLog), and the Management Activity API expose the same records with different limits and latency | Choose the access path by team and use case; the API is the only option for continuous collection |
Audit log search
| Filter | What is searched | Example |
|---|---|---|
| Date range | Events within a time window (dates are interpreted as UTC) | Last 7 days |
| Activity | The specific audit operation name | MailItemsAccessed |
| User | UPN or account of the actor | alex@contoso.com |
| File / object | File, site, mailbox, or other workload object (the ObjectId field) | ConfidentialPlan.docx |
| Record type | Service context of the event | SharePointFileOperation |
| Export results | CSV from the portal (the AuditData column holds the event as JSON), or PowerShell and API output for downstream processing | SOC evidence package |
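A portal export is capped and manual; for an evidence package or SIEM backfill the practical route is a paged PowerShell search. The function below is an added example, not code from the original page: it pages through one search session and writes one AuditData JSON object per line, the form most collectors ingest directly. It assumes an Exchange Online PowerShell session (Connect-ExchangeOnline, ExchangeOnlineManagement module) with the View-Only Audit Logs role; the user, operations, and output path are demo values.

```powershell
# Added example: paged Search-UnifiedAuditLog export to JSON lines.
# Assumes Connect-ExchangeOnline has already been run.
function Export-UalSearch {
    param(
        [Parameter(Mandatory)][datetime]$StartDate,
        [Parameter(Mandatory)][datetime]$EndDate,
        [string[]]$Operations,
        [string[]]$UserIds,
        [Parameter(Mandatory)][string]$OutFile
    )
    # A fresh SessionId starts a new server-side cursor; reusing it returns the next page.
    $sessionId = "ual-$([guid]::NewGuid())"
    $seen      = [System.Collections.Generic.HashSet[string]]::new()
    $count     = 0
    do {
        $query = @{
            StartDate      = $StartDate
            EndDate        = $EndDate
            SessionId      = $sessionId
            SessionCommand = 'ReturnLargeSet'   # unsorted, but pages up to 50,000 records per session
            ResultSize     = 5000               # largest page the cmdlet allows
        }
        if ($Operations) { $query.Operations = $Operations }
        if ($UserIds)    { $query.UserIds    = $UserIds }
        $page = @(Search-UnifiedAuditLog @query)
        foreach ($rec in $page) {
            # Pages can overlap; Identity is unique per record, so dedupe on it.
            if ($seen.Add($rec.Identity)) {
                $rec.AuditData | Add-Content -Path $OutFile
                $count++
            }
        }
    } while ($page.Count -gt 0)   # an empty page means the session is exhausted
    return $count
}

# Demo call: last seven days of mailbox reads, downloads and sign-ins for one user (fictitious).
$n = Export-UalSearch -StartDate (Get-Date).AddDays(-7).ToUniversalTime() `
                      -EndDate   (Get-Date).ToUniversalTime() `
                      -Operations MailItemsAccessed, FileDownloaded, UserLoggedIn `
                      -UserIds    alex@contoso.com `
                      -OutFile    .\ual-alex.jsonl
"$n records written to ual-alex.jsonl"
```

ReturnLargeSet is the only session mode that goes beyond 5,000 results; ReturnNextPreviewPage returns sorted output but stops at 5,000 in total. If a single window can exceed 50,000 records, split the date range (per day is usually enough) and call the function once per slice.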
Important audit activities table
Operation names must match the value recorded in the log: Entra ID directory operations are logged with a trailing period (for example "Add user."), Exchange admin actions are logged under the cmdlet name (for example "Add-MailboxPermission"), and the RecordType enumeration in the log is finer-grained than the workload family shown here (ExchangeItem versus ExchangeAdmin, AzureActiveDirectoryStsLogon for sign-ins). Confirm a name with a narrow Search-UnifiedAuditLog -Operations query before building a detection on it.
| Activity name | Workload (record type family) | Description |
|---|---|---|
| MailItemsAccessed | Exchange | Access to message contents or mail items (Audit Premium event; MailAccessType Bind for single items, Sync for whole-folder downloads) |
| Send | Exchange | Email was sent (Audit Premium event) |
| SearchQueryInitiated | Exchange | User initiated a search in Outlook (Audit Premium event) |
| MessageBind | Exchange | Message was opened or bound |
| Create | Exchange | Mailbox item was created |
| HardDelete | Exchange | Item permanently deleted |
| SoftDelete | Exchange | Item soft deleted |
| MoveToDeletedItems | Exchange | Item moved to Deleted Items |
| Update | Exchange | Message or item updated |
| SetMailboxOwnerAsDelegate | Exchange | Mailbox owner delegation changed |
| Add-MailboxPermission | Exchange (admin) | Mailbox permission added, for example FullAccess for another user |
| Remove-MailboxPermission | Exchange (admin) | Mailbox permission removed |
| FileAccessed | SharePointFileOperation | File was opened or read |
| FileDownloaded | SharePointFileOperation | File was downloaded |
| FileModified | SharePointFileOperation | File content was modified |
| FileDeleted | SharePointFileOperation | File was deleted |
| FileShared | SharePointSharingOperation | File or folder shared |
| SharingInvitationCreated | SharePointSharingOperation | Sharing invitation created |
| SharingPolicyChanged | SharePoint | Sharing policy changed |
| SiteCollectionCreated | SharePoint | Site collection created |
| FileMoved | SharePointFileOperation | File moved |
| FileCopied | SharePointFileOperation | File copied |
| FolderCreated | SharePointFileOperation | Folder created |
| FolderDeleted | SharePointFileOperation | Folder deleted |
| AnonymousLinkCreated | SharePointSharingOperation | Anyone link created (no sign-in required to open it) |
| UserLoggedIn | AzureActiveDirectory (STS logon) | User signed in successfully |
| UserLoginFailed | AzureActiveDirectory (STS logon) | User sign-in failed |
| Add user | AzureActiveDirectory | User object created |
| Delete user | AzureActiveDirectory | User deleted |
| Update user | AzureActiveDirectory | User attributes changed |
| Add member to group | AzureActiveDirectory | Group membership expanded |
| Remove member from group | AzureActiveDirectory | Group membership reduced |
| Add role assignment | AzureActiveDirectory | Directory role assigned |
| Remove role assignment | AzureActiveDirectory | Directory role removed |
| Change user password | AzureActiveDirectory | User changed their own password |
| Reset user password | AzureActiveDirectory | Admin reset a user's password |
| Set company information | AzureActiveDirectory | Tenant company information changed |
| Add application | AzureActiveDirectory | App registration or service principal created |
| Consent to application | AzureActiveDirectory | Application consent granted (check whether it was admin consent and which permissions) |
| Update application | AzureActiveDirectory | Application configuration updated (credentials, redirect URIs, permissions) |
| TeamCreated | MicrosoftTeams | Team created |
| TeamDeleted | MicrosoftTeams | Team deleted |
| ChannelCreated | MicrosoftTeams | Channel created |
| ChannelDeleted | MicrosoftTeams | Channel deleted |
| MembersAdded | MicrosoftTeams | Members added to the team |
| MembersRemoved | MicrosoftTeams | Members removed from the team |
| TeamSettingChanged | MicrosoftTeams | Team setting changed |
| MeetingParticipantDetail | MicrosoftTeams | Meeting participant details logged |
| PowerBIViewReport | PowerBI | Report viewed in Power BI |
| PowerBIExportReport | PowerBI | Report exported |
| DatasetAccessed | PowerBI | Dataset accessed |
| DlpRuleMatch | DLP | DLP rule matched content |
| SensitivityLabelApplied | InformationProtection | Sensitivity label applied |
| SensitivityLabelChanged | InformationProtection | Sensitivity label changed or removed (a downgrade or removal is the interesting case) |
| RetentionLabelApplied | RecordsManagement | Retention label applied |
| AuditLogSearch | SecurityComplianceCenter | Audit search executed (who is looking at the log is itself evidence) |
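The table is only useful once the names are turned into checks. The block below is an added example, not code from the original page: three triage rules run over constructed records shaped like Search-UnifiedAuditLog output, with AuditData JSON in the Management Activity API schema for each workload (OperationProperties for MailItemsAccessed, Parameters for Exchange admin cmdlets, SiteUrl/ObjectId for SharePoint sharing). Tenant name, users, IP addresses, the "trusted" egress prefix, and the sensitive site list are fictitious assumptions; it runs offline without a tenant connection.

```powershell
# Added example: triage rules over Unified Audit Log records (constructed sample data).
$TrustedEgressPrefixes = @('198.51.100.')   # assumption: corporate egress range
$SensitiveSiteUrls     = @('https://contoso.sharepoint.com/sites/Finance')

$SampleRecords = @(
    [pscustomobject]@{
        CreationDate = [datetime]'2024-05-02T08:15:00Z'
        UserIds      = 'alex@contoso.com'
        Operations   = 'MailItemsAccessed'
        # Audit Premium event: MailAccessType "Sync" means whole folders were pulled, not single items.
        AuditData    = '{"Operation":"MailItemsAccessed","UserId":"alex@contoso.com","ClientIPAddress":"203.0.113.10","ClientInfoString":"Client=REST;Client=RESTSystem;;","OperationProperties":[{"Name":"MailAccessType","Value":"Sync"},{"Name":"IsThrottled","Value":"False"}],"Folders":[{"Path":"\\Inbox","FolderItems":[{"Id":"constructed-item-1"}]}]}'
    },
    [pscustomobject]@{
        CreationDate = [datetime]'2024-05-02T09:40:00Z'
        UserIds      = 'alex@contoso.com'
        Operations   = 'AnonymousLinkCreated'
        AuditData    = '{"Operation":"AnonymousLinkCreated","UserId":"alex@contoso.com","SiteUrl":"https://contoso.sharepoint.com/sites/Finance","ObjectId":"https://contoso.sharepoint.com/sites/Finance/Shared Documents/ConfidentialPlan.docx"}'
    },
    [pscustomobject]@{
        CreationDate = [datetime]'2024-05-02T10:05:00Z'
        UserIds      = 'admin@contoso.com'
        Operations   = 'Add-MailboxPermission'
        # Admin cmdlet events carry the cmdlet arguments as Name/Value pairs.
        AuditData    = '{"Operation":"Add-MailboxPermission","UserId":"admin@contoso.com","ObjectId":"ceo@contoso.com","Parameters":[{"Name":"Identity","Value":"ceo@contoso.com"},{"Name":"User","Value":"alex@contoso.com"},{"Name":"AccessRights","Value":"FullAccess"}]}'
    }
)

function Get-UalFinding {
    param([Parameter(Mandatory)][object[]]$Records)
    foreach ($r in $Records) {
        $d   = $r.AuditData | ConvertFrom-Json
        $hit = $null
        switch ($d.Operation) {
            'MailItemsAccessed' {
                $mode  = ($d.OperationProperties | Where-Object Name -eq 'MailAccessType').Value
                $ip    = [string]$d.ClientIPAddress
                $known = $TrustedEgressPrefixes | Where-Object { $ip.StartsWith($_) }
                if ($mode -eq 'Sync' -and -not $known) {
                    $hit = "Mailbox sync from untrusted IP $ip ($($d.ClientInfoString))"
                }
            }
            'AnonymousLinkCreated' {
                if ($SensitiveSiteUrls -contains $d.SiteUrl) {
                    $hit = "Anyone link created on sensitive site: $($d.ObjectId)"
                }
            }
            'Add-MailboxPermission' {
                $p = @{}
                foreach ($kv in $d.Parameters) { $p[$kv.Name] = $kv.Value }
                if ($p['AccessRights'] -match 'FullAccess' -and $p['User'] -ne $p['Identity']) {
                    $hit = "FullAccess on $($p['Identity']) granted to $($p['User'])"
                }
            }
        }
        if ($hit) {
            [pscustomobject]@{
                Time      = $r.CreationDate.ToUniversalTime()
                Actor     = $d.UserId
                Operation = $d.Operation
                Finding   = $hit
            }
        }
    }
}

# All three sample records trigger a finding.
Get-UalFinding -Records $SampleRecords | Format-Table -AutoSize
# Live data: Get-UalFinding -Records (Search-UnifiedAuditLog -StartDate ... -EndDate ... -ResultSize 5000)
```

The rules deliberately read the nested JSON rather than the flat Operations/UserIds columns: the decision-relevant detail (access type, client IP, which mailbox was delegated to whom) only exists inside AuditData.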
Audit Premium
| Premium feature | Description | Benefit |
|---|---|---|
| High-value events | Additional events such as MailItemsAccessed, Send, and SearchQueryInitiated with richer context (client info, access type, throttling state) | Lets incident response establish which messages an attacker actually read or exfiltrated |
| Longer retention | One year by default, ten years with the 10-Year Audit Log Retention add-on | Meets forensic and regulatory needs |
| Custom audit retention policies | Policies scoped to record types, operations, or users, ordered by priority (a lower priority number wins when policies overlap) | Targeted retention instead of one-size-fits-all |
| Higher bandwidth access | Higher throughput for the Management Activity API | Relevant for SIEM ingestion and large investigations |
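Custom retention policies are configured in Security & Compliance PowerShell rather than in the portal-only view. The block below is an added example, not code from the original page: one policy keeps all Exchange item events for ten years, a second keeps only sign-in events for one year. It assumes Connect-IPPSSession (ExchangeOnlineManagement module), Audit Premium licensing plus the ten-year add-on for the first policy, and demo policy names and priorities.

```powershell
# Added example: Audit Premium retention policies (Security & Compliance PowerShell).
Connect-IPPSSession

# Keep Exchange mailbox item events for ten years (needs the 10-Year Audit Log Retention add-on).
# Priority is mandatory; the lower number wins where policies overlap.
New-UnifiedAuditLogRetentionPolicy -Name 'Exchange items - 10 years' `
    -RecordTypes ExchangeItem, ExchangeItemGroup, ExchangeItemAggregated `
    -RetentionDuration TenYears `
    -Priority 10

# Narrower policy: keep only sign-in events for twelve months.
# -Operations can only be combined with a single RecordTypes value.
New-UnifiedAuditLogRetentionPolicy -Name 'Entra sign-ins - 1 year' `
    -RecordTypes AzureActiveDirectoryStsLogon `
    -Operations UserLoggedIn, UserLoginFailed `
    -RetentionDuration TwelveMonths `
    -Priority 100

# Review the effective set, highest priority first.
Get-UnifiedAuditLogRetentionPolicy | Sort-Object Priority |
    Format-Table Name, Priority, RecordTypes, Operations, RetentionDuration -AutoSize
```

Valid RetentionDuration values are ThreeMonths, SixMonths, NineMonths, TwelveMonths, and TenYears; a policy cannot shorten retention below what the license already guarantees, so these policies only ever extend it.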
Integration
| Integration | Description | Operational value |
|---|---|---|
| Management Activity API | Programmatic retrieval of audit data through content subscriptions per workload (Exchange, SharePoint, Azure AD, General, DLP) | Foundation for SIEM and third-party tooling |
| Microsoft Sentinel | The Office 365 connector streams Exchange, SharePoint/OneDrive, and Teams audit records into the OfficeActivity table; Entra ID sign-in and audit logs arrive through the Entra ID connector | Correlation with identity, endpoint, and cloud telemetry |
| Splunk | Forwarding through add-ons or API collectors | Useful in established SOC environments |
| QRadar | Parsing and normalization of audit logs | Consolidation in IBM-based environments |
| Power Automate | Notifications and simple reactions | No-code alerting for business teams |
| Webhooks | The Management Activity API notifies a registered webhook when new content blobs are available, so collectors pull instead of poll | Fast automation on defined triggers |
Azure Information Protection
Azure Information Protection remains relevant for legacy scenarios, scanner-based classification on-premises, and certain migration paths. Modern Microsoft 365 clients use built-in labeling (the AIP Office add-in reached retirement in April 2024), but the scanner still addresses file shares and SharePoint Server and continues as the Purview Information Protection scanner.
| Component | Description | Typical task |
|---|---|---|
| Unified labeling client | Legacy client for Office and Windows | Special cases without built-in parity |
| AIP scanner | Server component for on-premises scans, backed by a SQL Server database | Scan file shares and SharePoint Server |
| Network discovery | Finds repositories and risks before scanning | Helps onboard new repositories |
| Content scan jobs | Define scope, depth, and actions | Classify, label, report |
| Repositories | File shares, local server paths, SharePoint Server | Brings legacy data under governance |
| Configuration | Scanner clusters, proxy, performance, and schedule | Makes operations and scaling manageable |
Scanner rollout in practice: (1) size the service account, connectivity, and resources; (2) document file shares, SharePoint Server farms, and priorities; (3) make repositories and risks visible before classification; (4) choose report-only or automatic labeling depending on maturity; (5) review hit quality, performance, and exceptions before enforcing.
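Steps 2 to 5 map onto a handful of scanner cmdlets. The block below is an added example, not code from the original page: it installs a scanner node, registers two repositories, and runs a discovery (report-only) pass. It uses cmdlets from the AzureInformationProtection module that ships with the scanner (Install-AIPScanner, Set-AIPAuthentication, Add-AIPScannerRepository, Set-AIPScannerContentScanJob, Start-AIPScan, Get-AIPScannerStatus); the SQL instance, cluster name, app registration, account, and paths are demo placeholders, and parameter names should be confirmed with Get-Help for the installed client version.

```powershell
# Added example: AIP scanner node in discovery mode (run on the scanner host).
# Step 1 assumed done: scanner service account, SQL instance, and proxy are in place.
Install-AIPScanner -SqlServerInstance 'SQL01\AIPDB' -Cluster 'EU-Scanners'

# Non-interactive token for the scanner service account via an app registration
# (placeholders; never commit a real secret).
Set-AIPAuthentication -AppId '<app-id>' -AppSecret '<app-secret>' `
    -TenantId '<tenant-id>' -DelegatedUser scanner-svc@contoso.com

# Step 2: register the inventoried repositories, most sensitive first.
Add-AIPScannerRepository -Path '\\fs01\Finance'
Add-AIPScannerRepository -Path 'http://sp2016/sites/projects'

# Steps 3 and 4: report only, write no labels yet, keep full per-file logging.
Set-AIPScannerContentScanJob -Enforce Off -ReportLevel Info

# Step 5: full scan, then check progress and the report under %localappdata%\Microsoft\MSIP\Scanner\Reports.
Start-AIPScan -Reset
Get-AIPScannerStatus
```

Switch -Enforce to On only after the discovery report shows acceptable false-positive rates; -Reset forces a full rescan instead of the incremental delta, which is what you want after changing the scan job or the label policy.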
Information Barriers deep dive
| Building block | Description | Example |
|---|---|---|
| Segments | User groups defined by a filter on Entra ID attributes such as department, country, or region; in the legacy model a user may match only one segment | Research, Sales, Finance |
| Block policy | Prevents communication between the assigned segment and the blocked segments; a block is one-directional, so the reverse policy is needed as well | Research must not chat with Sales |
| Allow policy | Explicitly allows defined segment relationships; every segment not listed is blocked | Finance may work with Legal |
| Teams scope | Chat, calling, meetings, and team membership | Regulated communication boundaries |
| SharePoint scope | Site access and file sharing | Chinese walls at content level |
| OneDrive scope | Sharing and collaboration in OneDrive | Prevents prohibited direct shares |
| Legacy vs multi-segment | Older single-segment model versus the more flexible multi-segment support | Consider migration and policy design |
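The table's two examples, a Research/Sales block and a Finance/Legal allow, look like this in Security & Compliance PowerShell. The block below is an added example, not code from the original page: it assumes Connect-IPPSSession, that scoped directory search has already been enabled in the Teams admin center (a prerequisite for applying IB policies), that Department is the attribute that separates the populations, and fictitious user names for the verification step.

```powershell
# Added example: Information Barrier segments and policies (Security & Compliance PowerShell).
Connect-IPPSSession

# Segments from a Department filter; each user may fall into only one segment (legacy model).
New-OrganizationSegment -Name 'Research' -UserGroupFilter "Department -eq 'Research'"
New-OrganizationSegment -Name 'Sales'    -UserGroupFilter "Department -eq 'Sales'"
New-OrganizationSegment -Name 'Finance'  -UserGroupFilter "Department -eq 'Finance'"
New-OrganizationSegment -Name 'Legal'    -UserGroupFilter "Department -eq 'Legal'"

# A block policy is one-directional: without the second policy, Sales could still start a chat with Research.
New-InformationBarrierPolicy -Name 'Research-blocks-Sales' -AssignedSegment 'Research' -SegmentsBlocked 'Sales'    -State Inactive
New-InformationBarrierPolicy -Name 'Sales-blocks-Research' -AssignedSegment 'Sales'    -SegmentsBlocked 'Research' -State Inactive

# Allow policy: Finance may communicate only with Legal (and with itself); everything else is blocked.
# A segment can be the AssignedSegment of exactly one policy, so Finance gets no block policy.
New-InformationBarrierPolicy -Name 'Finance-allows-Legal' -AssignedSegment 'Finance' -SegmentsAllowed 'Finance', 'Legal' -State Inactive

# Activate, then apply. Application is asynchronous; poll the status until it reports completed.
'Research-blocks-Sales', 'Sales-blocks-Research', 'Finance-allows-Legal' |
    ForEach-Object { Set-InformationBarrierPolicy -Identity $_ -State Active }
Start-InformationBarrierPoliciesApplication
Get-InformationBarrierPoliciesApplicationStatus

# Verify a concrete pair after application (Exchange Online PowerShell, fictitious users).
Get-ExoInformationBarrierRelationship -RecipientId1 researcher@contoso.com -RecipientId2 seller@contoso.com
```

Create policies as Inactive first so you can review Get-InformationBarrierPolicy before anything takes effect; activating a single misdirected block policy removes people from existing Teams and chats.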
Insider Risk Management
| Policy template | Signals | Goal |
|---|---|---|
| Data theft by departing users | HR connector resignation and termination dates, device activity, cloud uploads, USB copies | Raise alerts before critical data leaves with the user |
| Data leaks | DLP policy matches, sharing events, device indicators | Identify risky handling of data |
| Security policy violations | Browser, endpoint, and Microsoft Defender signals | Detect violations of security policies |
| Patient data misuse | Healthcare record connectors and access patterns | Detect misuse of sensitive health data |
| Indicators | Office, device, HR connector, and healthcare data indicators | Broad signal base for risk scoring |
| Alert triage | Assess, dismiss, or escalate alerts | Structure the analyst workflow |
| Case management | Investigation cases, evidence, and notes | Traceability and governance |
| Analytics | Analyze trends and risk distribution | Improve program maturity |
| Forensic evidence | File, device, and communication evidence | Decision-grade evidence for HR or security |
Communication Compliance
| Area | Description | Example |
|---|---|---|
| Detect inappropriate text | Policies against abusive or risky language | Harassment review in Teams |
| Detect inappropriate images | Analysis of image contents | Escalation of explicit content |
| Monitor for sensitive info | Check sensitive information types (SITs) and trainable classifiers in communication | PII in regulated chat channels |
| Direction conditions | Inbound, outbound, internal, external | Monitor internal chats only |
| Sender / recipient | Focus on specific users or groups | Supervision of broker groups |
| Attachment / size | Take message characteristics and attachments into account | Review only messages with images |
| Custom keywords | Include organization-specific keywords | Sensitive project codenames |
| Review workflow | Reviewer, escalation, and resolution | Multi-stage escalation to HR |
PowerShell
| Cmdlet | Purpose | Note |
|---|---|---|
| Search-UnifiedAuditLog | Search the Unified Audit Log | Exchange Online PowerShell (Connect-ExchangeOnline); important for ad-hoc forensics |
| Get-UnifiedAuditLogRetentionPolicy | Review audit retention policies | Security & Compliance PowerShell (Connect-IPPSSession); relevant for Audit Premium |
| Connect-AipService | Connect to the AIP service | AIPService module; legacy AIP administration |
| Get-AipServiceConfiguration | Read AIP configuration | Helps with scanner and RMS checks |
| Get-AipServiceTemplate | Review RMS templates | Useful in migration projects |
```powershell
# Search-UnifiedAuditLog is an Exchange Online cmdlet
Connect-ExchangeOnline
Search-UnifiedAuditLog `
    -StartDate (Get-Date).AddDays(-7) `
    -EndDate (Get-Date) `
    -Operations MailItemsAccessed,FileDownloaded,UserLoggedIn `
    -ResultSize 5000   # maximum per call; page with -SessionId/-SessionCommand beyond that

# Audit retention policies live in Security & Compliance PowerShell
Connect-IPPSSession
Get-UnifiedAuditLogRetentionPolicy | Format-Table Name, Priority, RecordTypes, RetentionDuration

# Legacy AIP service (AIPService module)
Connect-AipService
Get-AipServiceConfiguration
Get-AipServiceTemplate | Select-Object TemplateId, Names, Status
```
Validate Purview configurations with pilot groups, test data, and clearly documented exceptions before enforcing them tenant-wide.