Enhancing Microsoft Purview Audit Trails

  • Type: Product Insights
  • Date: 23/05/2023
  • Author: Alistair Jones

Purview, a popular tool for auditing file activities, comes with certain limitations that hinder its effectiveness. However, our team has developed a solution to overcome these shortcomings and provide users with enhanced file activity monitoring capabilities.

With Data X-Ray, a specialized tool designed for managing unstructured data in large and diverse corporate data systems, a new capability has been introduced. This capability seamlessly integrates the sensitivity and metadata knowledge provided by Data X-Ray with the management of file activity logs. This enables users to create alerts, analyze trends, and gain valuable insights into file usage and sensitivity.

In this blog post, we will delve into the challenges posed by MS Purview audit trails, outline our solution, discuss potential use cases, and provide insights into future developments.

Challenges with MS Purview Audit Trails

MS Purview audit trails, though useful, have several notable limitations:

  • Limited retention: The audit trails only retain data for 90 days, which can be extended to one year for superior paid tiers.
  • Scalability: Exported audit trail data is limited to 50,000 results, requiring separate searches to download activity for a single day in larger organizations.
  • Cumbersome data format: The audit trail data is stored in CSV format, where JSON-formatted data is contained within a column. This can make it challenging to read and work with the data in Excel or other CSV readers.
  • Lack of sensitivity information: The audit trail does not provide information about the sensitivity of the files, making it challenging to distinguish between public and confidential information.
  • No single view of the entire enterprise data estate: Purview, being focused on the Microsoft suite, does not provide a comprehensive view of an entire enterprise data estate as it either does not connect to all the data sources that an enterprise might have or otherwise does not support all features across all datasources you need to build solid audit trails.
  • Paying twice for data outside of Azure: Since there is a charge for Purview processing and a separate charge for data egress costs from external cloud PaaS/SaaS providers, there is a double charge that can make enabling anything outside of Azure very expensive.

Our Solution

To address these challenges, we have devised a solution that enhances the MS Purview audit trails for Microsoft systems and facilitates their analysis along with other data sources the enterprise might have. Here's how it works:

  • Filtering and enrichment: We read the MS audit trail, filter for the desired events, and enrich them with sensitivity information.
  • Consolidation and export: The filtered and enriched events are written to a single log, which is then sent to a third-party tool specializing in log management, such as SIEM (Security Information and Event Management) or Imperva DSF.
  • Leveraging third-party tools (such as SIEM and SOAR systems): With the logs in a dedicated log management tool, users can perform various actions and gain insights, such as creating alerts, searching activity feeds for files or users, and analyzing trends related to file modifications, deletions, access, downloads, and share link creation.

Use Cases for Enhanced File Activity Monitoring

The integration of MS Purview audit trails opens up several valuable use cases, providing users with greater control and awareness of file activities. Here are some examples:

  • Risk notification: Users can receive risk notifications for specific files and sensitive file groups. Leveraging Smart Labels, users can create alerts for groups of sensitive files that may face an increased risk of exposure. This scalable approach enables users to stay informed and take proactive measures to mitigate risks. The notifications can be conveniently delivered through a SIEM system of the user's choice.
  • Detection of malicious behavior: Users can be alerted when suspicious activities, such as unauthorized access, file modifications, deletions, or downloads, are detected.
  • Trend analysis: By analyzing file activity over the past 90 days, users can identify trends related to file modifications, deletions, access, and downloads. The analysis can be performed based on file sensitivity, providing deeper insights into data handling practices.

Future Developments

Looking ahead, we will be bringing more and more of the reporting and dashboarding functionality directly into the Data X-Ray itself. This integration would offer users a more seamless experience within the tool instead of relying on generalized SIEM dashboarding. However, the configuration of the alerting system may remain external, allowing users to leverage the flexibility of external systems.


By recognizing the limitations of MS Purview audit trails and developing a robust solution, we have empowered users with enhanced file activity monitoring capabilities.

Through integration with a third-party log management tool, users can create alerts, analyze trends, and gain valuable insights into file usage and sensitivity. The ongoing development of additional use cases and future integration within MS Purview's interface ensures a continuous improvement of the monitoring feature.

With our solution, organizations can proactively safeguard their data, mitigate risks, and make informed decisions based on comprehensive file activity analysis.

If you have any questions or need any information, feel free to connect with us.

Subscribe to our newsletter

Subscribe now