cisagov / ScubaGear

Automation to assess the state of your M365 tenant against CISA's baselines
https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project
Creative Commons Zero v1.0 Universal

M365 Auditing Changes and Enhancements, Part 2 #1072

Open schrolla opened 2 months ago

schrolla commented 2 months ago

💡 Summary

The M365 unified audit log capability tracks actions taken across many of the M365 services. The log types supported depend on services in use, tenant licensing, and licenses applied to individual users. This epic is built around using identified changes to audit policies from previous work to update baseline auditing policies and associated code assessment checks, where feasible.

Motivation and context

Auditing is a critical component for monitoring SaaS usage patterns, potential misuse, and detecting threats. Based on the expanded availability of several log types previously only available to Purview Premium and the publication of the Microsoft Expanded Cloud Logs Implementation Playbook, SCuBA baselines should be reviewed and updated to keep pace with these service updates and the latest guidance.

Implementation notes

Implementing auditing policy and assessment check enhancements will include:

Acceptance criteria

The following issues are completed

schrolla commented 2 months ago

Need to further refine. May split into multiple epics.