Next you need to create your forensic evidence policies. In the Purview portal, go to “Forensic evidence policies” and select “Create forensic evidence policy.” Specify which activities to capture, such as printing, file exfiltration, specific apps or websites, or all activities for selected users. “All activities” is not a typical setting and is used only for a set period during an investigation. You can also use Microsoft 365 Defender’s Advanced Hunting and Activity Log features for additional forensic analysis.

Susan Bradley / CSO
Caveats and limitations
Even with these settings, there are times when you are at the mercy of the vendor. Forensic examinations of cloud assets can be complicated. Tracing through your log files to determine which OAuth authentication was abused often requires expert review. In addition, you don’t get memory dumps or the full control you have on endpoints. You often must open a support ticket with your vendor to request log files, which delays your investigation and response.
There are also budget limitations to be aware of. For example, you may need to purchase additional storage to store the forensic evidence you wish to capture.