Merge pull request #34152 from MicrosoftDocs/NEW-investigate-threats-using-audit-in-microsoft-365-defender-microsoft-purview-premium

New investigate threats using audit in microsoft 365 defender microsoft purview premium

Author: American-Dipper

learn-pr/wwl-sci/investigate-threats-using-audit-in-microsoft-365-defender-microsoft-purview-premium/1-introduction.yml

@@ -0,0 +1,14 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.investigate-threats-using-audit-in-microsoft-365-defender-microsoft-purview-premium.introduction
+title: Introduction
+metadata:
+  title: Introduction
+  description: "Introduction."
+  ms.date: 3/22/2023
+  author: wwlpublish
+  ms.author: kelawson
+  ms.topic: interactive-tutorial
+  ms.prod: learning-m365
+durationInMinutes: 1
+content: |
+  [!include[](includes/1-introduction.md)]

learn-pr/wwl-sci/investigate-threats-using-audit-in-microsoft-365-defender-microsoft-purview-premium/2-explore-microsoft-purview-audit-premium.yml

@@ -0,0 +1,28 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.investigate-threats-using-audit-in-microsoft-365-defender-microsoft-purview-premium.explore-microsoft-purview-audit-premium
+title: Explore Microsoft Purview Audit (Premium)
+metadata:
+  title: Explore Microsoft Purview Audit (Premium)
+  description: "Explore Microsoft Purview Audit (Premium)."
+  ms.date: 3/22/2023
+  author: wwlpublish
+  ms.author: kelawson
+  ms.topic: interactive-tutorial
+  ms.prod: learning-m365
+durationInMinutes: 10
+content: |
+  [!include[](includes/2-explore-microsoft-purview-audit-premium.md)]
+quiz:
+  title: "Check your knowledge"
+  questions:
+  - content: "Fabrikam has implemented Microsoft Purview Audit (Premium). It now wants to create appropriate 10-year audit log retention policies for the managers of its security and compliance teams. What must Fabrikam do to enable this functionality?"
+    choices:
+    - content: "Configure the 10 year audit log setting in the Microsoft Purview compliance portal"
+      isCorrect: false
+      explanation: "Incorrect. There's no such setting in the Microsoft Purview compliance portal."
+    - content: "Purchase per-user add-on licenses for each manager"
+      isCorrect: true
+      explanation: "Correct. In addition to the one-year retention capabilities of Audit (Premium), Microsoft 365 can optionally retain audit logs for 10 years. The 10-year retention of audit logs helps support long running investigations and respond to regulatory, legal, and internal obligations. Retaining audit logs for 10 years requires an extra per-user add-on license. After this license is assigned to a user and an appropriate 10-year audit log retention policy is set for that user, audit logs covered by that policy will start to be retained for the 10-year period."
+    - content: "Nothing extra is needed since audit logs are retained by default for 10 years when Audit (Premium) is licensed"
+      isCorrect: false
+      explanation: "Incorrect. Audit logs are retained by default for one year in Audit (Premium)."

learn-pr/wwl-sci/investigate-threats-using-audit-in-microsoft-365-defender-microsoft-purview-premium/3-implement-microsoft-purview-audit-premium.yml

@@ -0,0 +1,14 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.investigate-threats-using-audit-in-microsoft-365-defender-microsoft-purview-premium.implement-microsoft-purview-audit-premium
+title: Implement Microsoft Purview Audit (Premium)
+metadata:
+  title: Implement Microsoft Purview Audit (Premium)
+  description: "Implement Microsoft Purview Audit (Premium)."
+  ms.date: 3/22/2023
+  author: wwlpublish
+  ms.author: kelawson
+  ms.topic: interactive-tutorial
+  ms.prod: learning-m365
+durationInMinutes: 3
+content: |
+  [!include[](includes/3-implement-microsoft-purview-audit-premium.md)]

learn-pr/wwl-sci/investigate-threats-using-audit-in-microsoft-365-defender-microsoft-purview-premium/4-manage-audit-log-retention-policies.yml

@@ -0,0 +1,28 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.investigate-threats-using-audit-in-microsoft-365-defender-microsoft-purview-premium.manage-audit-log-retention-policies
+title: Manage audit log retention policies
+metadata:
+  title: Manage audit log retention policies
+  description: "Manage audit log retention policies."
+  ms.date: 3/22/2023
+  author: wwlpublish
+  ms.author: kelawson
+  ms.topic: interactive-tutorial
+  ms.prod: learning-m365
+durationInMinutes: 10
+content: |
+  [!include[](includes/4-manage-audit-log-retention-policies.md)]
+quiz:
+  title: "Check your knowledge"
+  questions:
+  - content: "Contoso has implemented Microsoft Purview Audit (Premium). How long does Contoso's default audit log retention policy retain Exchange Online audit records?"
+    choices:
+    - content: "90 days"
+      isCorrect: false
+      explanation: "Incorrect. If an organization has non-E5 users or guest users, their corresponding audit records are retained for 90 days. However, this value isn't the retention period for the default audit log retention policy."
+    - content: "One year"
+      isCorrect: true
+      explanation: "Correct. Microsoft Purview Audit (Premium) provides a default audit log retention policy for all organizations. This policy retains all Exchange Online, SharePoint Online, OneDrive for Business, and Azure Active Directory audit records for one year."
+    - content: "Ten years"
+      isCorrect: false
+      explanation: "Incorrect. An organization can create a custom audit log retention policy that retains Exchange Online audit records for 10 years. However, this value isn't the retention period for the default audit log retention policy."

learn-pr/wwl-sci/investigate-threats-using-audit-in-microsoft-365-defender-microsoft-purview-premium/5-investigate-compromised-email-accounts.yml

@@ -0,0 +1,14 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.investigate-threats-using-audit-in-microsoft-365-defender-microsoft-purview-premium.investigate-compromised-email-accounts
+title: Investigate compromised email accounts using Purview Audit (Premium)
+metadata:
+  title: Investigate compromised email accounts using Purview Audit (Premium)
+  description: "Investigate compromised email accounts using Purview Audit (Premium)."
+  ms.date: 3/22/2023
+  author: wwlpublish
+  ms.author: kelawson
+  ms.topic: interactive-tutorial
+  ms.prod: learning-m365
+durationInMinutes: 15
+content: |
+  [!include[](includes/5-investigate-compromised-email-accounts.md)]

learn-pr/wwl-sci/investigate-threats-using-audit-in-microsoft-365-defender-microsoft-purview-premium/6-knowledge-check.yml

@@ -0,0 +1,50 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.investigate-threats-using-audit-in-microsoft-365-defender-microsoft-purview-premium.knowledge-check
+title: Knowledge check
+metadata:
+  title: Knowledge check
+  description: "Knowledge check."
+  ms.date: 3/22/2023
+  author: wwlpublish
+  ms.author: kelawson
+  ms.topic: interactive-tutorial
+  ms.prod: learning-m365
+durationInMinutes: 6
+content: |
+  [!include[](includes/6-knowledge-check.md)]
+quiz:
+  title: "Check your knowledge"
+  questions:
+  - content: "To help organizations investigate compromised email accounts, Microsoft 365 audits access to mail data by mail protocols and clients. What mailbox-auditing action does Microsoft 365 use in Audit (Premium) to provide this functionality?"
+    choices:
+    - content: "MailItemsAccessed"
+      isCorrect: true
+      explanation: "Correct. To help organizations investigate compromised email accounts, Microsoft 365 audits access to mail data by mail protocols and clients. It does so by using the MailItemsAccessed mailbox-auditing action. This audited action can help investigators better understand email data breaches and identify the scope of compromises to specific mail items that may have been compromised."
+    - content: "AuditExchangeMail"
+      isCorrect: false
+      explanation: "Incorrect. This item isn't a valid mailbox-auditing action."
+    - content: "ExchangeMailActivity"
+      isCorrect: false
+      explanation: "Incorrect. This item isn't a valid mailbox-auditing action."
+  - content: "Audit (Premium) helps organizations conduct forensic and compliance investigations by providing access to important events. Which of the following prerequisites must be completed so that audit logs will be generated when users perform these events?"
+    choices:
+    - content: "An extra add-on license must be purchased per user"
+      isCorrect: false
+      explanation: "Incorrect. Retaining audit logs for 10 years requires an extra per-user add-on license. However, such a license isn't required so that audit logs will be generated when users perform audited events."
+    - content: "Users must be assigned an Audit (Premium) license"
+      isCorrect: true
+      explanation: "Correct. Users must be assigned an Audit (Premium) license so that audit logs will be generated when users perform these important, audited events."
+    - content: "The MailItemsAccessed action must be enabled"
+      isCorrect: false
+      explanation: "Incorrect. This action doesn't require enabling."
+  - content: "Tailspin Toys has implemented Microsoft Purview Audit (Premium). It set up Audit (Premium) for its users. It's now enabling Audit (Premium) events to be logged. Which of the following items is an Audit (Premium) event that Tailspin Toys must enable?"
+    choices:
+    - content: "ExchangeQueryInitiated"
+      isCorrect: false
+      explanation: "Incorrect. This item isn't an Audit (Premium) event that must be enabled."
+    - content: "SearchQueryInitiatedSharePoint"
+      isCorrect: true
+      explanation: "Correct. You must enable the following Audit (Premium) events to be logged so that users can perform searches in Exchange Online and SharePoint Online: SearchQueryInitiatedExchange andSearchQueryInitiatedSharePoint."
+    - content: "InitiateOneDriveQuery"
+      isCorrect: false
+      explanation: "Incorrect. This item isn't an Audit (Premium) event that must be enabled."

learn-pr/wwl-sci/investigate-threats-using-audit-in-microsoft-365-defender-microsoft-purview-premium/7-summary.yml

@@ -0,0 +1,14 @@
+### YamlMime:ModuleUnit
+uid: learn.wwl.investigate-threats-using-audit-in-microsoft-365-defender-microsoft-purview-premium.summary
+title: Summary
+metadata:
+  title: Summary
+  description: "Summary."
+  ms.date: 3/22/2023
+  author: wwlpublish
+  ms.author: kelawson
+  ms.topic: interactive-tutorial
+  ms.prod: learning-m365
+durationInMinutes: 1
+content: |
+  [!include[](includes/7-summary.md)]

learn-pr/wwl-sci/investigate-threats-using-audit-in-microsoft-365-defender-microsoft-purview-premium/includes/1-introduction.md

@@ -0,0 +1,29 @@
+## Introduction to threat investigation with Microsoft Purview Audit (Premium)
+
+You're a Security Operations Analyst working at a company that is implementing Microsoft Purview and Microsoft 365 Defender solutions.  You have already implemented Microsoft Purview Audit (Standard) and used it to search the Unified Audit Log (UAL). Now you need to understand how to setup and implement Microsoft Purview Audit (Premium). Your manager has asked you to create audit log retention policies and to conduct forensic investigations.
+
+This module explores the key functionality in Microsoft Purview Audit (Premium). Audit (Premium) builds on the capabilities of Audit (Standard). It does so by providing audit log retention policies, longer retention of audit records, high-value crucial events, and higher bandwidth access to the Office 365 Management Activity API.
+
+The module begins by examining the setup requirements for Audit (Premium). Setup is basically a matter of maintaining proper organization subscriptions and user licensing. You'll then review the primary differences between Audit (Standard) and Audit (Premium). One of the key features of Audit (Premium) is that it can help organizations conduct forensic and compliance investigations by providing access to important events, such as:
+
+- when mail items were accessed.
+- when mail items were replied to and forwarded.
+- when and what a user searched for in Exchange Online and SharePoint Online.
+
+These events can help organizations investigate possible breaches and determine the scope of compromise.
+
+The module then examines how to implement Audit (Premium). You'll review the following steps that make up this workflow:
+
+1. Set up Audit (Premium) for users.
+1. Enable logging of crucial events.
+1. Create audit log retention policies.
+1. Perform forensic investigations.
+
+The module then focuses on the final two activities in this workflow - setting up audit log retention policies and performing investigations of compromised accounts.
+
+After completing this module, you'll be able to:
+
+- Describe the differences between Audit (Standard) and Audit (Premium).
+- Set up and implement Microsoft Purview Audit (Premium).
+- Create audit log retention policies.
+- Perform forensic investigations of compromised user accounts.