
How to capture forensic evidence from Microsoft 365

Next, you need to create a forensic evidence policy. In the Purview portal, go to Forensic Evidence Policy and select "Create Forensic Evidence Policy." Specify the activities to capture, such as printing, file exfiltration, specific applications or websites, or all activities for the selected users. Capturing "all activities" is not typical and is normally enabled only for a set period during an investigation. You can also use Microsoft 365 Defender's advanced hunting and activity logging capabilities for other forensic analyses.
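To complement the captured forensic evidence with the tenant's own activity logs, the following PowerShell script is an added example (not code from the article or from Microsoft) that pulls a user's unified audit log entries for an investigation window, separates the OAuth/app-consent operations for review, and hashes the exports for chain of custody. It assumes the ExchangeOnlineManagement module, an account with audit-log read rights, and placeholder values for the user, window and output folder; the operation names in `$oauthOps` are an assumed starting list to adjust per tenant.

```powershell
# Added example (not from the CSO article): export a user's Microsoft 365 unified audit
# log for an investigation window, page through large result sets, and hash the output.
# Assumes ExchangeOnlineManagement is installed and the account holds an audit-log role.
param(
    [string]$UserId  = "user@example.com",        # placeholder: user under investigation
    [datetime]$Start = (Get-Date).AddDays(-30),   # investigation window start
    [datetime]$End   = (Get-Date),
    [string]$OutDir  = ".\m365-evidence"
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Entra ID audit operations to pull out when reviewing OAuth/app consent activity
# (assumption: starting list, names as they appear in the unified audit log).
$oauthOps = @("Consent to application.", "Add service principal.", "Add OAuth2PermissionGrant.")

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$sessionId = "forensic-" + [guid]::NewGuid().ToString()
$all = @()

# Search-UnifiedAuditLog returns at most 5000 rows per call; ReturnLargeSet keeps
# paging the same session until a call returns fewer than 5000 rows.
do {
    $page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End -UserIds $UserId `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $all += $page }
} while ($page -and $page.Count -eq 5000)

# Preserve the raw AuditData JSON exactly as returned, one record per line.
$rawPath = Join-Path $OutDir "unified-audit-$UserId.jsonl"
$all | ForEach-Object { $_.AuditData } | Set-Content -Path $rawPath -Encoding UTF8

# Separate view of OAuth-related operations for the reviewer.
$oauthPath = Join-Path $OutDir "oauth-activity-$UserId.csv"
$all | Where-Object { $oauthOps -contains $_.Operations } |
    Select-Object CreationDate, UserIds, Operations, RecordType, AuditData |
    Export-Csv -Path $oauthPath -NoTypeInformation

# Record SHA-256 hashes of the exports at collection time for chain of custody.
Get-FileHash -Algorithm SHA256 -Path $rawPath, $oauthPath |
    Select-Object Path, Hash, @{n = "CollectedUtc"; e = { (Get-Date).ToUniversalTime().ToString("o") }} |
    Export-Csv -Path (Join-Path $OutDir "evidence-hashes.csv") -NoTypeInformation

Disconnect-ExchangeOnline -Confirm:$false
```

Re-run `Get-FileHash` against the exports later and compare with `evidence-hashes.csv` to show the files were not altered after collection.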

Susan Bradley / CSO

Warnings and limitations

Even with these settings, you may sometimes be at the mercy of your vendors. Forensic examinations of cloud assets can be complicated. Tracing through log files to see how OAuth authentication was abused often requires expert review of those logs. Also, you won't get memory dumps or the full control you would have on an endpoint. You usually have to open a support ticket with your vendor to request log files, which delays your investigation and response.

Budget limitations also need attention. For example, you may need to purchase additional storage to retain the forensic evidence you wish to capture.
