Next you need to make your forensic evidence policies. In the PurView portal, go to “Forensic Evidence Policies” and choose “Forensic Evidence Policy”. Specify which activities to capture, such as printing, file exfIs, specific apps or websites, or all activities for selected users. “All activities” is not a specific setting and is used only for a fixed period during an investigation. You can also use advanced hunting and activity log features of Microsoft 365 defender for additional forensic analysis.
Susan Bradley / CSO
Caves and limitations
Even with these settings, many times it can happen that you are at the mercy of the seller. Forensic examinations of cloud assets may be complicated. To review the tracking through its log files that the oauth authentication was misused, often a specialist reviews of these log files. In addition you do not get memory dump or complete control like you do at endpoint. You must often open a support ticket with your seller to request log files, which can delay your investigation and response.
There are also budget limitations to be aware of it. For example, you may need to purchase additional storage to store the forensic evidence you want to capture.
