Activity explorer allows you to monitor what's being done with your labeled content. Activity explorer provides a historical view of activities on your labeled content. The activity information is collected from the Microsoft 365 unified audit logs, transformed, and then made available in the activity explorer UI. Activity explorer reports on up to 30 days' worth of data.
Activity explorer gives you multiple ways to sort and view the data.
Filters
Filters are the building blocks of activity explorer, each focusing on a different dimension of the collected data. About 50 individual filters are available. Some of them are:
Date range
Activity type
Location
Sensitivity label
User
Client IP
Device name
Is protected
To see them all, open the filter pane in activity explorer and look at the dropdown list.
Note
Filter options are generated based on the first 500 records to ensure optimal performance. This may result in some values not being displayed in the filter dropdown.
Filter sets
Activity explorer comes with predefined sets of filters to help save time when you want to focus on a specific activity. Filter sets quickly give you a view of higher-level activities than individual filters do. Some of the predefined filter sets are:
Endpoint DLP activities
Sensitivity labels applied, changed, or removed
Egress activities
DLP policies that detected activities
Network DLP activities
Protected Browser
You can also create and save your own filter sets by combining individual filters.
Security Copilot in activity explorer (preview)
In preview, Microsoft Security Copilot in Microsoft Purview is embedded in activity explorer. It can help you efficiently drill down into activity data and identify activities, files with sensitive info, users, and additional details that are relevant to an investigation.
Important
Be sure to check the responses from Security Copilot for accuracy and completeness before taking any action based on the information provided. You can provide feedback to help improve the accuracy of the responses.
Data hunting
Security Copilot skills use all of the data available to Microsoft Purview, along with the filters and filter sets available in activity explorer, and use machine learning to provide you with insights into the activity (sometimes referred to as data hunting) on the data that is most important to you.
Show me the top 5 activities from the past week
Filter and investigate activities
Find files used in specific activities
Selecting a prompt will automatically open the Security Copilot side card and show you the results of the query. You can then further refine the query.
Natural language to filter set generation
You can use the prompt box to enter complex natural language queries to generate filter sets. For example, you can enter:
'Filter and investigate files copied to cloud with sensitive info type credit card number for past 30 days.'
Security Copilot will generate a filter set for your query. You should then review the filter to make sure it's what you want and then you can apply it to the data.
Tip
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview trials hub. Learn details about signing up and trial terms.
Activity explorer gathers information from the audit logs of multiple sources of activities.
Some examples of the Sensitivity label activities and Retention labeling activities from applications native to Microsoft Office, the Microsoft Information Protection client and scanner, SharePoint, Exchange (sensitivity labels only), and OneDrive include:
Label applied
Label changed (upgraded, downgraded, or removed)
Autolabeling simulation
File read
For the current list of activities listed in Activity explorer, go into Activity explorer and open the activity filter. The list of activities is available in the dropdown list.
Labeling activity specific to the Microsoft Information Protection client and scanner that comes into Activity explorer includes:
In addition, using Endpoint data loss prevention (DLP), activity explorer gathers DLP policy match events from Exchange, SharePoint, OneDrive, Teams Chat and Channel, on-premises SharePoint folders and libraries, on-premises file shares, and devices running Windows 10, Windows 11, and any of the three most recent major macOS versions. Some example events gathered from Windows 10 devices include the following actions taken on files:
Deletion
Creation
Copy to clipboard
Modify
Read
Print
Rename
Copy to network share
Access by an unallowed app
Understanding the actions that are taken on content with sensitivity labels helps you determine whether the controls that you have in place, such as Microsoft Purview Data Loss Prevention policies, are effective. If not, or if you discover something unexpected (such as a large number of items labeled highly confidential that are downgraded to general), you can manage your policies and take new actions to restrict the undesired behavior.
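The downgrade scenario described above can be checked outside the UI once label-change records are exported. The following is an added example, not Microsoft's code: the record layout, the label ranking, and the threshold and window values are all assumptions, and the sample records are constructed. It flags users who downgrade or remove labels on several items within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed label order, lowest to highest sensitivity; replace with your own taxonomy.
LABEL_RANK = {"General": 0, "Confidential": 1, "Highly Confidential": 2}

# Constructed sample records: (time, user, activity, old label, new label).
# This layout is hypothetical, not the real activity explorer export schema.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "alice@contoso.example", "Label changed", "Highly Confidential", "General"),
    ("2024-05-01T09:05:00", "alice@contoso.example", "Label changed", "Highly Confidential", "General"),
    ("2024-05-01T09:20:00", "alice@contoso.example", "Label changed", "Confidential", "General"),
    ("2024-05-01T09:30:00", "alice@contoso.example", "Label changed", "General", "Confidential"),  # upgrade
    ("2024-05-01T10:00:00", "bob@contoso.example", "Label changed", "Confidential", "General"),
    ("2024-05-01T15:00:00", "bob@contoso.example", "Label changed", "Confidential", None),  # removed
    ("2024-05-01T15:01:00", "bob@contoso.example", "File read", "Confidential", "Confidential"),
]


def is_downgrade(activity, old_label, new_label):
    """True when a label change lowers sensitivity or removes the label."""
    if activity != "Label changed" or old_label not in LABEL_RANK:
        return False
    if new_label is None:            # label removed: counts as a downgrade
        return True
    if new_label not in LABEL_RANK:  # unknown label: cannot rank it, do not guess
        return False
    return LABEL_RANK[new_label] < LABEL_RANK[old_label]


def flag_bulk_downgrades(events, threshold=3, window=timedelta(hours=1)):
    """Return {user: peak downgrade count in any window} for users at or above threshold."""
    per_user = defaultdict(list)
    for time, user, activity, old_label, new_label in events:
        if is_downgrade(activity, old_label, new_label):
            per_user[user].append(datetime.fromisoformat(time))
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start = best = 0
        for end, current in enumerate(times):
            while current - times[start] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    print(flag_bulk_downgrades(SAMPLE_EVENTS))
```

Tune the threshold and window against your own baseline; a bulk relabeling project will trip the same check as an attempt to bypass a DLP policy.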
Note
Activity explorer doesn't currently monitor retention activities for Exchange.
Note
If a user reports a Teams DLP verdict as a false positive, the activity shows as DLP info in the list in activity explorer. The entry won't have any rule or policy match details present but will show synthetic values. No incident report is generated for false positive reporting.
Activity type events and alerts
This table lays out the events that are triggered in Activity Explorer for three sample policy configurations, depending on whether or not a policy match is detected.
| Policy configuration | Activity Explorer event triggered for this action type | Activity Explorer event triggered when a DLP rule is matched | Activity Explorer alert triggered |
| --- | --- | --- | --- |
| Policy contains a single rule allowing the activity without auditing it. | Yes | No | No |
| Policy contains two rules: Matches for Rule #1 are allowed; policy matches for Rule #2 are audited. | Yes (Rule #2 only) | Yes (Rule #2 only) | Yes (Rule #2 only) |
| Policy contains two rules: Matches for both rules are allowed and not audited. | | | |