Important
Microsoft Purview Insider Risk Management correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage, and security violations. Insider Risk Management enables customers to create policies to manage security and compliance. Built with privacy by design, users are pseudonymized by default, and role-based access controls and audit logs are in place to help ensure user-level privacy.
The Insider Risk Management audit log helps you stay informed about actions taken on Insider Risk Management features. This log makes it possible to independently review the actions of users assigned to one or more Insider Risk Management role groups. Your organization automatically enables the Insider Risk Management audit log and you can't disable it.

The audit log automatically and immediately updates whenever it detects identified risk activities. The audit log keeps information for 180 days (about six months). After 180 days, the log permanently deletes data.
Areas in identified risk activity detection include:
- Policies
- Cases
- Alerts
- Settings
- Users
- Notice templates
To view and export data from the audit log, assign users to the Insider Risk Management or Insider Risk Management Auditors role groups. For more information about Insider Risk Management role groups, see Assign Insider Risk Management permissions.
Note
The Insider Risk Management audit log isn't associated with the Microsoft 365 audit log, as they're independent auditing systems that capture information on separate areas. Disabling Microsoft 365 auditing doesn't impact activity auditing within Insider Risk Management.
Tip
Get started with Microsoft Security Copilot to explore new ways to work smarter and faster using the power of AI. Learn more about Microsoft Security Copilot in Microsoft Purview.
View activity in the insider risk audit log
To view feature activity detected for Insider Risk Management, go to the Insider risk audit log link in the top-right area of any Insider Risk Management tab. By default, you see the following information displayed for Insider Risk Management activities:
- Activity: A description of the identified risk activity taken within the Insider Risk Management solution by a user.
- Category: The area or item where the identified risk activity was performed. For example, you see Policies as the category when policy change activities were performed.
- Activity performed by: The user name of the user who performed the identified risk activity.
- Date: The date and time the identified risk activity was performed. The date and time are the local date and time for your organization.
For more information about a logged activity, select the activity to display the activity details pane. This pane includes additional information about the identified risk activity.
Columns and filtering
To make it easier for auditors to review audit logs, filtering is supported in the Insider risk audit log. For basic filtering, queue columns are available to add to the view to provide different pivots on the logged activities. You can filter identified risk activities by the Category, Date range, and Activity performed by fields.
To add or remove column headings for the queue, use the Customize columns control and select from the column options. These columns map to common conditions supported in the Insider risk audit log and are listed later in this article.
Audit log export
Users assigned to the Insider Risk Management or Insider Risk Management Auditors role groups can export audit log activity to a .csv (comma-separated values) file by selecting Export on the Insider risk audit log page. Depending on the audit log activity, some fields might not be included in the filtered queue, and those fields appear as blank in the exported file.
The file contains audit log activity information for the following fields:
- Activity performed by: Name of the user modifying an item value. Users listed here are assigned to one or more of the following Insider Risk Management role groups: Insider Risk Management, Insider Risk Management Admins, Insider Risk Management Analysts, Insider Risk Management Investigators. Each role group has different permission levels for managing insider risk features.
- Activity: Type of activity taken on an item. Values are Viewed, Deleted, Added, Edited policy, Case, User, Alert, and Settings.
- Added: Objects you add during the identified risk activity, such as users, file types, or domains.
- Alert volume: Level of alert volume defined in Insider Risk Management settings.
- Amount: Currently selected custom indicator amounts for a policy.
- Asset ID: Asset ID of the priority physical asset the activity was performed on.
- Category: Category of the item modified. Values are Policies, Cases, Users, Alerts, Settings, and Notice templates.
- Date: Date and time, listed in your organization's local date and time.
- Description: Description input by the user for the object being acted on (such as a policy or a priority user group).
- DLP policy: The Microsoft Purview Data Loss Prevention (DLP) policy selected to trigger inclusion in an Insider Risk Management policy.
- Indicator: Indicator within insider risk settings that the activity was performed on (such as adding or removing an indicator).
- Notice template: Notice template that the identified risk activity was performed on.
- Number of days: Policy activation window defined in insider risk settings.
- Number of files: File volume limit defined in Insider Risk Management settings.
- Policy template: Policy template that the indicators acted on belong to.
- Previous amount: Previously selected custom indicator amounts for a policy.
- Priority user group: Priority user group the identified risk activity was performed on.
- Removed: Objects you remove during the identified risk activity, such as users, file types, or domains.
- Sender: Sender field of the notice template the identified risk activity was performed on.
- Target policy: The policy the identified risk activity was performed on (such as adding a user to or removing a user from the policy).
- Template message body: The message body of the notice template the identified risk activity was performed on.
- Template subject: The subject field of the notice template the identified risk activity was performed on.
- User: User the identified risk activity was performed on.
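The filtering described under Columns and filtering and the .csv export described above are what an auditor typically works with offline. The following added example (not Microsoft's code and not part of this article) shows one way to load such an export, apply the same Category, Date range and Activity performed by pivots, flag the blank fields the export leaves for activities that don't carry them, summarize user add/remove changes on policies, and identify entries that are about to fall outside the 180-day retention window. It assumes the export uses the field names listed above as its column headers and that the Date column holds a "YYYY-MM-DD HH:MM" timestamp; the sample rows are constructed.

```python
"""Parse and pivot an exported Insider Risk Management audit log (.csv).

Added example, not Microsoft's code. Assumptions: the export uses the field
names from the article as CSV column headers, and the Date column holds a
"YYYY-MM-DD HH:MM" timestamp. The sample data below is constructed.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export. Blank cells model fields that were not part of
# the filtered queue for a given activity and therefore appear empty.
SAMPLE_CSV = """Activity performed by,Activity,Category,Date,Target policy,User,Added,Removed
alice@contoso.example,Edited policy,Policies,2024-05-01 09:15,Data leaks - Finance,,bob@contoso.example,
alice@contoso.example,Viewed,Alerts,2024-05-02 14:02,,,,
carol@contoso.example,Deleted,Notice templates,2024-05-03 11:40,,,,
dave@contoso.example,Edited policy,Policies,2024-05-10 08:05,Data leaks - Finance,,,bob@contoso.example
carol@contoso.example,Added,Settings,2024-05-12 16:30,,,,
"""

RETENTION_DAYS = 180  # per the article, entries are deleted after 180 days
DATE_FORMAT = "%Y-%m-%d %H:%M"  # assumed timestamp layout of the export


def load_export(text):
    """Return the export as a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_date(value):
    """Parse a Date cell using the assumed export layout."""
    return datetime.strptime(value, DATE_FORMAT)


def filter_rows(rows, category=None, performed_by=None, start=None, end=None):
    """Apply the pivots the portal offers: Category, Date range and
    Activity performed by. A None argument means no constraint."""
    out = []
    for row in rows:
        if category and row["Category"] != category:
            continue
        if performed_by and row["Activity performed by"] != performed_by:
            continue
        when = parse_date(row["Date"])
        if start and when < start:
            continue
        if end and when > end:
            continue
        out.append(row)
    return out


def blank_fields(row):
    """Names of fields that are empty in this row (blank = not captured
    for this activity type, as the article notes for exports)."""
    return sorted(k for k, v in row.items() if v == "")


def policy_membership_changes(rows):
    """Group user add/remove operations by target policy.
    Returns {policy_name: [(actor, 'Added' | 'Removed', user), ...]}."""
    changes = {}
    for row in rows:
        if row["Category"] != "Policies":
            continue
        for op in ("Added", "Removed"):
            if row[op]:
                changes.setdefault(row["Target policy"], []).append(
                    (row["Activity performed by"], op, row[op]))
    return changes


def expired_before(rows, now):
    """Rows older than the retention window as of `now`. Evidence needed
    beyond 180 days has to be exported before reaching this point."""
    cutoff = now - timedelta(days=RETENTION_DAYS)
    return [r for r in rows if parse_date(r["Date"]) < cutoff]


if __name__ == "__main__":
    rows = load_export(SAMPLE_CSV)
    for r in filter_rows(rows, category="Policies"):
        print(r["Date"], r["Activity performed by"], r["Activity"],
              "blank:", blank_fields(r))
    print(policy_membership_changes(rows))
    print(len(expired_before(rows, parse_date("2024-11-01 00:00"))),
          "row(s) already past retention as of 2024-11-01")
```

Because the export reflects only what the filtered queue contained, `blank_fields` is the check to run before treating an empty cell as "no value was set": an empty Target policy on a Viewed alert is expected, whereas an empty Target policy on an Edited policy row would be worth a second look.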