Get started with activity explorer

Activity explorer lets you monitor what's being done with your labeled content. Activity explorer provides a historical view of activities on your labeled content. The activity information comes from the Microsoft 365 unified audit logs. It's transformed and then made available in the activity explorer UI. Activity explorer reports on up to 30 days worth of data.

Activity explorer gives you multiple ways to sort and view the data.

Filters

Filters are the building blocks of activity explorer. Each filter focuses on a different dimension of the collected data. You can use about 50 different individual filters, including:

• Date range
• Activity type
• Location
• Sensitivity label
• User
• Client IP
• Device name
• Is protected

To see all the filters, open the filter pane in activity explorer and look at the dropdown list.

Filter sets

Activity explorer comes with predefined sets of filters to help save time when you want to focus on a specific activity. Use filter sets to quickly provide you with a view of higher level activities than individual filters do. Some of the predefined filter sets are:

• Endpoint DLP activities
• Sensitivity labels applied, changed, or removed
• Egress activities
• DLP policies that detected activities
• Network DLP activities
• Protected Browser

You can also create and save your own filter sets by combining individual filters.

Microsoft Security Copilot in activity explorer (preview)

In preview, Microsoft Security Copilot in Microsoft Purview is embedded in activity explorer. It can help efficiently drill down into Activity data and help you identify activities, files with sensitive info, users, and other details that are relevant to an investigation.

Data hunting

Security Copilot skills use all the data available to Microsoft Purview, filters, and filter sets available in activity explorer and use machine learning to provide you with insights into the activity (sometimes referred to as data hunting) on your data that is most important to you.

• Show me the top 5 activities from the past week
• Filter and investigate activities
• Find files used in specific activities

Selecting a prompt automatically opens the Security Copilot side card and shows you the results of the query. You can then further refine the query.

Natural language to filter set generation

Use the prompt box to enter complex natural language queries to generate filter sets. For example, you can enter:

Filter and investigate files copied to cloud with sensitive info type credit card number for past 30 days.

Security Copilot generates a filter set for your query. Review the filter to make sure it fits your needs, then apply it to the data.

Prerequisites

SKU/subscriptions licensing

For information on licensing, see

• Microsoft 365 Enterprise Plans
• Microsoft 365 Service Descriptions

Permissions

An account must be explicitly assigned membership in any one of these role groups, or must be explicitly granted the role.

Roles and role groups

Use roles and role groups to fine-tune your access controls. For more information, see Permissions in the Microsoft Purview portal.

Microsoft Purview roles

• Information Protection Admin
• Information Protection Analyst
• Information Protection Investigator
• Information Protection Reader

Microsoft Purview role groups

• Information Protection
• Information Protection Admins
• Information Protection Investigators
• Information Protection Analysts
• Information Protection Readers

Microsoft 365 roles

• Compliance Admins
• Security Admins
• Compliance Data Admins

Microsoft 365 role groups

• Compliance Administrator
• Security Administrator
• Security Reader

Activity types

Activity explorer gathers information from the audit logs of multiple sources of activities.

Some examples of the Sensitivity label activities and Retention labeling activities from applications native to Microsoft Office, the Microsoft Purview Information Protection client and scanner, SharePoint, Exchange (sensitivity labels only), and OneDrive include:

• Label applied
• Label changed (upgraded, downgraded, or removed)
• Auto-labeling simulation
• File read

For the current list of activities listed in Activity explorer, go into Activity explorer and open the activity filter. The list of activities is available in the dropdown list.

Labeling activity specific to the Microsoft Purview Information Protection client and scanner that comes into Activity explorer includes:

• Protection applied
• Protection changed
• Protection removed
• Files discovered

For more detailed information on what labeling activity makes it into Activity explorer, see Labeling events available in Activity explorer.

In addition, by using Endpoint data loss prevention (DLP), Activity explorer gathers DLP policy matches events from Exchange, SharePoint, OneDrive, Teams Chat and Channel, on-premises SharePoint folders and libraries, on-premises file shares, and devices running Windows 10, Windows 11, and any of the three most recent major macOS versions. Some example events gathered from Windows 10 devices include the following actions taken on files:

• Deletion
• Creation
• Copy to clipboard
• Modify
• Read
• Print
• Rename
• Copy to network share
• Access by an unallowed app

Understanding the actions that are taken on content with sensitivity labels helps you determine whether the controls that you have in place, such as Microsoft Purview Data Loss Prevention policies, are effective. If not, or if you discover something unexpected (such as a large number of items labeled highly confidential that are downgraded to general), you can manage your policies and take new actions to restrict the undesired behavior.

Activity type events and alerts

This table shows the events that Activity Explorer triggers for three sample policy configurations. The events depend on whether a policy match is detected.

See also

• Learn about sensitivity labels
• Learn about retention policies and retention labels
• Learn about sensitive information types