- ID: DT094
- Created: 29th July 2024
- Updated: 29th July 2024
- Contributor: The ITM Team
Microsoft Purview Audit Search
Microsoft's Purview portal has a feature named Audit that provides access to critical audit log event data, which investigators can use to gain insight into and further investigate user activities. It can be used to investigate activity across a range of Microsoft services, such as SharePoint, OneDrive, and Outlook. Searches can be scoped to a specific timeframe, user account, and platform using the extensive filters available.
Sections
ID | Name | Description |
---|---|---|
IF021 | Harassment and Discrimination | A subject engages in unauthorized conduct that amounts to harassment or discriminatory behavior within the workplace, targeting individuals or groups based on protected characteristics, such as race, gender, religion, or other personal attributes. Incidents of harassment and discrimination may expose the organization to legal risks, potential reputational damage, and regulatory penalties. Additionally, individuals affected by such behavior may be at higher risk of retaliating or disengaging from their work, potentially leading to further insider risks. |
ME023 | Intellectual Property Theft | A subject shares or exploits proprietary information, trade secrets, creative works, or ideas obtained through their time with an organization. |
IF011.003 | Providing Unauthorized Access to a Collaboration Platform | The subject provides an unauthorized party with access to a collaboration platform, such as Slack, Teams, or Confluence, exposing that party to information they are not permitted to access. This can be achieved by adding an existing organizational account or a guest account. |
PR004.002 | Collaboration Platform Exploration | A subject may search for or otherwise explore files on a collaboration platform (such as SharePoint, OneDrive, or Confluence) to identify sensitive or valuable information. |
PR020.002 | Modification of Sensitivity Labels | The subject modifies or downgrades the sensitivity label of a file in an attempt to bypass DLP or other security controls. |