John White on 19 Mar 2024 19:30:24
Currently there is a tremendous amount of value in the M365 Audit log, but it is extremely difficult to access. Retention is low for API access and other methods are batch oriented at best. Apart from some work in Sentinel, there are no ways to react to events in near real time. This seems like an obvious data source for the RTA workload in Fabric. Kusto could allow for as much retention as desired, and streaming would allow for reactions in near real time.