Table of Contents
Standard Stream Audit Events and Advanced Events
In yesterday’s article about updates for the Stream browser app, I noted the slippage in the advertised delivery dates for some of the features. At least, the updates haven’t yet arrived in my tenant or the other tenants I have administrative access to. Delays happen in software development. Losing a few days here and there is part of software life.
The same applies to message center notification MC686916 (3 November 2023), which predicted the availability of five advanced Stream audit events to tenants with Microsoft Purview Audit standard (essentially, Office 365 E3 and above) by the end of November. The same dates appear in Microsoft 365 roadmap item 180738.
Improving Audit Availability for Purview Standard Customers
Making advanced audit events available to more tenants is part of Microsoft’s initiative to increase access to Purview audit data announced in July 2023 following government criticism that too much audit data required premium access. The follow up note of October 18 details the changes Microsoft plans to make, including extending the retention period of audit events from 90 to 180 days for Purview Audit standard customers. Unfortunately, Microsoft has been slow to make the changes with the MailItemsAccessed event due to reach tenants in June 2024.
The advanced audit Stream events are:
- StreamInvokeGetTranscript
- StreamInvokeChannelView
- StreamInvokeGetTextTrack
- StreamInvokeGetVideo
- StreamInvokeGroupView
No good explanation exists online about the circumstances that cause the generation of these events. When I find out, I’ll update this post.
Apparently, the events should be generated by tenant activity now, but I don’t see any trace of them. Perhaps I’m not taking the necessary actions to provoke the creation of the advanced events, like fetching a transcript.
Stream Standard Audit Events
In any case, Stream Classic uses Azure storage to hold its videos and generates a dedicated set of audit events. The existence of dedicated events makes it much easier to query the unified audit log to discover information about who’s doing what with videos. Because the new Stream is based on SharePoint Online, audit events for actions like the creation of a new video show up just like the creation of a new Word document or Excel spreadsheet. Thus, you end up looking for:
- FileUploaded: A user uploads a video to Stream that’s stored in either SharePoint Online (for instance, if uploaded to a Teams channel) or OneDrive for Business. Teams meeting recordings are perhaps the most common example of Stream uploads (this article describes how to extract audit information for Teams recordings).
- FileModified: A user modifies an item stored in SharePoint Online or OneDrive for Business. An example of a Stream file modification is when a video owner updates the settings for a video, like adding a description.
You could also include FileAccessed, which is the event logged when a user accesses a file stored in SharePoint Online. Each time someone views a Stream video, SharePoint Online logs a FileAccessed event.
A Small Part of the Changeover to the New Stream
The change in storage platform means that any script that fetches and analyzes Stream audit events must be updated. Older scripts use the Search-UnifiedAuditLog cmdlet (Graph access to audit events is coming), so you need to check the code to make sure that the search finds the correct events and respects the unannounced and so far unexplained change introduced by Microsoft in September 2023 by including the SessionCommand parameter.
Because the Stream data are amidst a mass of other SharePoint Online document events (in particular, most tenants generate many FileAccessed and FileModified events daily), some work is necessary to extract the Stream events. The best method I’ve come up with is to look for events relating to files with .mp4 and .wbem extensions. The latter is the extension for videos generated by users using the Stream camera and screen recording options. I’ve created a script to show how, which you can download from GitHub. Figure 1 shows the output.
Some Stream-specific events are available such as actions logged for transcript creation, deletion, and access. This code finds those audit records
$Operations = "FileTranscriptContentAccessed", "FileTranscriptCreated", "FileTranscriptDeleted" [array]$Records = (Search-UnifiedAuditLog -Operations $Operations -StartDate $StartDate -EndDate $EndDate -Formatted -ResultSize 5000 -SessionCommand ReturnLargeSet)
Have fun with the final stage of the transition to Stream on SharePoint!
Make sure that you’re not surprised about changes that appear inside Office 365 applications by subscribing to the Office 365 for IT Pros eBook. Our monthly updates make sure that our subscribers stay informed.
One Reply to “Interpreting Audit Events for the New Stream”