What level of M365/Entra ID/Azure auditing is needed to unequivocally determine user activity?
My company has an Entra ID P1 license. We have a couple hundred M365 Business Premium users and a handful of E5 users. We've learned some of the auditing is vague at best. Recently, while investigating user activity through the Unified Audit Portal in MS Defender, we found a lot of SharePoint FileAccessed and FilePreviewed actions for a user who should not have access to those artifacts. Digging much deeper, we learned the user never actually accessed any of those files and that those events were triggered by browser prefetching and page loading. The Microsoft Audit Log Activities documentation, https://video2.skills-academy.com/en-us/purview/audit-log-activities#frequently-asked-questions-about-fileaccessed-and-filepreviewed-events, says:
"Are there scenarios where a user previewing a document generates FileAccessed events? Both the FilePreviewed and FileAccessed events indicate that a user's call led to a read of the file (or a read of a thumbnail rendering of the file). While these events are intended to align with preview vs. access intention, the event distinction isn't a guarantee of the user's intent."
Essentially, the FilePreviewed and FileAccessed events are not positive indicators of definitive user activity. Are there other audit options in the Microsoft ecosystem that can be used to positively determine definitive user activity?
Thank you for your time.
edit: grammar