Unified Audit Log (UAL)

m365-azureIdentity & DirectoryCloud Admin PortalSIEM / Log Aggregator

Location

Microsoft Purview > Audit > Search (or Search-UnifiedAuditLog cmdlet)

Description

Centralized audit log aggregating events across Exchange Online, SharePoint, OneDrive, Teams, Azure AD, Power Platform, and other M365 services. Records user and admin activity with timestamps, IP addresses, user agents, and operation details.

Forensic Value

The UAL is the single most important artifact for M365 investigations. It captures mailbox access, file downloads, sharing changes, admin role assignments, and OAuth app consents in one searchable location. Correlating ClientIP and UserAgent across operations reveals session hijacking -- when the same session token appears from two different geolocations, a token theft is confirmed. Retention is 90 days (E3) or 365 days (E5).

Tools Required

Microsoft Purview Compliance PortalPowerShell (Search-UnifiedAuditLog)HawkSparrow

Related Blockers

M365/Azure Logs Past Retention Period

Unified Audit Log (UAL) entries in Microsoft 365 or Azure AD sign-in logs have expired beyond the default 90-day (E3) or 180-day (E5) retention window. Historical evidence of initial access, mailbox abuse, or OAuth consent grants is no longer available in the tenant.

Suspected Insider Still Has Access -- Investigation Must Be Covert

The primary suspect is a current employee or contractor who still has active credentials and system access. Overt containment actions (account lockout, visible monitoring) would tip off the suspect and risk evidence destruction or acceleration of harmful activity.

Shared Cloud Environment Complicates Isolation

The compromised workload runs in a multi-tenant cloud environment (shared subscription, Kubernetes cluster, or PaaS) where isolation actions may impact other tenants or business-critical services sharing the same infrastructure.

Regulatory Notification Deadline Approaching

A regulatory reporting deadline (GDPR 72-hour, SEC 4-day, state breach notification, HIPAA) is imminent and the investigation has not yet determined the full scope of data exposure. The team must balance thorough investigation against mandatory disclosure timelines.