Unified Audit Log (UAL)

m365-azure, Identity & Directory, Cloud Admin Portal, SIEM / Log Aggregator

Location

Microsoft Purview > Audit > Search (or Search-UnifiedAuditLog cmdlet)

Description

Centralized audit log aggregating events across Exchange Online, SharePoint, OneDrive, Teams, Azure AD, Power Platform, and other M365 services. Records user and admin activity with timestamps, IP addresses, user agents, and operation details.

Forensic Value

The UAL is the single most important artifact for M365 investigations. It captures mailbox access, file downloads, sharing changes, admin role assignments, and OAuth app consents in one searchable location. Correlating ClientIP and UserAgent across operations reveals session hijacking: when the same session token appears from two different geolocations, a token theft is confirmed. Retention is 90 days (E3) or 365 days (E5).
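The ClientIP/UserAgent correlation described above, as an added example (not code from this page or from any of the tools it lists). It takes rows in the shape Search-UnifiedAuditLog exports (an AuditData column holding a JSON string), groups them by SessionId, and flags any session observed from more than one country. The sample rows, the IP-to-country table and the SessionId/UserAgent field names are constructed assumptions; in practice the geolocation table would be replaced by a real IP lookup.

```python
import json
from collections import defaultdict
from datetime import datetime


def _row(time, user, op, ip, ua, session=None):
    """Build one exported UAL row (constructed shape: CreationDate/UserIds/Operations/AuditData)."""
    data = {"CreationTime": time, "UserId": user, "Operation": op,
            "ClientIP": ip, "UserAgent": ua}
    if session:
        data["SessionId"] = session  # assumed field name for the session token
    return {"CreationDate": time, "UserIds": user, "Operations": op,
            "AuditData": json.dumps(data)}


# Constructed sample: users, IPs and session ids are invented for this example.
SAMPLE_UAL_ROWS = [
    # alice's session starts in one country with Outlook...
    _row("2024-05-01T08:02:11", "alice@contoso.example", "MailItemsAccessed",
         "203.0.113.10", "Outlook/16.0", "sess-aaaa-1111"),
    # ...and the same session token reappears from another country with a scripted client.
    _row("2024-05-01T08:41:53", "alice@contoso.example", "MailItemsAccessed",
         "198.51.100.7", "python-requests/2.31", "sess-aaaa-1111"),
    _row("2024-05-01T08:43:02", "alice@contoso.example", "New-InboxRule",
         "198.51.100.7", "python-requests/2.31", "sess-aaaa-1111"),
    # bob: one session, one IP, one user agent (benign).
    _row("2024-05-01T09:10:00", "bob@contoso.example", "MailItemsAccessed",
         "203.0.113.20", "Outlook/16.0", "sess-bbbb-2222"),
    _row("2024-05-01T09:12:30", "bob@contoso.example", "Send",
         "203.0.113.20", "Outlook/16.0", "sess-bbbb-2222"),
    # carol: IP changes within the same country (e.g. mobile handoff), same client.
    _row("2024-05-01T10:00:00", "carol@contoso.example", "MailItemsAccessed",
         "192.0.2.5", "Outlook-iOS/2.0", "sess-cccc-3333"),
    _row("2024-05-01T10:20:00", "carol@contoso.example", "MailItemsAccessed",
         "192.0.2.9", "Outlook-iOS/2.0", "sess-cccc-3333"),
    # SharePoint event without a session id: skipped by the session check.
    _row("2024-05-01T10:30:00", "carol@contoso.example", "FileDownloaded",
         "192.0.2.9", "Mozilla/5.0"),
]

# Constructed IP-to-country table standing in for a real geolocation lookup.
GEO_BY_IP = {
    "203.0.113.10": "US", "203.0.113.20": "US",
    "198.51.100.7": "NL",
    "192.0.2.5": "US", "192.0.2.9": "US",
}


def parse_rows(rows):
    """Flatten exported rows into the handful of fields the check needs."""
    events = []
    for row in rows:
        data = json.loads(row["AuditData"])
        events.append({
            "time": datetime.fromisoformat(data["CreationTime"]),
            "user": data["UserId"],
            "op": data["Operation"],
            "ip": data.get("ClientIP"),
            "ua": data.get("UserAgent"),
            "session": data.get("SessionId"),
        })
    return events


def find_hijacked_sessions(rows, geo):
    """Return {session_id: finding} for every session seen from more than one country."""
    by_session = defaultdict(list)
    for ev in parse_rows(rows):
        if ev["session"]:
            by_session[ev["session"]].append(ev)

    findings = {}
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["time"])
        countries = {geo.get(e["ip"], "unknown") for e in evs}
        if len(countries) < 2:
            continue
        agents = sorted({e["ua"] for e in evs if e["ua"]})
        findings[sid] = {
            "user": evs[0]["user"],
            "countries": sorted(countries),
            "ips": sorted({e["ip"] for e in evs}),
            "user_agents": agents,
            "user_agent_changed": len(agents) > 1,  # second client on the same token
            "first_seen": evs[0]["time"].isoformat(),
            "last_seen": evs[-1]["time"].isoformat(),
            "operations": [e["op"] for e in evs],  # what the stolen session did
        }
    return findings


if __name__ == "__main__":
    for sid, f in find_hijacked_sessions(SAMPLE_UAL_ROWS, GEO_BY_IP).items():
        print(sid, json.dumps(f, indent=2))
```

Only alice's session is reported: the token is seen from two countries and the user agent switches from Outlook to a scripted client, and the operations list shows what happened after the second IP appeared (here a new inbox rule). Carol's IP change is not flagged because both addresses resolve to the same country, which is the distinction the paragraph draws.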

Tools Required

Microsoft Purview Compliance Portal, PowerShell (Search-UnifiedAuditLog), Hawk, Sparrow

Related Blockers