M365 Unified Audit Log Collection
Collect and analyze the Microsoft 365 Unified Audit Log (UAL) for the investigation window. The UAL captures user and admin activity across Exchange Online, SharePoint, OneDrive, Teams, Azure AD, and other M365 services.
Actions
1. Export the UAL with PowerShell for the investigation window. Each query returns at most 5000 records, so page through the result set with a fixed `-SessionId` and `-SessionCommand ReturnLargeSet`: `$results = Search-UnifiedAuditLog -StartDate "T_START" -EndDate "T_END" -ResultSize 5000 -SessionId "ual_export" -SessionCommand ReturnLargeSet`. Repeat the call with the same session ID until it returns no records, then export everything to JSON for parsing.
2. Use the CISA Sparrow tool or CrowdStrike CRT (Cloud Response Tool) for automated collection: `sparrow.ps1` performs bulk UAL export, Azure AD analysis, and inbox rule enumeration.
3. Export Azure AD sign-in logs (requires P1/P2): `Get-MgAuditLogSignIn -Filter "createdDateTime ge T_START" -All | Export-Csv signins.csv`. Also export `Get-MgAuditLogDirectoryAudit` for admin activity.
4. Check for eDiscovery content searches or compliance searches created by the attacker: `Get-ComplianceSearch | Select Name, CreatedBy, CreatedTime, ContentMatchQuery` -- attackers use these to bulk-export mailbox data.
5. Export mailbox audit logs for targeted mailboxes: `Search-MailboxAuditLog -Identity compromised_user -LogonTypes Delegate,Admin,Owner -StartDate T_START -EndDate T_END -ShowDetails | Export-Csv mailbox_audit.csv`.
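The paging loop from step 1 written out end to end, as an added example that is not part of the original playbook or of any Microsoft tooling. It assumes `Connect-ExchangeOnline` has already been run, uses literal dates as placeholders for T_START/T_END, and slices the window into one-hour chunks because a single ReturnLargeSet session returns at most 50,000 records.

```powershell
# Added example, not from the original playbook. Pages the whole investigation window
# through Search-UnifiedAuditLog, working around the 5000-records-per-call limit and the
# 50,000-records-per-session limit of ReturnLargeSet by slicing the window into one-hour
# chunks, each with its own SessionId. Assumes Connect-ExchangeOnline has already been run.
$Start      = [datetime]::new(2024, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)  # placeholder for T_START
$End        = [datetime]::new(2024, 1, 2, 0, 0, 0, [DateTimeKind]::Utc)  # placeholder for T_END
$OutFile    = "ual_export.jsonl"   # one JSON object per line, AuditData expanded for parsing
$SliceHours = 1

$seen   = [System.Collections.Generic.HashSet[string]]::new()   # dedupe on the record Identity GUID
$writer = [System.IO.StreamWriter]::new((Join-Path (Get-Location) $OutFile), $false)
try {
    $sliceStart = $Start
    while ($sliceStart -lt $End) {
        $sliceEnd = $sliceStart.AddHours($SliceHours)
        if ($sliceEnd -gt $End) { $sliceEnd = $End }
        # A fresh SessionId per slice restarts paging; repeating the same call with the same
        # SessionId returns the next page until an empty result comes back.
        $sessionId  = "ual-" + $sliceStart.ToString("yyyyMMddHHmmss")
        $sliceTotal = 0
        do {
            $page = @(Search-UnifiedAuditLog -StartDate $sliceStart -EndDate $sliceEnd `
                        -ResultSize 5000 -SessionId $sessionId -SessionCommand ReturnLargeSet)
            foreach ($rec in $page) {
                if (-not $seen.Add($rec.Identity)) { continue }   # the same record can recur across pages
                $sliceTotal++
                $obj = [ordered]@{
                    CreationDate = $rec.CreationDate.ToUniversalTime().ToString("o")
                    RecordType   = $rec.RecordType.ToString()
                    Operations   = $rec.Operations
                    UserIds      = $rec.UserIds
                    AuditData    = $rec.AuditData | ConvertFrom-Json   # nested JSON string -> object
                }
                $writer.WriteLine(($obj | ConvertTo-Json -Compress -Depth 20))
            }
            # ResultCount is the slice-wide match count; at the session cap the slice is incomplete
            if ($page.Count -gt 0 -and $page[0].ResultCount -ge 50000) {
                Write-Warning "Slice starting $sliceStart hit the 50,000-record session cap; reduce SliceHours"
            }
        } while ($page.Count -gt 0)
        Write-Host ("{0:u} -> {1:u}: {2} records" -f $sliceStart, $sliceEnd, $sliceTotal)
        $sliceStart = $sliceEnd
    }
}
finally {
    $writer.Dispose()
}
```

The resulting JSON Lines file is what the KQL-style filtering below would otherwise do in Sentinel: each line carries the parsed AuditData, so `Operation`, `ClientIP` and inbox-rule parameters can be queried directly with `ConvertFrom-Json` or any JSON tool.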
Queries
```kusto
CloudAppEvents
| where Timestamp between (datetime(T_START) .. datetime(T_END))
| where AccountObjectId == "<user_object_id>"
| where ActionType in ("MailItemsAccessed","Send","SearchQueryInitiatedExchange","SearchQueryInitiatedSharePoint","FileDownloaded","FileUploaded","Set-Mailbox","New-InboxRule","Set-InboxRule","Add-MailboxPermission")
| project Timestamp, ActionType, AccountDisplayName, IPAddress, RawEventData
| order by Timestamp asc
```

```kusto
AuditLogs
| where TimeGenerated between (datetime(T_START) .. datetime(T_END))
| where Category in ("ApplicationManagement","UserManagement","Policy","RoleManagement")
| where Result == "success"
| project TimeGenerated, OperationName, InitiatedBy, TargetResources, AdditionalDetails
| order by TimeGenerated desc
```

```kusto
OfficeActivity
| where TimeGenerated between (datetime(T_START) .. datetime(T_END))
| where Operation in ("New-InboxRule","Set-InboxRule","UpdateInboxRules","Add-MailboxPermission","AddFolderPermissions","Set-OwaMailboxPolicy","New-ManagementRoleAssignment")
| project TimeGenerated, UserId, Operation, Parameters, ClientIP
| order by TimeGenerated asc
```

Notes
- The UAL has a 90-day retention window for E3 licenses and 1 year for E5. If the investigation window exceeds retention, check if Sentinel or a third-party SIEM has a copy.
- MailItemsAccessed audit records (E5/Advanced Audit required) are the gold standard for proving whether specific emails or attachments were actually read by the attacker.
Where to Go Next
Related Artifacts
- Unified Audit Log (UAL): Microsoft Purview > Audit > Search (or the Search-UnifiedAuditLog cmdlet)
- Azure AD (Entra ID) Sign-in Logs: Azure Portal > Entra ID > Monitoring > Sign-in logs (or Microsoft Graph API /auditLogs/signIns)
- Mailbox Audit Logs: Exchange Admin Center or the Search-MailboxAuditLog cmdlet
- Inbox Rules Audit (Mailbox Forwarding): Unified Audit Log (Operations: New-InboxRule, Set-InboxRule, UpdateInboxRules)
Common Blockers
M365/Azure Logs Past Retention Period
Unified Audit Log (UAL) entries in Microsoft 365 or Azure AD sign-in logs have expired beyond the default 90-day (E3) or 180-day (E5) retention window. Historical evidence of initial access, mailbox abuse, or OAuth consent grants is no longer available in the tenant.
Suspected Insider Still Has Access -- Investigation Must Be Covert
The primary suspect is a current employee or contractor who still has active credentials and system access. Overt containment actions (account lockout, visible monitoring) would tip off the suspect and risk evidence destruction or acceleration of harmful activity.
Shared Cloud Environment Complicates Isolation
The compromised workload runs in a multi-tenant cloud environment (shared subscription, Kubernetes cluster, or PaaS) where isolation actions may impact other tenants or business-critical services sharing the same infrastructure.
Regulatory Notification Deadline Approaching
A regulatory reporting deadline (GDPR 72-hour, SEC 4-day, state breach notification, HIPAA) is imminent and the investigation has not yet determined the full scope of data exposure. The team must balance thorough investigation against mandatory disclosure timelines.