The unified audit log in Microsoft 365 is a powerful tool for security operations analysts investigating potential threats and security incidents. This centralized logging system captures user and administrator activities across various Microsoft 365 services, including Exchange Online, SharePoint, OneDrive, Azure AD, and Teams.
To investigate threats using the unified audit log, analysts begin by accessing the Microsoft Purview compliance portal or using PowerShell cmdlets like Search-UnifiedAuditLog. The search functionality allows filtering by date range, users, activities, and specific services, enabling targeted investigations.
When conducting threat investigations, analysts should focus on several key activity types. Failed login attempts and suspicious sign-in patterns may indicate brute force attacks or credential compromise. File access and sharing activities help identify data exfiltration attempts. Administrative actions such as permission changes or mailbox delegations could reveal privilege escalation. Modifications to email forwarding rules and transport rules might expose email-based attacks.
The investigation process typically follows these steps: First, define the scope by identifying the timeframe and affected users or resources. Second, execute searches using relevant filters to narrow down suspicious activities. Third, analyze the results by correlating events across different services to build a complete picture of the incident. Fourth, export and preserve evidence for further analysis or legal requirements.
Analysts should understand that audit log data is retained for 90 days by default, though E5 licenses extend this to one year. For effective threat hunting, creating custom alert policies helps automate detection of suspicious patterns.
Best practices include establishing baseline normal behavior to identify anomalies, correlating audit log data with other security tools like Microsoft Sentinel, and maintaining documented procedures for common investigation scenarios. The unified audit log serves as a critical data source for incident response, providing the evidence trail necessary to understand attack scope, identify compromised accounts, and implement appropriate remediation measures.
Investigate Threats Using the Unified Audit Log
Why It Is Important
The unified audit log is a critical tool for security operations analysts because it provides a centralized location to search for user and administrator activities across Microsoft 365 services. When investigating security incidents, having access to comprehensive audit data allows analysts to track suspicious behavior, establish timelines of malicious activity, and gather evidence for incident response. Understanding how to effectively use this tool is essential for threat hunting and forensic investigations.
What Is the Unified Audit Log?
The unified audit log is a searchable log that captures events from various Microsoft 365 services, including:
- Exchange Online
- SharePoint Online
- OneDrive for Business
- Azure Active Directory
- Microsoft Teams
- Power BI
- Dynamics 365
It records activities such as file access, permission changes, mailbox access, login events, and administrative actions. The log retains data for 90 days by default (or up to one year with advanced audit licensing).
How It Works
To access the unified audit log, navigate to the Microsoft Purview compliance portal and select Audit from the navigation menu. Before searching, ensure that auditing is enabled for your organization.
When searching the audit log, you can filter by:
- Date and time range: specify the period to investigate
- Activities: select specific activities like file downloads, login failures, or permission changes
- Users: focus on specific user accounts
- File, folder, or site: target specific resources
Search results can be exported to CSV for further analysis. Each audit record contains details including the operation performed, the user who performed it, the target object, and timestamp information.
Key Activities to Monitor for Threat Investigation
- Failed login attempts and unusual sign-in patterns
- Mailbox access by non-owners
- Mass file downloads or deletions
- Permission elevation or role assignments
- eDiscovery searches initiated
- Inbox rule creation (often used in business email compromise)
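The activities listed above, turned into an offline triage pass over retrieved audit records (an added example, not code from the original page): the function name, the download threshold and the three sample records are constructed for illustration, and the records carry only the Operations and AuditData properties that Search-UnifiedAuditLog returns.

```powershell
# Added example, not code from the original page: offline triage of retrieved
# audit records for the activity types listed above. Input objects carry the
# Operations and AuditData properties Search-UnifiedAuditLog returns; the
# function name, the download threshold and the sample records are constructed.
function Find-UalSuspiciousActivity {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [int] $DownloadThreshold = 100        # assumed trigger for "mass download"
    )
    $findings  = New-Object System.Collections.Generic.List[string]
    $downloads = @{}
    foreach ($r in $Records) {
        $d = $r.AuditData | ConvertFrom-Json   # AuditData is a JSON string
        switch ($r.Operations) {
            { $_ -in 'New-InboxRule', 'Set-InboxRule' } {
                # BEC pattern: a rule that forwards, redirects, deletes or hides mail.
                $names = @($d.Parameters | ForEach-Object { $_.Name })
                $risky = @($names -match 'Forward|Redirect|DeleteMessage|MoveToFolder')
                if ($risky.Count -gt 0) {
                    $findings.Add("$($d.UserId): inbox rule '$($d.ObjectId)' sets $($risky -join ', ')")
                }
            }
            'MailItemsAccessed' {
                # LogonType 0 = owner, 1 = admin, 2 = delegate; flag non-owner access.
                if ($null -ne $d.LogonType -and $d.LogonType -ne 0) {
                    $findings.Add("$($d.UserId): non-owner access to $($d.MailboxOwnerUPN) (LogonType $($d.LogonType))")
                }
            }
            'FileDownloaded'      { $downloads[$d.UserId] = 1 + [int]$downloads[$d.UserId] }
            'Add member to role.' { $findings.Add("$($d.UserId): role assignment on $($d.ObjectId)") }
            'SearchCreated'       { $findings.Add("$($d.UserId): eDiscovery search created") }
        }
    }
    foreach ($u in $downloads.Keys) {
        if ($downloads[$u] -ge $DownloadThreshold) {
            $findings.Add("${u}: $($downloads[$u]) file downloads (possible mass download)")
        }
    }
    return $findings
}

# Constructed sample records; the threshold of 1 just makes the download rule fire.
$sample = @(
    [pscustomobject]@{ Operations = 'New-InboxRule'; AuditData = '{"UserId":"alice@contoso.example","ObjectId":"Invoices","Parameters":[{"Name":"Name","Value":"Invoices"},{"Name":"ForwardTo","Value":"ext@mail.example"},{"Name":"DeleteMessage","Value":"True"}]}' }
    [pscustomobject]@{ Operations = 'MailItemsAccessed'; AuditData = '{"UserId":"helpdesk@contoso.example","MailboxOwnerUPN":"ceo@contoso.example","LogonType":2}' }
    [pscustomobject]@{ Operations = 'FileDownloaded'; AuditData = '{"UserId":"bob@contoso.example","ObjectId":"https://contoso.example/Shared/plan.docx"}' }
)
Find-UalSuspiciousActivity -Records $sample -DownloadThreshold 1
```

Real investigations feed this function the records returned by Search-UnifiedAuditLog or imported from an exported CSV, and tune the download threshold to the organization's baseline.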
Exam Tips: Answering Questions on Investigate Threats Using the Unified Audit Log
1. Know the prerequisites: Remember that auditing must be enabled and users need appropriate permissions (Audit Logs or View-Only Audit Logs role) to search the log.
2. Understand retention periods: Standard retention is 90 days. With Microsoft 365 E5 or Advanced Audit, retention extends to one year. Questions may test your knowledge of data availability.
3. Recognize the correct portal: The unified audit log is accessed through the Microsoft Purview compliance portal, not the Security portal or Microsoft 365 admin center.
4. Know common investigation scenarios: Be familiar with which activities to search for when investigating specific threats like phishing, data exfiltration, or compromised accounts.
5. Understand search limitations: Results are limited to 50,000 records per search. For larger datasets, narrow your search criteria or split the search into smaller date ranges.
6. PowerShell knowledge: The Search-UnifiedAuditLog cmdlet is used for programmatic access and automation. Know its basic parameters.
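The four-step process described earlier (scope, search, correlate, preserve) and the cmdlet's basic parameters, as an added example that is not code from the original page. It assumes the ExchangeOnlineManagement module is installed and Connect-ExchangeOnline has already been run; the function name, the export path and the sample scope values are assumptions. The portal filters map directly onto parameters: date range to -StartDate/-EndDate, activities to -Operations, users to -UserIds, and file or site to -ObjectIds.

```powershell
# Added example, not code from the original page: the four-step investigation
# (scope, search, correlate, preserve) driven by Search-UnifiedAuditLog.
# Assumes the ExchangeOnlineManagement module is installed and
# Connect-ExchangeOnline has already been run; the function name, the
# export path and the sample scope values are assumptions for illustration.
function Invoke-UalInvestigation {
    param(
        [Parameter(Mandatory)] [datetime] $StartDate,   # step 1: scope by timeframe
        [Parameter(Mandatory)] [datetime] $EndDate,
        [string[]] $UserIds,                            # step 1: affected accounts
        [string[]] $Operations,                         # step 2: activity filter
        [string[]] $ObjectIds,                          # step 2: file/folder/site filter
        [string]   $ExportPath = '.\ual-evidence.csv'   # step 4: evidence file
    )
    # One SessionId ties the paged calls together; ReturnLargeSet pages through
    # up to 50,000 records, at most 5,000 per call (the cmdlet's ResultSize cap).
    $sessionId = 'ual-' + [guid]::NewGuid().ToString()
    $records   = New-Object System.Collections.Generic.List[object]
    do {
        $params = @{
            StartDate = $StartDate; EndDate = $EndDate
            SessionId = $sessionId; SessionCommand = 'ReturnLargeSet'; ResultSize = 5000
        }
        if ($UserIds)    { $params.UserIds    = $UserIds }
        if ($Operations) { $params.Operations = $Operations }
        if ($ObjectIds)  { $params.ObjectIds  = $ObjectIds }
        $page = @(Search-UnifiedAuditLog @params)
        foreach ($r in $page) {
            # Step 3: AuditData is a JSON string; lift the fields needed to
            # correlate events across workloads (who, from where, what, outcome).
            $d = $r.AuditData | ConvertFrom-Json
            $records.Add([pscustomobject]@{
                CreationDate = $r.CreationDate; RecordType = $r.RecordType
                Operation    = $r.Operations;   UserId     = $r.UserIds
                ClientIP     = $d.ClientIP;     Workload   = $d.Workload
                ResultStatus = $d.ResultStatus; ObjectId   = $d.ObjectId
            })
        }
    } while ($page.Count -gt 0)
    # Step 4: preserve the evidence set in time order, then return it for analysis.
    $records | Sort-Object CreationDate | Export-Csv -Path $ExportPath -NoTypeInformation
    return $records
}

# Sample scope (constructed values): inbox-rule changes and failed logins for one
# user over the last seven days, then a quick per-source-IP correlation.
$evidence = Invoke-UalInvestigation -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -UserIds 'alice@contoso.example' -Operations 'New-InboxRule','Set-InboxRule','UserLoginFailed'
$evidence | Group-Object ClientIP | Sort-Object Count -Descending | Select-Object Count, Name
```

The exported CSV is the preserved evidence for step 4; the in-memory objects are what you correlate against sign-in logs or Sentinel data in step 3.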
7. Differentiate from other logs: Understand when to use the unified audit log versus Azure AD sign-in logs, Microsoft Defender logs, or Azure Activity logs based on the investigation scenario presented.