M365 Unified Audit Log

The Microsoft 365 Unified Audit Log is the single most important forensic artifact in any cloud-focused investigation involving Microsoft services. It provides a centralized, timestamped record of all user and administrator activities across Exchange Online, SharePoint, OneDrive, Teams, Azure AD (Entra ID), and Microsoft Purview — but with a critical constraint: retention is limited to 90 days on E3 licenses and 365 days on E5. If you are reading this during an active investigation, begin log extraction immediately.

What Is the Unified Audit Log?

The Microsoft 365 Unified Audit Log (UAL) is a centralized logging system that aggregates audit events from across the entire Microsoft 365 ecosystem. When a user reads an email, downloads a SharePoint document, creates an inbox forwarding rule, logs in from a new IP address, or grants OAuth consent to a third-party application, that action is recorded as a JSON audit event in the UAL. The log is “unified” because it consolidates events from services that previously maintained separate, incompatible audit logs into a single searchable repository.

The UAL is accessed through three primary interfaces: the Microsoft Purview Compliance Portal (GUI-based search with limited result sets), the Search-UnifiedAuditLog PowerShell cmdlet (programmable, supports pagination for bulk extraction), and the Office 365 Management Activity API (REST-based, designed for SIEM integration and continuous log streaming). For forensic investigations, the PowerShell cmdlet is the standard extraction method because it supports date-range filtering, operation-type filtering, and handles the 5,000-record per-page pagination required for comprehensive collection.

Each UAL record is a JSON object containing a standard set of fields (CreationDate, UserIds, Operations, ResultStatus, ClientIP) plus an AuditData field that contains a nested JSON payload specific to the operation type. The AuditData field is where the forensically critical detail lives — for a MailItemsAccessed event, it contains the ClientInfoString, MailboxGuid, and individual message IDs; for a FileDownloaded event, it contains the file name, site URL, source IP, and user agent string.

Location & Format

Access Methods

Record Format

Each UAL record is a JSON object. The top-level fields are consistent across all record types:

Key Operations by Service

What It Reveals

The UAL provides cross-service visibility that no single endpoint artifact can match. The following investigative questions are directly answerable from UAL data:

• Who accessed the compromised mailbox and from where? — MailItemsAccessed events record the ClientIP, ClientInfoString, and SessionId for every email read operation. Correlating IPs with geolocation and the user’s known travel patterns identifies unauthorized access.
• Were inbox rules created to hide attacker activity? — New-InboxRule events show the rule parameters (ForwardTo, DeleteMessage, MoveToFolder). BEC attackers typically create rules that forward copies of incoming mail and/or delete messages containing keywords like “invoice,” “wire,” or “payment.”
• What emails were read by the attacker? — MailItemsAccessed Bind events contain InternetMessageId values that identify specific messages. Cross-referencing with Exchange message tracking logs reconstructs which emails the attacker surveilled.
• Were files downloaded from SharePoint or OneDrive? — FileDownloaded events record the filename, site URL, source IP, and user agent. A spike in downloads from a single user account, especially from an unusual IP, indicates data theft.
• Did the attacker grant OAuth consent to a malicious application? — Consent to application events record the AppId, Permissions granted, and the user who consented. OAuth consent phishing grants the attacker persistent access that survives password resets.
• Was MFA bypassed? — UserLoggedIn events include AuthenticationDetails showing which authentication methods were used. AiTM attacks result in successful logins where the attacker replays a stolen session token, bypassing MFA entirely.
• What was the scope of the compromise across services? — Because the UAL is unified, a single query can correlate Exchange mailbox access, SharePoint downloads, Teams messages, and Azure AD sign-ins for the same user account over the same time window.

Forensic Use Cases

1. Business Email Compromise (BEC) Investigation

The most common UAL forensic use case. An attacker compromises a user’s credentials via AiTM phishing, replays the stolen session token to access the mailbox, creates an inbox rule forwarding copies of financial correspondence to an external email address, surveys the mailbox for ongoing payment conversations, and then sends a fraudulent wire transfer instruction from the compromised account. The UAL records every step: UserLoggedIn from the attacker’s IP, New-InboxRule with ForwardTo parameter, MailItemsAccessed Bind events showing which emails were read, and Send events for the fraudulent messages.

2. OAuth Consent Phishing

The attacker sends a link that prompts the user to grant OAuth permissions to a malicious Azure AD application. Once consent is granted, the application has persistent API-level access to the user’s mailbox, calendar, and files — access that survives password changes and MFA enforcement. The UAL Consent to application event records the AppId, the permissions granted (e.g., Mail.Read, Files.ReadWrite.All), and the timestamp. Revoking the application via Remove-AzureADOAuth2PermissionGrant terminates the persistent access.

3. SharePoint/OneDrive Data Theft

An insider or compromised account downloads hundreds of files from a sensitive SharePoint site. The UAL FileDownloaded events record each file by name, site URL, and source IP. Aggregating download volume by hour reveals activity spikes that correlate with off-hours access. If the downloads occurred from an IP address that does not match the user’s known locations, or if the user agent string indicates an automated tool rather than a browser, the access is likely unauthorized.

4. Insider Threat Cross-Service Correlation

The UAL’s cross-service visibility is uniquely valuable for insider threat investigations. A single query can show that the same user account read sensitive emails (MailItemsAccessed), downloaded the attached documents from SharePoint (FileDownloaded), forwarded them to a personal email address (Send with external recipient), and then deleted the sent items (SoftDelete). No other single artifact provides this cross-service activity correlation.

5. Account Takeover Scope Assessment

After an account compromise is detected, the UAL provides rapid scope assessment. Querying all operations for the compromised UserIds during the attack window reveals exactly which services the attacker accessed, which emails they read, which files they downloaded, which rules they created, and whether they pivoted to other accounts via delegation or impersonation. This scope assessment drives the remediation plan: if the attacker only accessed email, the response is different than if they also downloaded SharePoint content and granted OAuth consent.

Acquisition Methods

PowerShell — Search-UnifiedAuditLog

# Connect to Exchange Online
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# Search for all activity by a specific user in a date range
# Note: Max 5,000 results per page; must paginate for full extraction
$results = @()
$sessionId = [guid]::NewGuid().ToString()
$startDate = "2026-02-01"
$endDate = "2026-03-01"
$userIds = "jdoe@contoso.com"

do {
    $batch = Search-UnifiedAuditLog `
        -StartDate $startDate `
        -EndDate $endDate `
        -UserIds $userIds `
        -SessionId $sessionId `
        -SessionCommand ReturnLargeSet `
        -ResultSize 5000
    $results += $batch
    Write-Host "Retrieved $($results.Count) records..."
} while ($batch.Count -eq 5000)

# Export to JSON for analysis
$results | ConvertTo-Json -Depth 10 | Out-File "C:\Evidence\UAL_jdoe.json"

# Export AuditData field (nested JSON) to CSV for tabular analysis
$results | ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Export-Csv "C:\Evidence\UAL_jdoe_auditdata.csv" -NoTypeInformation

PowerShell — Operation-Specific Queries

# Search for inbox rule creation (BEC indicator)
Search-UnifiedAuditLog -StartDate "2026-02-01" -EndDate "2026-03-01" `
    -Operations New-InboxRule,Set-InboxRule,Enable-InboxRule `
    -ResultSize 5000

# Search for MailItemsAccessed (email surveillance)
Search-UnifiedAuditLog -StartDate "2026-02-01" -EndDate "2026-03-01" `
    -Operations MailItemsAccessed `
    -UserIds "jdoe@contoso.com" `
    -ResultSize 5000

# Search for SharePoint file downloads
Search-UnifiedAuditLog -StartDate "2026-02-01" -EndDate "2026-03-01" `
    -Operations FileDownloaded `
    -ResultSize 5000

# Search for OAuth consent grants
Search-UnifiedAuditLog -StartDate "2026-02-01" -EndDate "2026-03-01" `
    -Operations "Consent to application" `
    -ResultSize 5000

Automated Extraction Tools

Parsing & Analysis Techniques

Parsing the AuditData JSON

The most important step in UAL analysis is correctly parsing the nested AuditData JSON field. Each record’s AuditData contains the operation-specific details that drive forensic conclusions. The top-level UAL fields (CreationDate, UserIds, Operations) provide the index; the AuditData provides the evidence.

# Parse UAL JSON export and analyze MailItemsAccessed events

import json
import pandas as pd
from collections import Counter

with open('/evidence/UAL_jdoe.json', 'r') as f:
    records = json.load(f)

# Extract AuditData from each record
audit_data = []
for r in records:
    try:
        ad = json.loads(r['AuditData']) if isinstance(r['AuditData'], str) else r['AuditData']
        audit_data.append(ad)
    except:
        continue

df = pd.DataFrame(audit_data)

# Analyze MailItemsAccessed — identify non-corporate IPs
mail_access = df[df['Operation'] == 'MailItemsAccessed'].copy()
ip_counts = Counter(mail_access['ClientIPAddress'])
print("Top IPs accessing mailbox:")
for ip, count in ip_counts.most_common(10):
    print(f"  {ip}: {count} events")

# Identify inbox rule creation
rules = df[df['Operation'].isin(['New-InboxRule', 'Set-InboxRule'])]
for _, rule in rules.iterrows():
    params = rule.get('Parameters', [])
    print(f"Rule created at {rule['CreationTime']} from {rule.get('ClientIP', 'N/A')}")
    print(f"  Parameters: {params}")

ClientInfoString Analysis

Retention & Licensing

Anti-Forensics Resilience

The UAL is a cloud-hosted, Microsoft-managed audit system. It cannot be directly modified, deleted, or tampered with by tenant administrators or attackers — with important caveats.

MITRE ATT&CK Detection Mapping

UAL data provides evidentiary support for detecting the following MITRE ATT&CK techniques:

Related Artifacts & Case Studies

Corroborating Artifacts

Case Studies

References

1. Microsoft, “Search the audit log in Microsoft Purview” — https://learn.microsoft.com/en-us/purview/audit-log-search
2. Microsoft, “Detailed properties in the audit log” — https://learn.microsoft.com/en-us/purview/audit-log-detailed-properties
3. Invictus IR, “Microsoft Extractor Suite” — https://github.com/invictus-ir/Microsoft-Extractor-Suite
4. CrowdStrike, “CRT — Cloud Response Tool” — https://github.com/CrowdStrike/CRT
5. T0pCyber, “HAWK — Hunting Attacks in the Wild with Kinesis” — https://github.com/T0pCyber/hawk
6. SANS Institute, “FOR509 — Enterprise Cloud Forensics and Incident Response” — https://www.sans.org/
7. Microsoft, “MailItemsAccessed audit records” — https://learn.microsoft.com/en-us/purview/audit-mailitemsaccessed
8. Invictus IR, “BEC Investigation Guide using M365 Unified Audit Log” — https://www.invictus-ir.com/