Decoding the Microsoft 365 Unified Audit Log
Best Practices Unified Audit Log
👉 This was a Level 400 session; missing words or imprecise explanations may be due to the limited time available for documenting the facts.
The Unified Audit Log is a data warehouse for audit events ingested from Microsoft 365 and Entra workloads, covering more than 20,000 different event types. Records are retained for 180 days (one year with an Audit Premium license). The log can be queried with PowerShell or with the Audit Log Query Graph API.
The audit log is important because it tracks actions performed by users and by background processes across the workloads of a Microsoft 365 tenant. Admins use this information to understand what happens within the tenant; forensic investigators use it to establish who did what, and when.
Basic rules:
- Like eDiscovery searches, it's all about focus, focus, and focus
- You have to know which operations (actions) to search for
- Limit the date range to the shortest possible period
- If possible, know the user principal names you're interested in (the actors)
With regard to the retrieved data records:
- records are divided into a header and a data part
- workloads must populate the header with common properties (unique identifier, workload, timestamp, operation and user id)
- workloads dictate what their records store in the AuditData property (a JSON structure); it tells you what happened / what was logged
👉 You have to understand the AuditData property. Microsoft makes it slightly difficult to understand because the data structure changes often and differs from workload to workload.
Purview Audit search is not an interactive search; it starts a background search process that can return up to 5,000 events. Multiple searches can run at the same time, and only the events matched by the search criteria turn up in the search results, nothing else. Search results are retained for 30 days and can be exported to a CSV file.
PowerShell Queries
Note
Use the Search-UnifiedAuditLog PowerShell cmdlet to perform a search query; it's currently the fastest way to retrieve audit data. Use the parameter SessionCommand with the value ReturnLargeSet for large queries of up to 50,000 events.
Example: Find the latest records from the last 24 hours and return them in a formatted ("readable") structure
[array]$Records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -ResultSize 5000 -SessionCommand ReturnLargeSet -Formatted
# Remove duplicate audit records (ReturnLargeSet can return the same record more than once)
$Records = $Records | Sort-Object Identity -Unique
# Analyze the audit records to understand what happened: count records per operation (do not overwrite $Records with the formatted output)
$Records | Group-Object Operations -NoElement | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize
Example: Filter the Set-ConditionalAccessPolicy operation from the search results
$Rec = $Records | Where-Object {$_.Operations -eq "Set-ConditionalAccessPolicy"}
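The header/AuditData split described above and the dedupe, summarize and filter steps of the two examples, worked through on constructed data. This is an added example, not code from the session notes: the records in $SampleRecords are made up to mimic the shape of Search-UnifiedAuditLog output (header properties plus an AuditData JSON string), and Expand-AuditRecord is a helper defined here, not a Microsoft cmdlet. In practice, pipe the real output of Search-UnifiedAuditLog into Expand-AuditRecord instead.

```powershell
# Added example (not from the original session notes): turn raw Search-UnifiedAuditLog
# records into readable objects. The header properties are the same for every workload;
# AuditData is a workload-specific JSON document that has to be parsed separately.
# $SampleRecords are constructed samples shaped like the cmdlet's output.
$SampleRecords = @(
    [pscustomobject]@{
        Identity     = '0f3c1a2b-0000-4aaa-8bbb-000000000001'
        CreationDate = [datetime]'2024-05-02T08:15:00Z'
        RecordType   = 'AzureActiveDirectory'
        Operations   = 'Set-ConditionalAccessPolicy'
        UserIds      = 'admin@contoso.example'
        AuditData    = '{"CreationTime":"2024-05-02T08:15:00","Id":"0f3c1a2b-0000-4aaa-8bbb-000000000001","Operation":"Set-ConditionalAccessPolicy","Workload":"AzureActiveDirectory","ResultStatus":"Success","UserId":"admin@contoso.example","ClientIP":"203.0.113.10","ObjectId":"Require MFA for admins"}'
    },
    [pscustomobject]@{
        Identity     = '0f3c1a2b-0000-4aaa-8bbb-000000000002'
        CreationDate = [datetime]'2024-05-02T09:40:00Z'
        RecordType   = 'ExchangeAdmin'
        Operations   = 'New-InboxRule'
        UserIds      = 'alice@contoso.example'
        AuditData    = '{"CreationTime":"2024-05-02T09:40:00","Id":"0f3c1a2b-0000-4aaa-8bbb-000000000002","Operation":"New-InboxRule","Workload":"Exchange","ResultStatus":"True","UserId":"alice@contoso.example","ClientIP":"198.51.100.7","ObjectId":"Forward invoices","Parameters":[{"Name":"ForwardTo","Value":"ext@example.net"},{"Name":"DeleteMessage","Value":"True"}]}'
    },
    [pscustomobject]@{
        Identity     = '0f3c1a2b-0000-4aaa-8bbb-000000000003'
        CreationDate = [datetime]'2024-05-02T11:05:00Z'
        RecordType   = 'SharePointFileOperation'
        Operations   = 'FileAccessed'
        UserIds      = 'bob@contoso.example'
        AuditData    = '{"CreationTime":"2024-05-02T11:05:00","Id":"0f3c1a2b-0000-4aaa-8bbb-000000000003","Operation":"FileAccessed","Workload":"SharePoint","UserId":"bob@contoso.example","ClientIP":"203.0.113.25","ObjectId":"https://contoso.sharepoint.com/sites/Finance/Shared Documents/Budget.xlsx","SiteUrl":"https://contoso.sharepoint.com/sites/Finance/","SourceFileName":"Budget.xlsx"}'
    }
)
# Simulate the duplicate that ReturnLargeSet can hand back (same Identity twice)
$SampleRecords += $SampleRecords[0]

function Expand-AuditRecord {
    # Helper defined for this example: header properties first, then the parsed AuditData
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $Out = [ordered]@{
            Identity   = $Record.Identity
            Timestamp  = $Record.CreationDate
            RecordType = $Record.RecordType
            Operation  = $Record.Operations
            User       = $Record.UserIds
        }
        $Data = $null
        try { $Data = $Record.AuditData | ConvertFrom-Json }
        catch { $Out['ParseError'] = $_.Exception.Message }   # keep the record, flag the problem
        if ($Data) {
            foreach ($p in $Data.PSObject.Properties) {
                if ($Out.Contains($p.Name)) { continue }       # header value wins on name clashes
                if ($p.Name -eq 'Parameters' -and $p.Value) {  # Exchange cmdlet parameters: flatten to "Name=Value"
                    $Out[$p.Name] = ($p.Value | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
                } else {
                    $Out[$p.Name] = $p.Value
                }
            }
        }
        [pscustomobject]$Out
    }
}

# 1. Remove duplicates first, otherwise every count below is inflated
$Records  = $SampleRecords | Sort-Object Identity -Unique
# 2. Expand AuditData so that workload-specific fields (ClientIP, ObjectId, Parameters, ...) become columns
$Expanded = $Records | Expand-AuditRecord
# 3. What happened? Count per operation
$Expanded | Group-Object Operation -NoElement | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize
# 4. Zoom in on one operation with the fields that matter for that workload
$Expanded | Where-Object Operation -eq 'Set-ConditionalAccessPolicy' |
    Select-Object Timestamp, User, ClientIP, ObjectId, ResultStatus | Format-Table -AutoSize
# 5. Exchange example: the inbox rule's parameters are only visible after expansion
$Expanded | Where-Object Operation -eq 'New-InboxRule' | Select-Object Timestamp, User, ObjectId, Parameters | Format-List
```

With the real cmdlet output the property names inside AuditData differ by workload and change over time, which is why the helper copies whatever properties it finds instead of selecting a fixed list; filter on the expanded objects afterwards.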
Note
Define the time span for the search as precisely as possible, and identify the actors (users or apps). Make sure you remove duplicate records.
Example: Find the last access date for SPO files
# Assumed placeholders (not from the notes): set the time span and the ObjectIds (the full URL of a SharePoint item) before running
$StartDate = (Get-Date).AddDays(-30)
$EndDate = Get-Date
$TargetSearchSite = "<full URL of the SharePoint item(s) of interest>"
$Records = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -RecordType "SharePointFileOperation" -ResultSize 5000 -SessionCommand ReturnLargeSet -Formatted -ObjectIds $TargetSearchSite
# Remove duplicate audit records
$Records = $Records | Sort-Object Identity -Unique
# Filter out the stuff you're not interested in...
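The filtering step the example above leaves open, worked through as an added example (not code from the session notes): from deduplicated SharePointFileOperation records, keep only the operations that count as an access, then take the newest one per file. $SpoRecords are constructed samples in the shape of Search-UnifiedAuditLog output; replace them with the $Records from the search above. Get-SpoLastAccess is a helper defined here.

```powershell
# Added example (not from the original session notes). $SpoRecords are constructed samples.
$SpoRecords = @(
    [pscustomobject]@{ Identity='a1'; CreationDate=[datetime]'2024-05-01T10:00:00Z'; RecordType='SharePointFileOperation'; Operations='FileAccessed'; UserIds='bob@contoso.example'
        AuditData='{"CreationTime":"2024-05-01T10:00:00","Operation":"FileAccessed","UserId":"bob@contoso.example","ClientIP":"203.0.113.25","ObjectId":"https://contoso.sharepoint.com/sites/Finance/Shared Documents/Budget.xlsx","SourceFileName":"Budget.xlsx"}' }
    [pscustomobject]@{ Identity='a2'; CreationDate=[datetime]'2024-05-03T16:20:00Z'; RecordType='SharePointFileOperation'; Operations='FileModified'; UserIds='carol@contoso.example'
        AuditData='{"CreationTime":"2024-05-03T16:20:00","Operation":"FileModified","UserId":"carol@contoso.example","ClientIP":"203.0.113.31","ObjectId":"https://contoso.sharepoint.com/sites/Finance/Shared Documents/Budget.xlsx","SourceFileName":"Budget.xlsx"}' }
    [pscustomobject]@{ Identity='a3'; CreationDate=[datetime]'2024-05-02T12:00:00Z'; RecordType='SharePointFileOperation'; Operations='FileDownloaded'; UserIds='bob@contoso.example'
        AuditData='{"CreationTime":"2024-05-02T12:00:00","Operation":"FileDownloaded","UserId":"bob@contoso.example","ClientIP":"203.0.113.25","ObjectId":"https://contoso.sharepoint.com/sites/Finance/Shared Documents/Budget.xlsx","SourceFileName":"Budget.xlsx"}' }
    [pscustomobject]@{ Identity='a4'; CreationDate=[datetime]'2024-05-04T08:45:00Z'; RecordType='SharePointFileOperation'; Operations='FileAccessed'; UserIds='dave@contoso.example'
        AuditData='{"CreationTime":"2024-05-04T08:45:00","Operation":"FileAccessed","UserId":"dave@contoso.example","ClientIP":"198.51.100.9","ObjectId":"https://contoso.sharepoint.com/sites/Finance/Shared Documents/Plan.docx","SourceFileName":"Plan.docx"}' }
    [pscustomobject]@{ Identity='a5'; CreationDate=[datetime]'2024-05-05T09:00:00Z'; RecordType='SharePointFileOperation'; Operations='FolderCreated'; UserIds='dave@contoso.example'
        AuditData='{"CreationTime":"2024-05-05T09:00:00","Operation":"FolderCreated","UserId":"dave@contoso.example","ClientIP":"198.51.100.9","ObjectId":"https://contoso.sharepoint.com/sites/Finance/Shared Documents/Archive","SourceFileName":"Archive"}' }
)
$SpoRecords += $SpoRecords[1]   # duplicate, as ReturnLargeSet may produce

function Get-SpoLastAccess {
    # Helper defined for this example: newest "access-like" operation per ObjectId (file URL)
    param(
        [Parameter(Mandatory)] [object[]]$Records,
        # Operations that count as an access; folder/sharing/permission events are deliberately excluded
        [string[]]$AccessOperations = @('FileAccessed', 'FileModified', 'FileDownloaded', 'FilePreviewed', 'FileUploaded')
    )
    $Records |
        Sort-Object Identity -Unique |                       # speed over accuracy: drop duplicates first
        ForEach-Object { $_.AuditData | ConvertFrom-Json } |  # the interesting fields live in AuditData
        Where-Object { $_.Operation -in $AccessOperations } |
        Group-Object ObjectId |
        ForEach-Object {
            # CreationTime in AuditData is UTC without a zone suffix; parse it before sorting
            $Latest = $_.Group | Sort-Object { [datetime]$_.CreationTime } -Descending | Select-Object -First 1
            [pscustomobject]@{
                File          = $Latest.SourceFileName
                Url           = $_.Name
                LastAccess    = [datetime]$Latest.CreationTime
                LastOperation = $Latest.Operation
                LastUser      = $Latest.UserId
                LastClientIP  = $Latest.ClientIP
                EventsInRange = $_.Count
            }
        } | Sort-Object LastAccess -Descending
}

Get-SpoLastAccess -Records $SpoRecords | Format-Table File, LastAccess, LastOperation, LastUser, EventsInRange -AutoSize
```

On the sample data Budget.xlsx reports its FileModified of 3 May (not the earlier FileAccessed), Plan.docx its single FileAccessed, and the FolderCreated event is ignored. A file that does not appear in the output was not touched within the search window, which is not the same as "never accessed": widen the window (or use a scheduled, segmented search) before drawing that conclusion.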
Note
It's highly recommended to use Azure Automation to run audit log queries on a regular (scheduled) basis.
Limitations
- Large tenants can generate millions of audit records daily.
- If a search needs to retrieve more than 50,000 records, it must be divided into segments (for example, shorter time ranges) whose results are combined afterwards.
- Normal searches emphasize speed over accuracy; this is why it's important to remove duplicate records from the results.
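The segmenting approach from the limitations above, as an added example that is not part of the session notes: Search-UalSegmented is a helper defined here that splits the requested date range into fixed time slices, pages through each slice with a ReturnLargeSet session (5,000 records per call), warns when a slice hits the 50,000 record ceiling, and deduplicates the combined result. It calls the real Search-UnifiedAuditLog cmdlet, so it needs a connected Exchange Online PowerShell session; the segment size and the filters in the usage call are assumptions to adjust.

```powershell
# Added example (not from the original session notes). Requires Connect-ExchangeOnline first.
function Search-UalSegmented {
    param(
        [Parameter(Mandatory)] [datetime]$StartDate,
        [Parameter(Mandatory)] [datetime]$EndDate,
        [int]$SegmentHours = 6,        # assumed default; shrink it for busy tenants
        [string[]]$Operations,         # optional filters passed straight to the cmdlet
        [string[]]$UserIds
    )
    $All      = [System.Collections.Generic.List[object]]::new()
    $SegStart = $StartDate
    while ($SegStart -lt $EndDate) {
        $SegEnd = $SegStart.AddHours($SegmentHours)
        if ($SegEnd -gt $EndDate) { $SegEnd = $EndDate }

        # One ReturnLargeSet session per segment: the session id ties the pages together
        $SessionId = [guid]::NewGuid().ToString()
        $Fetched   = 0
        $Total     = 0
        do {
            $Params = @{
                StartDate      = $SegStart
                EndDate        = $SegEnd
                SessionId      = $SessionId
                SessionCommand = 'ReturnLargeSet'
                ResultSize     = 5000          # maximum page size of the cmdlet
                Formatted      = $true
            }
            if ($Operations) { $Params.Operations = $Operations }
            if ($UserIds)    { $Params.UserIds    = $UserIds }
            [array]$Batch = Search-UnifiedAuditLog @Params
            if ($Batch.Count -gt 0) {
                $All.AddRange([object[]]$Batch)
                $Fetched += $Batch.Count
                $Total    = $Batch[0].ResultCount   # total hits reported for this session
            }
        } while ($Batch.Count -gt 0 -and $Fetched -lt $Total)

        if ($Total -ge 50000) {
            Write-Warning ("Segment {0:u} - {1:u} reached the 50,000 record session limit; results may be incomplete, use a smaller -SegmentHours" -f $SegStart, $SegEnd)
        }
        Write-Verbose ("Segment {0:u} - {1:u}: {2} records" -f $SegStart, $SegEnd, $Fetched)
        $SegStart = $SegEnd
    }
    # Speed over accuracy: the same record can come back more than once, so dedupe before use
    $All | Sort-Object Identity -Unique
}

# Usage (assumed filters): three days of Exchange inbox-rule changes, in 6-hour slices
$Records = Search-UalSegmented -StartDate (Get-Date).AddDays(-3) -EndDate (Get-Date) `
    -Operations 'New-InboxRule', 'Set-InboxRule' -Verbose
$Records | Group-Object Operations -NoElement | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize
```

Keep the other basic rules in force while segmenting: a narrow operation and actor filter per slice keeps each session well under the 50,000 limit and makes the whole run much faster than one broad query.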
Graph API Queries (Preview)
The Graph API is intended for asynchronous audit log searches. The basic approach is:
- Create and submit an audit log search (job)
- Check job status
- When job finishes, retrieve the search results
Note
Use the Microsoft Graph PowerShell SDK (Mg*) cmdlets to process Graph queries. Make sure you assign the required API permissions (AuditLogsQuery.Read.All) to the app registration used for the audit log search.
Don't switch to Graph queries unless you really have to.
Example: Fetch data ($AuditJob is the query job object returned when the search was submitted)
$AuditRecords = Get-MgBetaSecurityAuditLogQueryRecord -AuditLogQueryId $AuditJob.Id -All -PageSize 999
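The three steps of the Graph approach (submit the job, check its status, retrieve the results) in one piece, as an added example that is not code from the session notes. It assumes the Microsoft.Graph.Beta.Security module is installed, that the signed-in identity holds AuditLogsQuery.Read.All, and that the beta cmdlets New-MgBetaSecurityAuditLogQuery, Get-MgBetaSecurityAuditLogQuery and Get-MgBetaSecurityAuditLogQueryRecord are available; the filter values and the display name are placeholders, and the way the SDK surfaces the workload-specific auditData (the AdditionalProperties dictionary) is an assumption about the SDK object model.

```powershell
# Added example (not from the original session notes). Assumes AuditLogsQuery.Read.All
# and the Microsoft.Graph.Beta.Security module; filter values are placeholders.
Connect-MgGraph -Scopes 'AuditLogsQuery.Read.All' -NoWelcome

# 1. Create and submit the audit log search (job). Dates are UTC ISO 8601 strings.
$Body = @{
    displayName         = 'CA policy changes, last 7 days'          # placeholder
    filterStartDateTime = (Get-Date).AddDays(-7).ToUniversalTime().ToString('o')
    filterEndDateTime   = (Get-Date).ToUniversalTime().ToString('o')
    recordTypeFilters   = @('azureActiveDirectory')                 # same focus rules as PowerShell
    operationFilters    = @('Set-ConditionalAccessPolicy')
}
$AuditJob = New-MgBetaSecurityAuditLogQuery -BodyParameter $Body
Write-Host ("Submitted job {0}, status {1}" -f $AuditJob.Id, $AuditJob.Status)

# 2. Poll the job status; the search runs in the background and can take minutes
do {
    Start-Sleep -Seconds 30
    $AuditJob = Get-MgBetaSecurityAuditLogQuery -AuditLogQueryId $AuditJob.Id
    Write-Host ("Job {0}: {1}" -f $AuditJob.Id, $AuditJob.Status)
} while ($AuditJob.Status -in 'notStarted', 'running')

if ($AuditJob.Status -ne 'succeeded') {
    throw "Audit log query $($AuditJob.Id) ended with status '$($AuditJob.Status)'"
}

# 3. Retrieve the results page by page, then read header fields and workload-specific auditData
$AuditRecords = Get-MgBetaSecurityAuditLogQueryRecord -AuditLogQueryId $AuditJob.Id -All -PageSize 999
$AuditRecords | ForEach-Object {
    # auditData is an open type; the SDK exposes its members through AdditionalProperties (assumption)
    $Data = $_.AuditData.AdditionalProperties
    [pscustomobject]@{
        Timestamp = $_.CreatedDateTime
        Operation = $_.Operation
        User      = $_.UserPrincipalName
        ClientIp  = $_.ClientIp
        Object    = $_.ObjectId
        Result    = $Data['ResultStatus']
    }
} | Sort-Object Timestamp -Descending | Format-Table -AutoSize
```

Unlike Search-UnifiedAuditLog, the job runs server-side and is retrievable later by its id, which suits scheduled runbooks; the price is the polling delay, so for interactive, narrowly scoped questions the PowerShell cmdlet stays the faster tool.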
Summary
The Unified Audit Log is an essential source of information for Microsoft 365 tenant admins who want to know who did what to which object, and when. Understanding audit events gives extra insight into how Microsoft 365 workloads work. You won't find any "answers" in the result sets unless you really start practising.