PRACTITIONER GUIDE | INCIDENT RESPONSE
Practitioner GuideUpdated 10 min read

Microsoft Purview Audit: How to Use the Unified Audit Log for Security Investigations in Microsoft 365

90 days
Default UAL retention for E3 -- Purview Audit Premium extends to 1 year (E5)
350+
Operation types recorded in the UAL across Microsoft 365 services
Search-UnifiedAuditLog
PowerShell cmdlet for programmatic UAL search (ExchangeOnlineManagement module v2+)

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

The Unified Audit Log is the first place to go in a Microsoft 365 security investigation -- before pulling sign-in logs, before calling Microsoft Support, before trying any other data source. It contains a record of every significant action taken in the M365 tenant for the last 90 to 365 days. The challenge is that the UAL contains enormous volumes of benign activity, so effective investigation requires knowing which operation types to search for and how to filter the results to the relevant events. This guide covers the investigation workflow from enabling UAL through the specific queries most useful in a compromise scenario.

Verify Audit Logging Is Enabled

UAL must be enabled before events are recorded -- and it is not always on by default in older tenants. Verify via PowerShell (requires Exchange Online Management module): Connect-ExchangeOnline; Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled. Should return True. If False, enable immediately: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true. Note: in Microsoft 365 E3 and E5 tenants, UAL should be enabled by default as of 2023, but tenants created before that date may have it disabled. In the Microsoft Purview compliance portal (compliance.microsoft.com), navigate to Audit > Start recording user and admin activity. After enabling, audit events start flowing -- historical events before enablement are not retroactively available. This is why enabling UAL should be done immediately during onboarding, not during an incident investigation.

Search the UAL for Compromised Account Activity

After a suspected account compromise, search for all activity by the compromised account over the suspected exposure window. PowerShell: Search-UnifiedAuditLog -UserIds compromised@domain.com -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -ResultSize 5000 | Select-Object CreationDate, UserIds, Operations, AuditData | Export-Csv compromise-audit.csv -NoTypeInformation. The AuditData column contains a JSON blob with full detail for each event. Critical operations to look for in the results: New-InboxRule or Set-InboxRule (attacker created inbox rules to forward or delete emails), SearchQueryInitiatedByApp or SearchQueryInitiatedByUser (attacker searched mailbox contents), FileDownloaded (files exfiltrated from SharePoint/OneDrive), New-ForwardingRule or Set-Mailbox with DeliverToMailboxAndForward (email forwarding configured), Remove-MailboxPermission / Add-MailboxPermission (permissions modified), and Add-RoleGroupMember (attacker added themselves or another account to admin roles).

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Key UAL Operations for Security Investigations

The most forensically important operation types by investigation scenario: Compromise detection: 'MailboxLogin' (successful mailbox access), 'New-InboxRule' (persistence via forwarding/deletion rules), 'Set-Mailbox' with ForwardingSmtpAddress parameter (external email forwarding), 'Add-MailboxPermission' (delegated access added). Data exfiltration: 'FileDownloaded', 'FileSyncDownloadedFull', 'DownloadPagesFromSharePointSite' (SharePoint bulk download), 'SharingSet' (file sharing enabled), 'AnonymousLinkCreated' (public share link created). Privilege escalation: 'Add-RoleGroupMember', 'New-ManagementRoleAssignment', 'Update role member' in Entra, 'eDiscoverySearchCreated' (attacker running compliance searches to find sensitive content). Persistence: 'Set-InboxRule' with forward or delete actions, 'New-TransportRule' (organization-wide mail transport rules modified), 'Add-MailboxFolderPermission' (calendar or folder delegate access added). Build a search for each category filtered to the compromised account and time window.

Export Large UAL Datasets for Analysis

The PowerShell Search-UnifiedAuditLog cmdlet returns a maximum of 5,000 records per query. For large investigations (30 days of a heavily used account, or a tenant-wide search), paginate the results using the SessionId parameter: $allResults = @(); $sessionId = (New-Guid).Guid; do { $results = Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $user -ResultSize 5000 -SessionId $sessionId -SessionCommand ReturnLargeSet; $allResults += $results } while ($results.Count -gt 0). Alternatively, use the Purview Audit portal's export function which downloads results as a CSV for the selected time range and filters. For ongoing SIEM integration: the Microsoft 365 Management Activity API provides a streaming feed of audit events -- this is the enterprise integration path for feeding UAL events into Sentinel, Splunk, or other SIEMs in near-real-time (the API has approximately 30-minute latency from event to availability). The Sentinel Microsoft 365 data connector uses this API.

Purview Audit Premium: 1-Year Retention and Intelligent Insights

The default UAL retention is 90 days for E1/E3 licenses. Purview Audit Premium (included in E5 and available as an add-on) extends retention to 1 year for all operation types and 10 years for specific high-value operations (MailboxLogin, SearchQueryInitiatedByUser, and others). For breach investigations where the attacker had dwell time longer than 90 days, 1-year retention is critical. Purview Audit Premium also provides: 'Audit (Premium) mailbox auditing' which logs additional mailbox operations (MailItemsAccessed -- each email item accessed, not just login), and bandwidth throttling lift for large scale searches. The MailItemsAccessed operation (E5 only) is particularly valuable for proving which specific emails the attacker read during a compromise -- standard auditing only logs login events, not individual message access. If your compliance team has E5 licenses, verify that Purview Audit Premium is enabled and MailItemsAccessed logging is active.

The bottom line

The Unified Audit Log is the definitive record of what happened inside your Microsoft 365 tenant. Enable it immediately if not already on, verify retention period matches your investigation needs (upgrade to E5 or Purview Audit Premium for 1-year retention), and build the PowerShell query workflow before an incident -- the time to learn Search-UnifiedAuditLog is not during an active breach investigation. Key operations to search first in any compromise: New-InboxRule, Set-Mailbox with forwarding, FileDownloaded, and Add-RoleGroupMember.

Frequently asked questions

What is the difference between the Unified Audit Log and Entra ID sign-in logs?

Entra ID sign-in logs record authentication events (who logged in, from where, with what MFA method, with what risk score, whether Conditional Access allowed or blocked the sign-in). The Unified Audit Log records what the authenticated user did inside Microsoft 365 services (which emails they read, which files they downloaded, what SharePoint permissions they changed, what Teams messages they sent). Both are required for a complete investigation: sign-in logs establish when and from where access occurred; UAL establishes what the attacker did after gaining access.

How long does it take for UAL events to appear after an action occurs?

UAL events typically become available for search within 30 to 60 minutes of the action occurring, though Microsoft documentation states it can take up to 24 hours in some cases. For real-time incident response, the UAL is not instantaneous -- check recent events from the past hour and be aware they may not be complete. For the Microsoft 365 Management Activity API (used by Sentinel), expect approximately 30-minute latency on average.

Does the UAL capture everything an attacker does?

The UAL captures the operations defined in Microsoft's audit log activities reference (350+ operation types). It does not capture: email content (body, attachments), Teams message content, the specific search terms used in a mailbox search, or document content. It records that an email was accessed but not what the email said. For email content investigation, you need eDiscovery (Purview Content Search) with the relevant litigation hold or preservation order. The UAL is an activity log, not a content log.

Can an attacker delete UAL entries to cover their tracks?

No. The Unified Audit Log is immutable -- individual events cannot be deleted by any user or admin, including Global Administrators. Attackers cannot purge their activity from the UAL. The only way UAL events disappear is through the natural retention period expiry (90 days for E3, 1 year for E5/Premium). This is why the UAL is a trusted forensic source -- unlike Windows event logs (which local admins can clear), the UAL is outside the attacker's control.

Which UAL operations are most commonly searched during Business Email Compromise (BEC) investigations?

The standard BEC investigation sequence: MailboxLogin (confirm attacker accessed the mailbox), New-InboxRule (detect mail forwarding or auto-delete rules created by attacker), Set-Mailbox -ForwardingAddress or -ForwardingSMTPAddress (mailbox-level forwarding, separate from inbox rules), FileAccessed and FileDownloaded in SharePoint (determine data exfiltration scope), TeamsMessageSent (check if attacker used Teams to impersonate the victim to finance), and Send (check emails sent by the attacker from the victim mailbox). For each action: record the timestamp, client IP, and any other users who were contacted. The UAL record for New-InboxRule includes the full rule parameters in the AuditData JSON, including the forwarding address.

How do you export Unified Audit Log data at scale for forensic investigations when the Microsoft Purview portal search is too slow?

The Purview compliance portal search is limited to 50,000 results per query and does not support bulk export efficiently for multi-month investigations. Use the Exchange Online PowerShell Search-UnifiedAuditLog cmdlet for programmatic export: it returns up to 5,000 results per call and supports pagination via the SessionId and SessionCommand parameters. For large investigations, loop through sessions with SessionCommand set to ReturnNextPreviewPage until no more results are returned, writing each batch to a CSV or JSON file. For very large exports (millions of records), use the Office 365 Management Activity API, which provides a streaming interface to audit log data without result caps -- connect via the /subscriptions/start endpoint and poll the /content endpoint for available content blobs. The Management Activity API requires registering an app in Entra ID with AuditLog.Read.All permission. Microsoft Sentinel ingests UAL data via the Microsoft 365 connector and allows KQL queries without export size limits -- if Sentinel is deployed, query it directly rather than re-exporting from Purview.

Sources & references

  1. Microsoft: Search the Audit Log
  2. Microsoft: Audit Log Activities Reference

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.