Unified Audit Log (UAL)
Location
Microsoft Purview > Audit > Search (or Search-UnifiedAuditLog cmdlet)
Description
Centralized audit log aggregating events across Exchange Online, SharePoint, OneDrive, Teams, Azure AD (Microsoft Entra ID), Power Platform, and other M365 services. Each record carries a timestamp, the acting user, the operation, and a workload-specific AuditData JSON payload that holds the client IP address, user agent, and object details.
Forensic Value
The UAL is the single most important artifact for M365 investigations. It captures mailbox access (MailItemsAccessed), file downloads, sharing changes, admin role assignments, and OAuth app consents in one searchable location. Correlating ClientIP, UserAgent and the SessionId that mailbox records carry inside AuditData across operations surfaces session hijacking: one SessionId appearing from two IP addresses in different geolocations, especially with a new user agent and sensitive operations (inbox rules, mail reads, consent grants) after the change, is a strong indicator of token theft. It is not proof on its own; mobile-carrier NAT, VPN egress changes and corporate proxies produce the same pattern and must be ruled out before the theft is called confirmed. Retention depends on the audit tier: Audit (Standard), included with E3, keeps 180 days (raised from 90 in late 2023); Audit (Premium), included with E5, keeps one year by default and up to ten years with the add-on retention license.
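The correlation described above, as an added example rather than code from the original page: group flattened UAL records by SessionId, flag any session seen from more than one client IP, and grade it by whether the extra IP falls outside known egress and whether the user agent changed. $Records is constructed sample data shaped like a flattened export (Exchange records put the IP in ClientIPAddress; it is assumed to have been coalesced into ClientIP when exported), and $KnownEgress is a hypothetical placeholder for the tenant's office/VPN prefixes.

```powershell
# Added example, not code from the original page. $Records below is constructed sample data;
# for a real hunt replace it with:  $Records = Import-Csv ual_export.csv
$Records = @(
    @{ CreationDate='2024-05-01T09:02:11Z'; UserId='alice@contoso.com'; Operation='MailItemsAccessed'; SessionId='a1b2-sess'; ClientIP='198.51.100.7'; UserAgent='Mozilla/5.0 (Windows NT 10.0) Edge/124.0' }
    @{ CreationDate='2024-05-01T09:14:40Z'; UserId='alice@contoso.com'; Operation='MailItemsAccessed'; SessionId='a1b2-sess'; ClientIP='198.51.100.7'; UserAgent='Mozilla/5.0 (Windows NT 10.0) Edge/124.0' }
    @{ CreationDate='2024-05-01T09:31:05Z'; UserId='alice@contoso.com'; Operation='New-InboxRule';     SessionId='a1b2-sess'; ClientIP='203.0.113.45'; UserAgent='python-requests/2.31' }
    @{ CreationDate='2024-05-01T10:05:00Z'; UserId='bob@contoso.com';   Operation='FileDownloaded';    SessionId='c3d4-sess'; ClientIP='198.51.100.7'; UserAgent='Mozilla/5.0 (Windows NT 10.0) Edge/124.0' }
    @{ CreationDate='2024-05-01T10:40:00Z'; UserId='bob@contoso.com';   Operation='FileDownloaded';    SessionId='c3d4-sess'; ClientIP='198.51.100.9'; UserAgent='Mozilla/5.0 (Windows NT 10.0) Edge/124.0' }
    @{ CreationDate='2024-05-01T11:00:00Z'; UserId='carol@contoso.com'; Operation='MailItemsAccessed'; SessionId='e5f6-sess'; ClientIP='192.0.2.20';   UserAgent='Outlook/16.0' }
) | ForEach-Object { [pscustomobject]$_ }

# Hypothetical placeholder: prefixes of the tenant's known office/VPN egress. Two IPs that both
# sit inside this set are the VPN/NAT churn the text warns about, not evidence of theft.
$KnownEgress = @('198.51.100.')

function Test-KnownEgress([string]$Ip, [string[]]$Prefixes) {
    foreach ($p in $Prefixes) { if ($Ip.StartsWith($p)) { return $true } }
    return $false
}

function Get-SuspiciousSessions {
    param([object[]]$Events, [string[]]$KnownEgressPrefixes = @())
    $Events |
        Where-Object { $_.SessionId } |      # records without a session token cannot be correlated this way
        Group-Object SessionId |
        ForEach-Object {
            # [datetime] cast handles ISO 8601 and Export-Csv output written on the same-culture machine
            $evts = @($_.Group |
                ForEach-Object { $_ | Add-Member -NotePropertyName Time -NotePropertyValue ([datetime]$_.CreationDate) -PassThru -Force } |
                Sort-Object Time)
            $ips     = @($evts.ClientIP  | Sort-Object -Unique)
            $uas     = @($evts.UserAgent | Sort-Object -Unique)
            $unknown = @($ips | Where-Object { -not (Test-KnownEgress $_ $KnownEgressPrefixes) })
            if ($ips.Count -gt 1) {
                $severity = if ($unknown.Count -gt 0 -and $uas.Count -gt 1) { 'High' }
                            elseif ($unknown.Count -gt 0) { 'Medium' }
                            else { 'Low' }
                [pscustomobject]@{
                    SessionId   = $_.Name
                    UserId      = ($evts.UserId | Select-Object -First 1)
                    ClientIPs   = ($ips -join ';')
                    UnknownIPs  = ($unknown -join ';')
                    UserAgents  = $uas.Count
                    MinutesSpan = [int](($evts[-1].Time - $evts[0].Time).TotalMinutes)
                    Operations  = (($evts.Operation | Sort-Object -Unique) -join ';')
                    Severity    = $severity
                }
            }
        }
}

# alice's session is High (new IP outside known egress, new user agent, inbox rule created 29 minutes
# after the IP change); bob's is Low (two corporate egress IPs, same agent); carol's is not listed.
Get-SuspiciousSessions -Events $Records -KnownEgressPrefixes $KnownEgress | Format-Table -AutoSize
```

The severity ladder encodes the caveat from the text: an IP change alone is a lead, an IP change to an address outside known egress is worth a look, and an IP change paired with a new user agent is what you escalate. Geolocation of the unknown IPs is deliberately left to an external lookup rather than hard-coded here.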
Tools Required
Collection Commands
PowerShell
# -ResultSize caps a single call at 5,000 records, so a bare 90-day query silently truncates; pair a SessionId with ReturnLargeSet and keep calling until nothing comes back (50,000-record ceiling per session).
$s = "ual-full"; do { $p = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) -SessionId $s -SessionCommand ReturnLargeSet -ResultSize 5000; $p | Export-Csv -Path ual_export.csv -NoTypeInformation -Append } while ($p)
PowerShell
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -RecordType ExchangeAdmin -ResultSize 5000 | Export-Csv ual_exchange_admin.csv -NoTypeInformation
Hawk
Start-HawkTenantInvestigation -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date)
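The full collection loop the cmdlet needs for a long window, as an added example that is not part of the original page: it slices the 90-day range into days so no single SessionId can exceed the 50,000-record session ceiling, walks each slice with -SessionCommand ReturnLargeSet until the cmdlet returns nothing, de-duplicates on Identity (pages are unsorted and can overlap), and flattens the AuditData JSON into the columns analysts pivot on. It assumes the ExchangeOnlineManagement module and an account holding the View-Only Audit Logs role; the output file name and the session-ID prefix are arbitrary.

```powershell
# Added example, not code from the original page. Assumes the ExchangeOnlineManagement module and an
# account holding the View-Only Audit Logs (or Audit Logs) role; $OutFile is an arbitrary name.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$Start   = (Get-Date).AddDays(-90)
$End     = Get-Date
$OutFile = 'ual_export.csv'
$Seen    = [System.Collections.Generic.HashSet[string]]::new()
$All     = [System.Collections.Generic.List[object]]::new()

# One SessionId returns at most 50,000 records, so walk the window in one-day slices and start a
# fresh session per slice. Shrink the slice or add -RecordType if a slice reports hitting the cap.
$sliceStart = $Start
while ($sliceStart -lt $End) {
    $sliceEnd  = if ($sliceStart.AddDays(1) -lt $End) { $sliceStart.AddDays(1) } else { $End }
    $sessionId = 'ual-' + $sliceStart.ToString('yyyyMMddHHmm')
    $total     = $null
    do {
        # ReturnLargeSet hands back successive 5,000-record pages for the same SessionId until it
        # returns nothing; pages are unsorted and may overlap, hence the Identity de-duplication.
        $page = @(Search-UnifiedAuditLog -StartDate $sliceStart -EndDate $sliceEnd `
                    -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000)
        if ($page.Count -gt 0 -and $null -eq $total) {
            $total = $page[0].ResultCount      # total matches for the slice, reported on every record
            if ($total -ge 50000) { Write-Warning "Slice starting $sliceStart has $total records; only 50,000 will be returned." }
        }
        foreach ($rec in $page) { if ($Seen.Add($rec.Identity)) { $All.Add($rec) } }
    } while ($page.Count -gt 0)
    $sliceStart = $sliceEnd
}

# Flatten the workload-specific AuditData JSON into pivot columns. Exchange records put the IP in
# ClientIPAddress, most other workloads in ClientIP; coalesce them. Keep the raw JSON too, since
# the flattening is lossy.
$All | ForEach-Object {
    $d  = $_.AuditData | ConvertFrom-Json
    $ip = if ($d.ClientIP) { $d.ClientIP } else { $d.ClientIPAddress }
    [pscustomobject]@{
        CreationDate = $_.CreationDate
        RecordType   = $_.RecordType
        Operation    = $_.Operations
        UserId       = $_.UserIds
        ClientIP     = $ip
        UserAgent    = $d.UserAgent
        SessionId    = $d.SessionId
        ObjectId     = $d.ObjectId
        ResultStatus = $d.ResultStatus
        AuditData    = $_.AuditData
    }
} | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

Write-Host ("Wrote {0} unique records to {1}" -f $All.Count, $OutFile)
```

Filter early rather than late: on a busy tenant a single day of all record types can approach the cap, so scope with -RecordType or -UserIds when the investigation already knows which mailboxes or workloads matter, and keep the raw AuditData column so a later question can be answered without re-collecting.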
MITRE ATT&CK Techniques
Used in Procedures
M365 Unified Audit Log Collection (collect)
Collect DLP Policy Alerts and Hits (collect)
Investigate Mailbox Rule Modifications (analyze)
Conduct Lessons Learned Review Session (post-incident)
Create New Detection Rules Based on Incident Findings (post-incident)
Phishing Campaign Scope and Credential Exposure (analyze)
Scope a Supply-Chain Compromise (triage)
Characterize Adversary TTPs and Assess Attribution (triage)
Hunt Historical Dwell Time and Hidden Persistence (analyze)
Assume-Breach Rebuild and Identity Reset (eradicate)
Threat-Intel Sharing and Sector Reporting (post-incident)
Validate Insider-Threat Tip and Choose Investigation Posture (triage)
Establish 90-Day Behavioral Baseline for Subject (triage)
Identify Data Staging and Pre-Exfiltration Patterns (analyze)
Insider-Control Lifecycle Review (post-incident)
Related Blockers
M365/Azure Logs Past Retention Period
Unified Audit Log (UAL) entries in Microsoft 365 or Azure AD (Entra ID) sign-in logs have expired beyond the default retention window: 180 days for Audit (Standard) on E3, one year for Audit (Premium) on E5, and only 30 days for Entra ID sign-in logs even with a P1/P2 license. Historical evidence of initial access, mailbox abuse, or OAuth consent grants is no longer available in the tenant.
Suspected Insider Still Has Access -- Investigation Must Be Covert
The primary suspect is a current employee or contractor who still has active credentials and system access. Overt containment actions (account lockout, visible monitoring) would tip off the suspect and risk evidence destruction or acceleration of harmful activity.
Shared Cloud Environment Complicates Isolation
The compromised workload runs in a multi-tenant cloud environment (shared subscription, Kubernetes cluster, or PaaS) where isolation actions may impact other tenants or business-critical services sharing the same infrastructure.
Regulatory Notification Deadline Approaching
A regulatory reporting deadline (GDPR's 72 hours to the supervisory authority, the SEC's Form 8-K within four business days of a materiality determination, state breach-notification statutes, HIPAA's 60-day limit) is imminent and the investigation has not yet determined the full scope of data exposure. The team must balance thorough investigation against mandatory disclosure timelines.
Evidence Spans Multiple Jurisdictions with Conflicting Laws
Affected systems or data span multiple countries with differing data-protection, breach-notification, and cross-border transfer laws (GDPR, data-residency rules, PIPL, LGPD, state-level US laws). Acquisition and analysis that is lawful in one jurisdiction may be unlawful in another. Engage legal counsel early and plan in-region processing.
SaaS Audit Retention Expired Before Collection
The response started after the native retention window for Google Workspace, Okta, Slack, GitHub, or similar SaaS evidence had already passed. The necessary events are no longer available in the vendor UI or API even though the underlying accounts and content may still exist.
Compromised Vendor Artifact Provenance Lost
The compromised software was distributed through a legitimate channel (update server, package registry) but the vendor cannot or will not produce the exact pre-compromise build artifacts, build manifests, or signing-chain evidence needed to validate provenance. Without that baseline, it is difficult to definitively identify what was malicious versus legitimate in the distributed artifact.
Attack Delivered via Legitimately Signed Update
The malicious artifact carries a valid signature from the vendor's real signing key, so traditional allow-by-signature controls (Authenticode policy, Cosign verification, macOS notarization) do not flag it. Detection must pivot to behavioral indicators, reputation, and anomaly-based signals.
Suspected Nation-State Actor Complicates Response
Evidence points to a well-resourced adversary with sophisticated tradecraft (zero-day exploitation, custom tooling, anti-forensics, long dwell time). Response needs to balance technical containment with legal, law-enforcement, and communications considerations that do not apply to opportunistic incidents.
Law Enforcement Requested Investigation Pause
A law-enforcement agency (FBI, Secret Service, Europol, national police cybercrime unit) has requested that the organization pause or slow-walk active investigation, containment, or notification steps while they pursue their own investigation. This creates tension between legal obligations to customers/regulators and cooperation with LEA.