Domain 3 of 4 · Chapter 3 of 5

Investigate Microsoft 365 Activities

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Microsoft Certified: Security Operations Analyst Associate premium course — no separate purchase.

Included in this chapter:

  • The unified audit log: one searchable record of M365 activity
  • Audit licensing tiers and high-value events
  • Content Search: retrieving the items the audit log only mentions
  • Microsoft Graph activity logs: investigating the API layer
  • Exam-pattern recognition

Three Microsoft 365 investigation sources: what each answers and where you run it

SourceQuestion it answersWhere you run itKey constraint
Unified audit log (Purview Audit)What activity happened across M365 workloadsMicrosoft Purview portal, Audit searchOnly logs what auditing captured; 180 days (Standard), 1 year+ (Premium)
Content Search (Purview eDiscovery)Where the content is, so you can preview and export itMicrosoft Purview portal, Content searchSearches mailboxes, sites, OneDrive, Teams content, not an audit trail
Microsoft Graph activity logsWhich API requests an app or user made to GraphEnabled via diagnostic setting, queried in Log Analytics / SentinelOff by default; must route to a workspace, storage, or event hub

Decision tree

What does the goal need?M365 investigation sourceReconstruct activity?who did what, whenProve mailbox read?not just signed inNeed the content?the email or file itselfAPI / token / app?access via GraphUnified audit logPurview Audit searchMailItemsAccessedAudit Standard, default E3/E5sync + bind accessContent Searchpreview / export / holdGraph activity logsdiagnostic settingto workspaceAlways first: confirm auditing was onan event off at the time is not in the logTimelineWas readThe itemApp access

Cheat sheet

  • Reach for the unified audit log to reconstruct what happened across Microsoft 365
  • The audit log only contains events that auditing was capturing at the time
  • Audit Standard keeps records 180 days; Audit Premium extends to one year
  • Use MailItemsAccessed to prove a mailbox was actually read
  • Send and search-query events also help reconstruct a compromised mailbox
  • Search-UnifiedAuditLog queries the same audit data from PowerShell
  • Content Search retrieves the actual items; the audit log only logs the action
  • Content Search is a Purview eDiscovery tool you build from locations plus a query
  • Content Search uses Keyword Query Language, not Kusto
  • Use Content Search to investigate; eDiscovery cases are for litigation
  • Microsoft Graph activity logs expose the API requests behind app and token attacks
  • Graph activity logs are off by default and need a diagnostic setting
  • Route Graph activity logs to a Log Analytics workspace to hunt them with Kusto
  • Match the investigation goal to the right one of three M365 sources
  • The audit log records the action only, never the content the action touched
  • CloudAppEvents is the advanced-hunting table for connected cloud-app and OAuth activity
  • Content Search: empty Keywords returns everything; rows are OR, conditions are AND

Unlock with Premium — includes all practice exams and the complete study guide.

References

  1. https://learn.microsoft.com/en-us/purview/audit-search
  2. https://learn.microsoft.com/en-us/powershell/module/exchange/search-unifiedauditlog
  3. https://learn.microsoft.com/en-us/purview/audit-solutions-overview
  4. https://learn.microsoft.com/en-us/purview/audit-premium
  5. https://learn.microsoft.com/en-us/purview/audit-log-investigate-accounts
  6. https://learn.microsoft.com/en-us/purview/ediscovery-content-search
  7. https://learn.microsoft.com/en-us/sharepoint/dev/general-development/keyword-query-language-kql-syntax-reference
  8. https://learn.microsoft.com/en-us/graph/microsoft-graph-activity-logs-overview
  9. https://learn.microsoft.com/en-us/kusto/query/