Step-by-Step Guide to Interpreting Microsoft 365 Audit Log Events
Imagine you see a big jump in emails sent out. You think someone may have tried to send secret data outside. Microsoft 365 audit logs help you track these actions. You might see mailbox permission changes or strange inbox rules. These rules can let data leave without people knowing. Audit logs also show if someone gets more access or exports a mailbox. By checking these logs, you can act quickly. You can block users who are hacked and keep your data safe.
Key Takeaways
Microsoft 365 audit logs let you see what users and admins do. This helps you find and stop security problems fast.
You need the right permissions to use the Unified Audit Log. You must turn it on to look at and search audit data well.
You can use the Microsoft Purview portal, PowerShell, or APIs. These tools help you search, filter, and export audit logs for a closer look.
Important log fields are Time, UserId, Operation, and ResultStatus. These show who did something, what they did, and when.
Check audit logs often and set alerts. This helps you find strange actions early and protect your data.
Accessing Microsoft 365 Audit Logs
Permissions and Setup
You need the right permissions to see audit logs. You must have the View-Only Audit Logs or Audit Logs role in Exchange Online. These roles are in the Compliance Management and Organization Management groups. If you are a global administrator, you already have these permissions. You can also make custom role groups in Exchange Online to give only the needed access.
Tip: Giving roles in the Security & Compliance Center is not enough. Always set permissions in Exchange Online.
Here is a table to show which Microsoft 365 plans have audit features:
Enabling Unified Audit Log
There are two main ways to turn on the Unified Audit Log. The first way uses the Microsoft Purview portal:
Sign in with your admin account.
Go to the Compliance Center.
Click "Audit" under "Solutions."
Click "Start recording user and admin activity."
Make sure events are being recorded by running a search.
You can also use PowerShell:
Connect to Exchange Online with your admin account.
Run the following to check the status:
Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled
If needed, run the following to turn it on:
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Check the setting again.
Using Purview Portal
The Microsoft Purview portal makes it easy to search audit logs. You can filter by activity, user, or date. You can export results to a CSV file for more study. The portal works with both standard and premium audit logs, but they keep data for different lengths of time. For more advanced needs, you can use PowerShell cmdlets like Search-UnifiedAuditLog or use the Microsoft Graph API. This helps you automate searches and get lots of data for security checks.
Searching and Filtering Audit Events
Portal Search
You can look for audit events in the Purview portal. The portal lets you use easy filters. You can pick a date range, choose users, and select activities. For example, you may want to know who opened files in SharePoint or changed Exchange settings. The portal saves your search jobs for 30 days, even if you close your browser. You get results fast and can export them to a CSV file to check later.
Tip: Use the portal for interactive searches or to check activities from the last 180 days.
PowerShell Queries
PowerShell helps you look deeper into audit logs. You use the Search-UnifiedAuditLog cmdlet to filter by service and action. Here are some useful filters:
RecordType lets you pick the service, like ExchangeAdmin for Exchange or SharePointFileOperation for SharePoint.
Operations helps you find certain actions, such as FileAccessed or SiteCollectionCreated.
The -Formatted switch shows names you can read instead of codes.
Here is a PowerShell command to find SharePoint site creation events:
Search-UnifiedAuditLog -RecordType SharePointFileOperation -Operations SiteCollectionCreated -StartDate "2024-06-01" -EndDate "2024-06-10" -Formatted
Note: Use filters to make your results smaller and easier to read. If you have many entries, try paging through the results.
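Here is an added example (not from the original article) of the paging the note above refers to: it runs Search-UnifiedAuditLog in a loop with a session id so that more than one page of results comes back, unpacks the AuditData JSON on each record, and writes flat rows to CSV. It assumes Connect-ExchangeOnline has already been run with an account that holds the Audit Logs role; the date range, session name and output path are arbitrary choices.

```powershell
# Added example (not the article's code): page through Search-UnifiedAuditLog results
# and flatten the AuditData JSON. Assumes Connect-ExchangeOnline has already been run.
# -SessionId plus -SessionCommand ReturnLargeSet returns the next page on every call
# with the same session id; a single call is capped at -ResultSize 5000, and the loop
# stops when a call returns nothing.
$start     = (Get-Date).AddDays(-7)
$end       = Get-Date
$sessionId = "inboxrule-review-" + (Get-Date -Format "yyyyMMddHHmmss")   # any unique string
$rows      = New-Object System.Collections.Generic.List[object]

do {
    $batch = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType ExchangeAdmin -Operations New-InboxRule, Set-InboxRule `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    foreach ($record in $batch) {
        # AuditData is a JSON string; ConvertFrom-Json turns it into an object.
        $data = $record.AuditData | ConvertFrom-Json
        $rows.Add([pscustomobject]@{
            Time         = $record.CreationDate
            UserId       = $record.UserIds
            Operation    = $record.Operations
            ResultStatus = $data.ResultStatus
            ClientIP     = $data.ClientIP
            # Parameters is an array of {Name, Value} pairs; join it into one readable column.
            Parameters   = ($data.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join "; "
        })
    }
} while ($batch)

# The flat rows open cleanly in Excel or Power Query; the raw AuditData column would not.
$rows | Export-Csv -Path ".\inbox-rule-audit.csv" -NoTypeInformation
$rows | Format-Table Time, UserId, Operation, ResultStatus -AutoSize
```

Change -RecordType and -Operations to the service and actions you are investigating; the paging and flattening stay the same.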
API Filtering
You can use the Office 365 Management Activity API or Microsoft Graph API for automatic searches. The API lets you filter audit logs by user details, like country. For example, you can use $filter to find events for users in the United States. This way works well for collecting lots of data or sending logs to security tools.
Troubleshooting Tips
If your search results seem missing or strange, try these steps:
Check your permissions. Make sure you have the Audit Logs or View-Only Audit Logs role.
Turn on mailbox auditing with PowerShell if you need to.
If you still see no results, turn the AuditEnabled setting off and then on again.
Remember, searching by user does not show actions by delegates or shared mailboxes.
Use ExchangeGuid with the FreeText parameter to find activity in shared mailboxes.
If you see an error like "Your request couldn't be completed," you may need to update your permissions in Exchange Online.
Interpreting Log Properties and Event Types
Key Fields
When you check audit logs, you see many fields. Each field gives you details about what happened. These fields help answer questions like "Who did this?" or "Was it successful?" Here is a table that lists some important fields in Microsoft 365 audit logs:
You can use these fields to sort and study audit logs. The Time field shows when something happened. The UserId field tells you who did it. The Workload field shows which Microsoft 365 service was used. The Operation field tells what action happened. The ResultStatus field shows if the action worked or failed. These fields help you find answers fast.
Tip: If you want to know who changed a file or deleted an email, check the UserId and Operation fields first.
RecordTypes and Operations
Audit logs use RecordTypes to group events together. Each RecordType shows what kind of activity happened. For example, ExchangeAdmin means someone did an admin task in Exchange. ExchangeItem means someone worked with one email or calendar item. ExchangeItemGroup means someone did something to many items at once, like deleting several emails.
Operations tell you the exact action. You might see Create, Update, SoftDelete, HardDelete, or MoveToDeletedItems. If you see a SoftDelete operation on an ExchangeItemGroup, it means a user moved many emails to the Deleted Items folder. An Update operation on an ExchangeItem could mean someone changed a calendar event.
Here is a simple list to help you remember:
RecordType: Shows the group of activity (like admin tasks or file actions).
Operation: Shows the exact action (like create, update, delete).
You can filter audit logs by RecordType and Operation to find certain activities. If you want to see who deleted files in SharePoint, filter by the right RecordType and look for the Delete operation.
Note: You can set up alerts to get notified when certain operations happen. This helps you catch problems early.
Decoding Payloads
Some audit log events have complex payloads. A payload is the detailed data inside an event. Sometimes, one event has information about many actions. For example, the MailItemsAccessed event can show details for 20 or more emails at once. This makes the logs smaller, but you need to decode the payload to see all the details.
You can use PowerShell scripts to open and read these payloads. Many scripts use a Switch statement to handle different event types. Some payloads use Base64 encoding, so you need to decode them before you can read the data. If you want to study these events, you can download scripts from GitHub and change them to fit your needs.
Tip: If you see a payload with lots of data, use a script to break it down. This helps you find every action inside the event.
Decoding payloads takes practice. You need to know how each Microsoft 365 service formats its data. Sometimes, you find many sub-events in one payload. You can use tools like Excel Power Query to sort and filter the data after you export it.
Investigating User and System Activities
Mapping Actions
You can track what users and systems do by following steps. This helps you know who did something and when it happened. First, open the audit logs in the Microsoft Purview Compliance Portal. Pick the right dates and times to look at. You can also filter by users or actions to make your search smaller.
Here is how you can map actions:
Go to the Microsoft Purview Compliance Portal and find the Audit section.
Choose the dates and times you want to check.
Filter by users or actions if you want to focus on certain things.
Use PowerShell commands like Search-UnifiedAuditLog to get user activity.
Run PowerShell scripts to make reports, especially if you have lots of data.
Try third-party tools for better charts and dashboards.
Look at the filtered logs to find patterns, link events, and check for problems.
Write down what you find, including anything strange or important.
You will see many kinds of actions in the logs. These can be user sign-ins, mailbox actions like sending or deleting emails, file changes in SharePoint or OneDrive, and teamwork events in Teams. You can also see security events, like policy changes or malware warnings.
Tip: Use filters to look at the most important data. This helps you find what you need faster.
Detecting Anomalies
Detecting anomalies means finding things that are not normal. You want to spot signs of trouble, like someone trying to break into an account or change settings. You can use special tools and ways to help with this.
SIEM platforms like Microsoft Sentinel collect and study audit logs in one place. They help you find gaps, stops, or odd changes in your logs.
Watch for signs of tampering, like deleted logs or times when logging stops.
Track mailbox actions, like new inbox rules or a sudden jump in API calls.
Watch for changes to security policies, like Conditional Access or Data Loss Prevention.
Check app registrations and permissions to catch strange OAuth apps or shadow accounts.
Set up alerts to get notified right away if something odd happens.
Some tools use AI to spot spikes in failed sign-ins, account lockouts, or permission changes. You can get alerts on your phone or email in real time. These tools also show you what changed before and after, so you know exactly what happened.
Note: Check your audit logs often and compare them to normal activity. This helps you find problems early.
Mailbox Audit Logs
Mailbox audit logs let you see what happens inside user mailboxes. You can see when someone reads, deletes, or moves emails. The MailItemsAccessed action records every time someone looks at mail, either by syncing or reading messages.
Watch for these signs of strange activity:
Logins or API calls from places or devices you do not know.
Apps getting high-level permissions at odd times.
Lots of emails deleted from Sent Items or Deleted Items.
New inbox rules that forward or delete emails without the user knowing.
Many mail syncs or message reads, which could mean someone is stealing data.
If you see more than 1,000 MailItemsAccessed records in one day, logging for this action will stop for 24 hours. This often means a mailbox may be hacked. Other actions will still be logged, so keep checking for other clues.
You can use KQL queries to find these actions. For example, you can look for all API requests from a user, spot new inbox rules, or find lots of deleted messages.
Alert: Always check strange mailbox activity. Acting fast can stop data loss and keep your organization safe.
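The following is an added example (not the article's or Microsoft's code) that serves both the Decoding Payloads section and the mailbox checks above: a PowerShell script that decodes AuditData with a Switch on Operation, expands the sub-events inside a MailItemsAccessed payload into one row per message, marks records where the IsThrottled property is set, and flags inbox rules that forward, redirect or delete mail. The records are constructed samples shaped like Search-UnifiedAuditLog output; the users, addresses, message ids and ClientIP values are placeholders.

```powershell
# Added example (not the article's code): decode AuditData with a Switch on Operation.
# MailItemsAccessed is expanded into one row per message and marked when IsThrottled
# is set; inbox-rule events are marked when they forward, redirect or delete mail.
# $records are constructed samples shaped like Search-UnifiedAuditLog output, using
# placeholder users, addresses, message ids and IP addresses.
$records = @(
    [pscustomobject]@{ CreationDate = "2024-06-03T08:10:00"; UserIds = "alice@example.com"; Operations = "MailItemsAccessed"
        AuditData = '{"Operation":"MailItemsAccessed","ClientIP":"203.0.113.5","OperationProperties":[{"Name":"MailAccessType","Value":"Sync"},{"Name":"IsThrottled","Value":"True"}],"Folders":[{"Path":"\\\\Inbox","FolderItems":[{"InternetMessageId":"<m1@example.com>"},{"InternetMessageId":"<m2@example.com>"}]}]}' }
    [pscustomobject]@{ CreationDate = "2024-06-03T08:12:00"; UserIds = "alice@example.com"; Operations = "New-InboxRule"
        AuditData = '{"Operation":"New-InboxRule","ClientIP":"203.0.113.5","ResultStatus":"True","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"external@example.net"},{"Name":"DeleteMessage","Value":"True"}]}' }
)

function New-Row($Record, $Operation, $Detail, $Flag) {
    [pscustomobject]@{ Time = $Record.CreationDate; UserId = $Record.UserIds; Operation = $Operation; Detail = $Detail; Flag = $Flag }
}

function Expand-AuditRecord {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $d = $Record.AuditData | ConvertFrom-Json
        switch ($d.Operation) {
            "MailItemsAccessed" {
                # One event carries many messages; emit one row per message so nothing hides in the payload.
                $access    = ($d.OperationProperties | Where-Object Name -eq "MailAccessType").Value
                $throttled = ($d.OperationProperties | Where-Object Name -eq "IsThrottled").Value -eq "True"
                $flag = if ($throttled) { "THROTTLED" } else { "" }
                foreach ($folder in $d.Folders) {
                    foreach ($item in $folder.FolderItems) {
                        New-Row $Record $d.Operation "$access $($folder.Path) $($item.InternetMessageId)" $flag
                    }
                }
            }
            { $_ -in "New-InboxRule", "Set-InboxRule" } {
                # Parameters is an array of {Name, Value}; rules that forward or delete mail are the classic data-leak sign.
                $p = @{}; foreach ($kv in $d.Parameters) { $p[$kv.Name] = $kv.Value }
                $risky  = @("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage") | Where-Object { $p.ContainsKey($_) }
                $detail = "Rule '$($p['Name'])' " + (($risky | ForEach-Object { "$_=$($p[$_])" }) -join ", ")
                $flag   = if ($risky) { "REVIEW" } else { "" }
                New-Row $Record $d.Operation $detail $flag
            }
            default { New-Row $Record $d.Operation "" "" }
        }
    }
}

$records | Expand-AuditRecord | Format-Table -AutoSize
```

The same Switch extends to other operations you care about (for example ExchangeItemGroup deletes) by adding a case that reads the fields that payload carries.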
Export and Retain Data
Export Methods
There are a few ways to export audit log data. The Purview portal lets you search and export logs online. You can also use PowerShell with the Search-UnifiedAuditLog cmdlet. This lets you export filtered results to a CSV file. If you want to automate things, you can use the Microsoft Graph API. Each way has some limits. The Purview portal only lets you export 50,000 entries per CSV file. PowerShell can only search one RecordType at a time. You may need to run it more than once. The Graph API sometimes misses some results. After you export, you can use Excel Power Query Editor to clean your data. You might need to fix missing JSON properties if your data set is big.
You can export logs in formats like CSV, PDF, HTML, and XLSX. CSV files are best for deep study. They work well with tools like Power Query.
Reporting
You can use different tools to make reports from your audit log data. The Admin Center and Compliance Center have simple reporting tools. If you want better charts and dashboards, you can use Power BI. Power BI helps you see patterns and trends. You need some skill to use it well. Other tools like SquaredUp and AdminDroid are easy to use. They give you dashboards, real-time alerts, and many ready-made reports. These tools help you track user actions, find problems, and meet compliance needs.
Tip: Pick a reporting tool that fits your skills and your organization's size.
Retention Policies
Retention policies decide how long audit logs stay available. Most users have a default retention period of 180 days. If you have an E5 license, you can keep logs for up to one year. Some groups need to keep logs for 3, 5, or even 10 years. This needs special add-on licenses. You can set custom retention policies in the Purview portal or with PowerShell. Keeping logs longer helps with investigations. It also helps meet rules in healthcare or finance.
Note: Custom retention policies only work for new data. Plan your retention to balance cost and compliance.
Checking Microsoft 365 audit logs often helps keep your data safe. These logs show what users do and help you look into problems. They also help you follow rules like HIPAA and ISO 27001.
Make sure you have clear rules for logging. Use tools that send alerts when something happens. Keep your logs for as long as needed.
Doing audits often helps you find threats early. It also lets you see what is happening and helps with legal issues.
Using unified audit logs and special tools makes checking logs easier and more trustworthy.
FAQ
What is the Unified Audit Log in Microsoft 365?
The Unified Audit Log gathers activity from many services. You can use it to watch what users and admins do. It also tracks system events. This log helps you spot security problems. It helps you follow rules for your organization.
How do you know if mailbox auditing is enabled?
You can check mailbox auditing with PowerShell. Run this command:
Get-Mailbox -Identity "user@domain.com" | FL AuditEnabled
If you see AuditEnabled : True, mailbox auditing is turned on.
Can you automate audit log exports?
Yes, you can set up automatic exports. Use PowerShell scripts or the Microsoft Graph API. These tools let you plan regular exports. You can send logs to other systems for more study.
How long does Microsoft 365 keep audit logs?
How long logs stay depends on your license. Standard plans keep logs for 180 days. E5 licenses keep logs for up to one year. Special add-ons let you keep logs even longer.
Tip: Always check your retention settings. Make sure they fit your organization’s needs.