Microsoft 365 Cloud investigation via Unified Audit Log – Insights and Tips

Cloud incidents are common and occur every week, some with a minor impact and others with extensive impacts on the organization and its users.

In the security incidents I investigated, I could see the differences between environments. In the countless investigations I carried out, it was possible to see diverse environments and the fact that each environment is unique in terms of log collection and IR readiness, some with maturity and others less so.

In half of the incidents I investigated, I found myself investigating the incident from some Audit Log and directly using PowerShell or CLI, whether it was Microsoft, Google or AWS.

In one of the many cases, I investigated incidents against the Unified Audit Log (UAL), and even here, despite the fact that rich logs were fed directly to the corporate SIEM from other platforms in some cases, it was still possible to obtain valuable and unique indications from the UAL.

The investigation itself with the Unified Audit Log (UAL) was done using countless PowerShell commands (not the portal) and revolved around many workloads, operations, and other filters.

The post “Microsoft 365 Cloud investigation via Unified Audit Log – Insights and Tips” focuses on the Unified Audit Log, how to use the search tool, and many tips on investigating Microsoft 365 Cloud via Unified Audit Log (UAL). This post is part of the CFIR (Cloud Forensic and Incident Response) Series.

Unified Audit Log (UAL) in a Nutshell

Can someone describe an audit log in a nutshell? It can be challenging, but let’s go through the known facts, the little things, and much more.

This UAL isn’t just a list of actions; it’s also packed with context and details. It tells you who did what, when they did it, and from where (the client IP address and client application are part of the record). This is crucial for security, compliance, and troubleshooting. For instance, if there’s a security breach, the audit log helps you trace back what happened, who was involved, and how to prevent it in the future. Similarly, for compliance purposes, you can show auditors a clear trail of actions to prove that you’re following the rules.

But here’s the kicker – managing an audit log isn’t just about collecting data; it’s also about analyzing it effectively. It’s like sifting through a haystack for that one golden needle of insight. By studying the patterns and trends in the log, you can uncover hidden risks, improve processes, and even optimize performance.

Significant actions within Microsoft 365, such as accessing a file, changing a setting, or signing in, are written to this log, provided the workload audits that action and the tenant and user license cover it.

Unified Audit Log – Who are you?

The Unified Audit Log (UAL) is a feature in Microsoft 365 that provides a single, searchable view of all user and administrator activity across various services within the Microsoft 365 environment. This includes activities such as file access, mailbox access, Entra ID changes, and more. The Unified Audit Log helps you track and investigate suspicious or unauthorized activities, meet compliance requirements, and gain insights into how Microsoft 365 services are being used within their environment. It can be a valuable security, compliance, and governance tool.

Note: In some cases, when I investigated older tenants, they didn’t have the option of Unified Audit Log enabled and available.

The Unified Audit Log (UAL) in Microsoft 365 (formerly Office 365) is a crucial investigative data source. It contains records of audited activity across the Microsoft 365 workloads and Entra ID (formerly Azure Active Directory). Here are the key components of the UAL:

  • Workloads: These are top-level categorizations based on products. Examples include:
    • Azure Active Directory
    • Exchange
    • OneDrive
  • Record Types: These group operations logically within a product. Examples include:
    • ExchangeAdmin
    • SharePointFileOperation
    • MicrosoftTeams
  • Operations: These represent individual events that occurred. Some common examples are:
    • MailItemsAccessed
    • FileDownloaded
    • UserLoggedIn

There are over 3,500 different operations in the Unified Audit Log, most of which are documented in Microsoft’s Audited Activities tables. When searching the UAL, filtering on these categories helps triage the massive data set and surfaces user activity and potential security threats.

Understanding the Differences: Standard vs Premium

Microsoft Purview offers two distinct auditing solutions: Audit (Standard) and Audit (Premium). Both are designed to provide organizations with the tools to effectively respond to security events, conduct forensic investigations, and meet compliance obligations. However, they cater to different needs and offer varying levels of functionality.

Audit (Standard) is the baseline offering and is turned on by default for organizations with the appropriate subscription. It captures and records thousands of user and admin operations across numerous Microsoft 365 services, making these records searchable for security operations, IT admins, and compliance teams. This level of auditing provides a solid foundation for organizations to monitor and investigate activities within their Microsoft 365 environment.

On the other hand, Audit (Premium) builds upon the capabilities of Audit (Standard) by offering enhanced features. These include longer retention periods for audit logs, up to 10 years with an additional license, and access to audit logs via a higher bandwidth Office 365 Management Activity API, allowing faster access to audit data. Moreover, Audit (Premium) provides intelligent insights powered by Microsoft’s AI, aiding organizations in gaining a deeper understanding of their audit data.

The following table from the Microsoft Learn document compares the key capabilities available in Audit with Standard and Premium.

The choice between Audit (Standard) and Audit (Premium) ultimately depends on an organization’s specific needs. Organizations requiring basic auditing capabilities may find Audit (Standard) sufficient, while those with more complex security and compliance needs may opt for the advanced features of Audit (Premium).

Microsoft provides a comprehensive guide detailing the key capabilities of Audit (Standard) and Audit (Premium). This resource can help decision-makers understand the nuances between the two options and make an informed choice that aligns with their organizational requirements.

TIP: The default retention period for Standard Audit has changed from 90 days to 180 days. Standard Audit logs generated before October 17, 2023, are retained for 90 days. Standard Audit logs generated on or after October 17, 2023, follow the new default retention of 180 days.

Both auditing types are crucial in maintaining security and compliance posture. By choosing the right level of auditing, organizations can ensure they have the tools to protect their data and comply with regulatory standards. Whether it’s the foundational support of Audit (Standard) or the advanced capabilities of Audit (Premium), Microsoft Purview offers a solution to meet the diverse needs of today’s digital landscape.

Unified Audit Log Features Comparison

A key aspect of UAL is its ability to record events from various workloads. These events can be searched and retrieved using the Search-UnifiedAuditLog cmdlet. This cmdlet is powerful, allowing for detailed queries and the retrieval of specific events from the vast amount of data collected.

UAL features two service levels: Standard and Premium. The standard service offers core auditing capabilities suitable for many organizations’ needs. It allows for recording user and admin activities, setting up and implementing audit log searches, and exporting, configuring, and viewing audit log records.

On the other hand, the Premium service provides advanced features, such as longer data retention, more detailed information on user activities, and access to the full suite of Microsoft’s security and compliance tools. This level is particularly useful for organizations with more complex security requirements or needing to adhere to stringent regulatory standards.

Feature: Audit (Standard) vs Audit (Premium)

  • Enabled by default: Standard: Yes. Premium: Yes.
  • Searchable audit events: Standard: thousands. Premium: thousands.
  • Search tools: Standard: Audit log search in the Purview compliance portal and the Search-UnifiedAuditLog cmdlet. Premium: same as Standard, plus the ability to save searches.
  • Export audit records: Standard: Yes. Premium: Yes.
  • Access to audit logs: Standard: Office 365 Management Activity API. Premium: same as Standard, plus higher bandwidth.
  • Audit log retention: Standard: 180 days (90 days for records generated before October 17, 2023). Premium: one year for Exchange, SharePoint and OneDrive records; 180 days for all other records.
  • Additional insights: Standard: No. Premium: Intelligent Insights for Exchange Online and SharePoint Online.
  • 10-year retention: Standard: not available. Premium: requires an add-on license.
  • Audit log retention policies: Standard: not available. Premium: custom policies for specific services, users, or activities.
  • Retention priority: Standard: not available. Premium: priority levels for custom policies.
  • Important activity properties: Standard: access to basic properties. Premium: access to additional properties that require a Premium license.


Before using the Unified Audit Log

Before starting to use the Unified Audit Log, you should know the scope, permissions, console, and other details. I shortened it to two sections: Planning and basic settings.

Planning

Standard and Premium tiers allow you to search audit logs for user and admin actions across various services. Since Standard is enabled by default for most scenarios, minimal setup is required to investigate activities.

Audit components

The audit requires two licensing components.

  • Subscription Level: Your Tenant needs a Microsoft 365 subscription with access to the audit log tool.
  • Per-User Licensing: each user whose activity should be logged and retained needs an appropriate license (assigned once). The license determines which activities are logged and how long the records are retained.

Search and Export Permissions

  • Searching and exporting audit logs require specific permissions within the compliance portal. Assigning the View-Only Audit Logs or Audit Logs role to admins and investigators grants them these capabilities.

Role Assignments

These roles are automatically assigned to pre-defined role groups:

  • Audit Reader: Can search and view audit logs.
  • Audit Manager: Can search, view, and export audit logs.

Customize Options

  • Custom Role Groups: Add View-Only Audit Logs or Audit Logs roles to create custom role groups with the desired level of access.
  • Exchange Admin Center: Permissions for enabling or disabling auditing and accessing audit cmdlets remain within the Exchange admin center. For this purpose, use the existing Audit Logs and View-Only Audit Logs roles (See the note below).
Note: Microsoft is changing how Exchange Online audit logs are accessed and managed. Starting April 30, 2024, Microsoft is retiring four legacy audit search cmdlets in the Exchange Online V3 module.

Search and Export Permissions

To search or export audit logs in the compliance portal, administrators and investigators need one of the following audit role groups (or a custom role group that carries the underlying role):

  • Audit Manager: holds the Audit Logs role; can manage audit configuration as well as search, view, and export audit logs.
  • Audit Reader: holds the View-Only Audit Logs role; can search, view, and export existing audit logs, but cannot change audit configuration.

Before starting the investigation, you should check a few settings and verify the integrity of the Unified Audit Log (UAL).

TIP: As part of the IR Readiness process, I ran a few checks to ensure UAL’s integrity alongside other log types.

Basic Configurations and Verification

Verify organization subscription and user licensing

Licensing for Audit (Standard) and Audit (Premium) requires the appropriate subscription that provides access to the audit log console and per-user licensing required to log and retain audit records.

Log Verification

To verify the AdminAuditLogConfig, run the following command:

Get-AdminAuditLogConfig | ft Name, UnifiedAuditLogIngestionEnabled,AdminAuditLogEnabled, UnifiedAuditLogFirstOptInDate

Assign permissions 

Admins and members of investigation teams must be assigned the View-Only Audit Logs or Audit Logs role in the Microsoft Purview portal or the Microsoft Purview compliance portal to search or export the audit log. By default, these roles are assigned to the Audit Reader and Audit Manager role groups on the Role Groups page in the Microsoft Purview portal and the Permissions page in the Compliance portal.

TIP:You can create custom role groups by adding the View-Only Audit Logs or Audit Logs roles to a custom role group.

Set up Audit (Premium) 

  • Audit (Premium) features, such as the intelligent-insight events MailItemsAccessed and Send, require users to be assigned an appropriate E5 license, and the Advanced Auditing app/service plan must be enabled for those users.

Enable Audit (Premium)

  • You can enable two Audit (Premium) events (SearchQueryInitiatedExchange and SearchQueryInitiatedSharePoint) to be logged when users perform searches in Exchange Online and SharePoint Online.
  • To enable these two events to be audited for users, run the following command (for each user) in Exchange Online PowerShell:

Set-Mailbox -Identity <user> -AuditOwner @{Add="SearchQueryInitiated"}

From that point, you should be able to run searches and start your investigations.
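The verification and setup steps above, pulled together into one runnable readiness script. This is an added example and not code from the original post; it assumes the ExchangeOnlineManagement module is installed, the account holds the Audit Logs role (or Exchange Online admin rights), and the mailbox identities under contoso.example are placeholders to replace with your own.

```powershell
# Added example: UAL readiness check and Premium event enablement (not from the original post).
# Assumes the ExchangeOnlineManagement module is installed and the account holds the Audit Logs
# role or Exchange Online admin rights. Mailbox identities under contoso.example are placeholders.
Connect-ExchangeOnline -ShowBanner:$false

function Test-UalReadiness {
    # Returns the tenant-level audit switches so the result can be recorded in the IR notes.
    $cfg = Get-AdminAuditLogConfig
    $org = Get-OrganizationConfig
    [pscustomobject]@{
        UnifiedAuditLogIngestionEnabled = $cfg.UnifiedAuditLogIngestionEnabled   # the setting that matters
        AdminAuditLogEnabled            = $cfg.AdminAuditLogEnabled
        UnifiedAuditLogFirstOptInDate   = $cfg.UnifiedAuditLogFirstOptInDate     # no UAL records exist before this
        MailboxAuditingDisabledOrgWide  = $org.AuditDisabled                      # $true would silence mailbox auditing
    }
}

$state = Test-UalReadiness
$state | Format-List

# 1. Turn ingestion on if it is off. Enable-OrganizationCustomization is a one-time prerequisite
#    in some tenants and errors harmlessly if it has already been run.
if (-not $state.UnifiedAuditLogIngestionEnabled) {
    try { Enable-OrganizationCustomization -ErrorAction Stop } catch { }
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Mailboxes with an audit bypass association generate no mailbox audit records at all.
#    An attacker with Exchange admin rights can use this to blind the investigation, so list them.
Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled } |
    Select-Object Name, AuditBypassEnabled

# 3. Mailboxes not logging MailItemsAccessed for the owner (expected where the Premium plan is
#    absent) or whose default audit set was customised (DefaultAuditSet lists Admin, Delegate
#    and Owner when untouched).
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { ($_.AuditOwner -notcontains 'MailItemsAccessed') -or ($_.DefaultAuditSet.Count -lt 3) } |
    Select-Object UserPrincipalName, DefaultAuditSet, AuditOwner

# 4. Opt Premium-licensed users into the SearchQueryInitiated events, one Set-Mailbox per user.
$premiumUsers = @('alice@contoso.example', 'bob@contoso.example')   # placeholder list
foreach ($upn in $premiumUsers) {
    Set-Mailbox -Identity $upn -AuditOwner @{Add = 'SearchQueryInitiated'}
}

# 5. Smoke test: "ingestion enabled" is not the same as "records present". On an active tenant an
#    empty result for the last 24 hours means the log is not yet usable as evidence.
$probe = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -ResultSize 1
if ($probe) { "UAL probe OK: $($probe.ResultCount) record(s) available in the last 24 hours" }
else        { Write-Warning 'UAL returned no records for the last 24 hours' }
```

Run it once during IR readiness and again at the start of an incident; the bypass-association and default-audit-set checks are the ones most often skipped, and both explain "missing" records that were never generated.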



A Real-Life Behavior

So what’s under the hood? Many parts, and the principles behind each of them should be understood; otherwise, your investigations won’t be fluent.

Activities and Property

Microsoft has tables that describe the activities that are audited in Microsoft 365. You can search for these activities by searching the audit log in the Microsoft Purview portal, Microsoft Purview compliance portal, and PowerShell.

These tables group related activities or activities from a specific service. They include the friendly name displayed in the Activities drop-down list or available in PowerShell and the name of the corresponding operation that appears in the detailed information of an audit record and the CSV file when you export the search results.

The table contains log types such as Microsoft 365 Applications, Entra, Compliance, Windows 365, Copilot, etc.

TIP: You can search the unified audit log for activities performed in different Microsoft 365 services. Not all the services allow you to search activities.

🔗 To the full list of all Audit log activities in Unified Audit log activities.

When you export the results of an audit log search from the Microsoft Purview portal or the Microsoft Purview compliance portal, you can download all the results that meet your search criteria. You can export this information by selecting Export results > Download all results on the Audit log search page. For more information, see Search the audit log.

When you export all results for an audit log search, the raw data from the unified audit log is copied and downloaded to a CSV file. Beyond the common columns, the file carries the full record as a JSON object in the AuditData column. This column holds the workload-specific properties of each record (for MailItemsAccessed, for example, the client IP address, the access type, and the folder items), so it has to be parsed as JSON before those properties can be filtered or pivoted on.

🔗 For Detailed activity properties in the audit log, you should visit the table and understand the Property and Microsoft 365 service that has this property.

Audit Portal vs PowerShell

As in many other situations, PowerShell beats the portal for searches and investigations: the portal is fine for a quick look, but filtering, pivoting, and exporting at scale is where the cmdlet wins.

The Search Dashboard

Active and completed search jobs are displayed in the search job dashboard. The dashboard displays the following information for each search job:

  • Search name: The name of the search job.
  • Job status: The status of the search job.
  • Progress: The percentage of the search job that has been completed.
  • Search time: The total running time elapsed to complete the search job.
  • Total results: The total number of results returned by the search job.
  • Creation time: The date and time the search job was created.
  • Search performed by: The account that created the search job.

What does a search look like in the Audit portal? The results shown there come from the searches and investigations described in this post. Diving into the records reveals a lot of information, organized by parameters such as Workload, Operation, Record Type, and the other criteria described above.

MailItemsAccessed Scenario

MailItemsAccessed is an Exchange mailbox-auditing action introduced with Audit (Premium). It is enabled by default for mailboxes of users assigned a Microsoft 365 E5 license or another license that includes the Advanced Auditing plan. The MailItemsAccessed action covers all mail protocols (POP, IMAP, MAPI, EWS, Exchange ActiveSync, and REST) and both types of mail access: sync and bind.

Use MailItemsAccessed audit records for forensic investigations. Mailbox auditing records every access to mail items, so you can establish which messages were exposed and, just as importantly, which were not. Where it is not certain whether an item was actually read, the access is still recorded, and the investigator should treat it as a read.

Using MailItemsAccessed audit records for forensics is typically performed after a data breach has been resolved and the attacker has been evicted. To begin your investigation, you should identify the set of mailboxes that have been compromised and determine the time frame when the attacker had access to mailboxes in your organization. Then, you can use the Search-UnifiedAuditLog to search audit records corresponding to the data breach.

Searching for MailItemsAccessed in the Audit portal returns a large volume of records, and the portal’s filtering makes it hard to get to the root cause.

In PowerShell, the same search with Search-UnifiedAuditLog uses the same criteria as the portal, but the results are objects you can filter, pivot, and export, which makes the findings far easier to extract.

The following PowerShell command returns the MailItemsAccessed records for the last 90 days:

# -ResultSize raises the default limit of 100 records to the 5,000 maximum per call
Search-UnifiedAuditLog -Operations MailItemsAccessed -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) -ResultSize 5000

You can export the result to a CSV file and extract additional information.

Throttling of MailItemsAccessed audit records

The Throttling of MailItemsAccessed is an interesting part. Why?

  • If more than 1,000 MailItemsAccessed audit records are generated in less than 24 hours, Exchange Online stops generating auditing records for MailItemsAccessed activity.
  • When a mailbox is throttled, MailItemsAccessed activity won’t be logged for 24 hours after the mailbox was throttled.
  • If the mailbox was throttled, there’s a potential that the mailbox could have been compromised during this period.
  • Recording of MailItemsAccessed activity resumes once the 24-hour throttling window has passed.

Keep in mind a few highlights about throttling:

  • Mailbox is throttled only for Bind operations.
  • Less than one percent of all mailboxes in Exchange Online are throttled.
  • While a mailbox is throttled, only MailItemsAccessed records are suppressed.
  • Other mailbox auditing actions aren’t affected.
  • Audit records for sync operations aren’t throttled.
  • If a mailbox is throttled, you can probably assume there was MailItemsAccessed activity that wasn’t recorded in the audit logs.

The scenario above is common, but what does the investigation look like when the mailbox was compromised?

MailItemsAccessed – Investigations behavior

Using MailItemsAccessed audit records for forensics is typically performed after a data breach has been resolved and the attacker has been evicted. To begin your investigation, identify the set of mailboxes that were compromised and determine the time frame during which the attacker had access to them. Then use Search-UnifiedAuditLog in Exchange Online PowerShell to search the audit records corresponding to the breach (Search-MailboxAuditLog also covers these records, but it is among the Exchange Online audit cmdlets Microsoft is retiring, so build new tooling on Search-UnifiedAuditLog).

The commands below show whether throttling occurred in the period under investigation. The IsThrottled flag lives inside the AuditData JSON, so the filter matches on the raw string:

# Records where the IsThrottled operation property is True (MailItemsAccessed logging was suspended)
Search-UnifiedAuditLog -Operations MailItemsAccessed -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) -ResultSize 5000 | Where-Object { $_.AuditData -like '*"IsThrottled","Value":"True"*' } | Format-List

# Records that were not throttled
Search-UnifiedAuditLog -Operations MailItemsAccessed -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) -ResultSize 5000 | Where-Object { $_.AuditData -like '*"IsThrottled","Value":"False"*' } | Format-Table UserIds, Operations, IsValid

You can add the Export-Csv command to export all actions to a CSV file:

Search-UnifiedAuditLog -Operations MailItemsAccessed -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) -ResultSize 5000 | Export-Csv -Path "/Users/ellishlomo/Downloads/MailItemsAccessed.csv" -NoTypeInformation

We can also check for sync activities. In this scenario, the attacker uses an email client to download messages, then disconnects the computer from the Internet and reads them locally without any further interaction with the server. Mailbox auditing cannot record that offline reading, only the sync that preceded it. To find MailItemsAccessed records where mail items were accessed by a sync operation, run the following PowerShell command:

Search-UnifiedAuditLog -Operations MailItemsAccessed -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) -ResultSize 5000 | Where-Object { $_.AuditData -like '*"MailAccessType","Value":"Sync"*' } | Format-List UserIds, Operations, IsValid
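The three filters above (throttled, not throttled, sync) all match substrings of the raw AuditData JSON and return at most one page of results. The following added example, which is not part of the original post, pages through the full result set with a search session, parses AuditData into the fields an investigator pivots on, and summarises access by client IP, access type, and throttling state. It assumes Connect-ExchangeOnline has already been run; the user alice@contoso.example and the embedded sample record are constructed placeholders, not real tenant data.

```powershell
# Added example (not from the original post): page through MailItemsAccessed records, parse the
# AuditData JSON and summarise access by client IP, access type and throttling state.
# Assumes Connect-ExchangeOnline has been run. The user and the sample record are constructed.

function Get-UalRecordsPaged {
    # Search-UnifiedAuditLog returns 100 records by default and at most 5,000 per call. A fixed
    # -SessionId with -SessionCommand ReturnLargeSet pages through up to 50,000 records.
    param(
        [Parameter(Mandatory)][datetime]$Start,
        [Parameter(Mandatory)][datetime]$End,
        [string[]]$Operations = @('MailItemsAccessed'),
        [string[]]$UserIds
    )
    $params = @{
        StartDate      = $Start
        EndDate        = $End
        Operations     = $Operations
        ResultSize     = 5000
        SessionId      = [guid]::NewGuid().ToString()
        SessionCommand = 'ReturnLargeSet'
    }
    if ($UserIds) { $params.UserIds = $UserIds }
    do {
        $page = @(Search-UnifiedAuditLog @params)   # next page for this session; empty when done
        $page
    } while ($page.Count -gt 0)
}

function ConvertFrom-MailItemsAccessed {
    # Flattens one result (or a raw AuditData JSON string) into the fields investigators pivot on.
    # OperationProperties is a Name/Value array in the JSON; MailAccessType and IsThrottled live there.
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)
    process {
        $json    = if ($Record -is [string]) { $Record } else { $Record.AuditData }
        $d       = $json | ConvertFrom-Json
        $props   = @{}
        foreach ($p in $d.OperationProperties) { $props[$p.Name] = $p.Value }
        $folders = @($d.Folders)
        [pscustomobject]@{
            CreationTime     = [datetime]$d.CreationTime
            User             = $d.UserId
            ClientIPAddress  = $d.ClientIPAddress
            ClientInfoString = $d.ClientInfoString        # client/protocol string (OWA, MAPI, REST, ...)
            MailAccessType   = $props['MailAccessType']   # Bind (item opened) or Sync (folder downloaded)
            IsThrottled      = ($props['IsThrottled'] -eq 'True')
            OperationCount   = [int]$d.OperationCount     # items aggregated into this record
            Folders          = (($folders | ForEach-Object { $_.Path }) -join ';')
            MessageIds       = (($folders | ForEach-Object { $_.FolderItems } |
                                    ForEach-Object { $_.InternetMessageId }) -join ';')
        }
    }
}

function Get-MailAccessSummary {
    param([Parameter(Mandatory)][object[]]$Parsed)
    [pscustomobject]@{
        Records          = $Parsed.Count
        ItemsTouched     = ($Parsed | Measure-Object -Property OperationCount -Sum).Sum
        ThrottledRecords = @($Parsed | Where-Object IsThrottled).Count
        SyncRecords      = @($Parsed | Where-Object { $_.MailAccessType -eq 'Sync' }).Count
        ByClientIP       = @($Parsed | Group-Object ClientIPAddress | Sort-Object Count -Descending |
                                Select-Object Name, Count)
    }
}

# Constructed sample AuditData (not real tenant data) so the parser can be exercised offline.
$sample = @'
{"CreationTime":"2024-03-01T10:15:00","Operation":"MailItemsAccessed","UserId":"alice@contoso.example",
 "ClientIPAddress":"203.0.113.7","ClientInfoString":"Client=OWA;Action=ViaProxy",
 "OperationProperties":[{"Name":"MailAccessType","Value":"Bind"},{"Name":"IsThrottled","Value":"True"}],
 "Folders":[{"Path":"\\\\Inbox","FolderItems":[{"InternetMessageId":"<a1@contoso.example>"}]}],
 "OperationCount":1}
'@
ConvertFrom-MailItemsAccessed -Record $sample | Format-List

# Live run: a 90-day window for one compromised mailbox, then the pivots that matter.
$parsed = @(Get-UalRecordsPaged -Start (Get-Date).AddDays(-90) -End (Get-Date) -UserIds 'alice@contoso.example' |
    ConvertFrom-MailItemsAccessed)
Get-MailAccessSummary -Parsed $parsed

# Every throttled record marks the start of a 24-hour window in which bind access went unrecorded.
$parsed | Where-Object IsThrottled | Select-Object CreationTime, ClientIPAddress, ClientInfoString
$parsed | Export-Csv -Path .\MailItemsAccessed.csv -NoTypeInformation
```

The ByClientIP grouping is usually the fastest way to separate the owner’s normal clients from the attacker’s, and the throttled timestamps define the gaps you must report as "access unknown" rather than "no access".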

Audit Search Graph API

Microsoft announced the Microsoft Purview Audit Search Graph API. This API will allow Microsoft Purview Audit to programmatically search and retrieve relevant audit logs, improving search completeness, reliability, and performance. It is an improved alternative to the existing PowerShell cmdlet Search-UnifiedAuditLog.

With this new feature, you can expect faster search times, more complete search results, and a more robust and reliable search experience.

Highlights of the API with improvements over the existing Search-UnifiedAuditLog cmdlet are listed below:

  • The API offers an asynchronous audit search experience with support for automation that is accessible for both users and applications.
  • A more reliable Audit search experience with fewer timeouts and improved search completeness.
  • New granular permissions have been introduced for the audit workloads, allowing you to grant workload-scoped access to your security admins for the first time.
Note: A new capability is currently in Public Preview and will be Generally Available by June 2024.

The new API allows you to scope access to audit logs at a workload level for the first time, through seven newly introduced permissions.

How can the Audit Search Graph API permissions be seen in the Graph Explorer tool?

To call the Audit Log Query Graph API from your own tooling, register an application in Microsoft Entra, add the relevant Microsoft Graph permissions to it, and grant consent. In Graph Explorer you can do the same for a test session: open the permissions panel, search for the relevant permissions, and consent to them.

Working with the API to get data is a three-step, asynchronous cycle:

Create auditLogQuery: POST a query describing what you want to retrieve (time range, operations, record types, users, IP addresses, and so on). The API returns a query object with an id and a status.

Poll the query: GET the query by its id until the status is no longer notStarted or running. A wide time range can take minutes to complete.

List records: GET the query’s records collection. Results come back paged as JSON; follow the @odata.nextLink until it is absent and then process the records, which carry the same audit data payload the cmdlet returns, ready to analyze.
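The create, poll, and list cycle above, as an added example using the Microsoft.Graph PowerShell SDK; this is not code from the original post or from Microsoft. It assumes the SDK is installed, that the caller holds an AuditLogsQuery permission (AuditLogsQuery.Read.All is used here as an assumption; the workload-scoped variants give least privilege), that the beta endpoint documented during the preview is still current, and that the user and dates are placeholders.

```powershell
# Added example (not from the original post or Microsoft): the create / poll / list cycle of the
# Purview Audit Search Graph API via the Microsoft.Graph PowerShell SDK. Assumptions: the SDK is
# installed, the caller holds an AuditLogsQuery permission (AuditLogsQuery.Read.All assumed here),
# the beta endpoint from the preview is current, and the user and dates are placeholders.
Connect-MgGraph -Scopes 'AuditLogsQuery.Read.All' -NoWelcome

$base = 'https://graph.microsoft.com/beta/security/auditLog/queries'

function New-AuditLogQuery {
    # Step 1: create the query. Only the filters you pass are sent; an omitted filter matches all.
    param(
        [Parameter(Mandatory)][datetime]$Start,
        [Parameter(Mandatory)][datetime]$End,
        [string[]]$Operations,
        [string[]]$UserPrincipalNames,
        [string]$DisplayName = "IR-$(Get-Date -Format 'yyyyMMdd-HHmm')"
    )
    $body = @{
        displayName         = $DisplayName
        filterStartDateTime = $Start.ToUniversalTime().ToString('o')
        filterEndDateTime   = $End.ToUniversalTime().ToString('o')
    }
    if ($Operations)         { $body.operationFilters         = $Operations }
    if ($UserPrincipalNames) { $body.userPrincipalNameFilters = $UserPrincipalNames }
    Invoke-MgGraphRequest -Method POST -Uri $base -Body $body
}

function Wait-AuditLogQuery {
    # Step 2: the search runs asynchronously; poll until the status leaves notStarted/running.
    param([Parameter(Mandatory)][string]$QueryId, [int]$PollSeconds = 30)
    do {
        Start-Sleep -Seconds $PollSeconds
        $q = Invoke-MgGraphRequest -Method GET -Uri "$base/$QueryId"
    } while ($q.status -in 'notStarted', 'running')
    if ($q.status -ne 'succeeded') { throw "Audit query $QueryId ended with status $($q.status)" }
    $q
}

function Get-AuditLogQueryRecords {
    # Step 3: records are paged; follow @odata.nextLink until it is absent.
    param([Parameter(Mandatory)][string]$QueryId)
    $uri = "$base/$QueryId/records"
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        $page.value
        $uri = $page.'@odata.nextLink'
    }
}

$query   = New-AuditLogQuery -Start (Get-Date).AddDays(-30) -End (Get-Date) `
               -Operations 'MailItemsAccessed', 'UserLoggedIn' -UserPrincipalNames 'alice@contoso.example'
$null    = Wait-AuditLogQuery -QueryId $query.id
$records = @(Get-AuditLogQueryRecords -QueryId $query.id)

# Each record exposes common fields at the top level and the raw record under auditData, whose
# property names follow the workload's own record (the same payload the cmdlet returns as JSON).
$records |
    Select-Object createdDateTime, operation, userPrincipalName, clientIp,
        @{ n = 'MailAccessType'; e = { ($_.auditData.OperationProperties | Where-Object Name -eq 'MailAccessType').Value } } |
    Format-Table -AutoSize
"$($records.Count) records returned for query $($query.id)"
```

Because the query is a server-side job, the same id can be polled from a different session or automation run, and the records endpoint can be re-read, which is what makes this flow more robust than a long-running cmdlet call that times out.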



The Little Things

The “little things” that every IR team should know when investigating with the Unified Audit Log can make the difference between a fluent investigation and a painful one. Below are some highlights that can help before entering an investigation process. I’ve shortened the list to the most prominent ones.

Lack of Evidence isn’t Evidence of Lack

There are multiple ways to search the audit log: Microsoft Purview, Defender XDR, Exchange PowerShell cmdlet Search-UnifiedAuditLog, or Microsoft Graph. However, you may receive different results if you run the same search parameter using all those methods. Some bugs, gaps, or limitations exist in the Graph endpoints used to search the log.

Remember, if you search the audit log using Graph and don’t find any results, you may not be able to assume that the activity you’re looking for didn’t occur.

Note: Cross-check a negative result with a second method, for example the Search-UnifiedAuditLog cmdlet, before concluding that the activity did not occur.

Turn on by Default

UAL is a critical piece of evidence for investigations in M365 environments, whether the case is an APT intrusion, an illicit consent grant, a standard phishing compromise, or something else. An important fact is that the UAL should be enabled by default: several years ago, Microsoft stated it was enabling the Unified Audit Log by default in all tenants, but recent documentation shows that this applies only to certain licensing levels.

TIP: The most important setting is the UnifiedAuditLogIngestionEnabled, but the others can provide additional information.

Audit logging is turned on by default for Microsoft 365 organizations. However, when setting up a new one, you should verify the organization’s auditing status.



The Next Things

In addition to the retention extension and the newly available logs, several enhancements in Purview Audit were recently released or are coming soon:

  • Granular scoping with RBAC: delegate role-based permissions to users or analysts at a granular level and scope what they see in Audit search results.
  • Audit custom activities search: admins can search for audit log events that are not in the activity picker by entering the operation name in the custom search bar.
  • Customized retention policies: customers with the 10-Year Audit Log Retention add-on for Microsoft Purview Audit (Premium) can create additional customized retention policies; customers with the Audit (Premium) SKU get additional short-term retention policies.
  • Customized retention policies (long-term): new long-term retention policies for the 10-Year Audit Log Retention add-on for Microsoft Purview Audit (Premium).


References

The Investigate threats by using audit features in Microsoft Defender XDR and Microsoft Purview Standard module provides more information about how to search for audited activities using the Microsoft Purview Audit (UAL) solution, including how to export, configure, and view the audit log records that were retrieved from an audit log search.

Best Practices using the Search-UnifiedAuditLog cmdlet tool—The audit log records events from various workloads. The Search-UnifiedAuditLog cmdlet can search and retrieve data from the audit log.

Expanding audit logging and retention within Microsoft Purview for increased security visibility with a new default retention period for activity logs and new logs for increased security.
