M365UAL

The Unified Audit Log (UAL) is a critical piece of evidence in identity compromise investigations because it is the centralized source for all Microsoft 365 events. The UAL contains at least 236 categories of data, including events from Azure, Exchange, SharePoint, OneDrive, and Teams.

The Graph API is considered superior to the Exchange Online PowerShell method for acquiring Unified Audit Log (UAL) data for several reasons:

  1. Efficiency in Fetching Data: The Graph API can fetch data without extensive client-side looping, unlike the Search-UnifiedAuditLog cmdlet, which returns at most 5000 records per call and therefore needs repeated calls for larger result sets.
  2. Performance with Large Volumes: As the number of records grows, the Graph API's advantage is expected to grow with it, because its data retrieval is more efficient. With the Search-UnifiedAuditLog cmdlet, by contrast, larger datasets require more iterations, so execution time increases with volume.
  3. Consistency in Data Volume: In testing, the Graph API consistently returned the same number of records for the same query, whereas the Search-UnifiedAuditLog method yielded varying event counts between runs. This consistency is crucial for reliable analysis and auditing, since an investigator must be confident that a search has not silently dropped events.
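The exchange the list above refers to, as an added example that is not code from the M365UAL page: the client submits one server-side audit log query, polls its status, then follows `@odata.nextLink` to drain every page of records, so there is no 5000-record client loop to manage. The endpoint path (`/security/auditLog/queries`), body field names, and status values are assumed from the Microsoft Graph beta `auditLogQuery` resource and should be checked against current documentation; the `FakeGraph` transport below is constructed so the flow runs offline.

```python
"""Submit, poll and page a Microsoft Graph Unified Audit Log query.

Added example, not the page's own code. Endpoint, body fields and status
values are ASSUMED from the Graph beta auditLogQuery resource. The HTTP
transport is injected (post/get callables) so the logic runs offline
against the constructed FakeGraph below; a real run would pass callables
that send authenticated requests.
"""
import time
from typing import Callable, Optional

GRAPH = "https://graph.microsoft.com/beta"
TERMINAL = {"succeeded", "failed", "cancelled"}

# Constructed filter body in the assumed auditLogQuery shape.
EXAMPLE_FILTERS = {
    "displayName": "M365UAL investigation (constructed)",
    "filterStartDateTime": "2024-01-01T00:00:00Z",
    "filterEndDateTime": "2024-01-31T00:00:00Z",
    "operationFilters": ["MailboxLogin", "FileAccessed"],
    "userPrincipalNameFilters": ["user1@example.com"],
    "ipAddressFilters": ["8.8.8.8"],
}


def run_audit_query(post: Callable[[str, dict], dict], get: Callable[[str], dict],
                    filters: dict, poll_seconds: float = 0.0, max_polls: int = 100) -> list:
    """Create the query, wait for the service to finish it, then collect all record pages."""
    created = post(f"{GRAPH}/security/auditLog/queries", filters)
    query_url = f"{GRAPH}/security/auditLog/queries/{created['id']}"

    # The search itself runs server side; the client only watches the status field.
    status = created.get("status", "notStarted")
    for _ in range(max_polls):
        status = get(query_url)["status"]
        if status in TERMINAL:
            break
        time.sleep(poll_seconds)
    else:
        raise TimeoutError(f"query {created['id']} still {status!r} after {max_polls} polls")
    if status != "succeeded":
        # A failed/cancelled query must not be mistaken for "no events": surface it.
        raise RuntimeError(f"query {created['id']} ended with status {status!r}")

    # Records are paged; follow @odata.nextLink until the service stops returning one.
    records: list = []
    next_url: Optional[str] = f"{query_url}/records"
    while next_url:
        page = get(next_url)
        records.extend(page.get("value", []))
        next_url = page.get("@odata.nextLink")
    return records


class FakeGraph:
    """Constructed stand-in for the service: 'running' once, then pages of records."""

    def __init__(self, total_records: int = 7, page_size: int = 3, final_status: str = "succeeded"):
        self.polls = 0
        self.requests: list = []          # every call made, for inspection
        self.page_size = page_size
        self.final_status = final_status
        self._records = [  # constructed audit records
            {"id": f"r{i}", "operation": "MailboxLogin",
             "userPrincipalName": "user1@example.com", "clientIp": "8.8.8.8"}
            for i in range(total_records)
        ]

    def post(self, url: str, body: dict) -> dict:
        self.requests.append(f"POST {url}")
        return {"id": "q-constructed-0001", "status": "notStarted", **body}

    def get(self, url: str) -> dict:
        self.requests.append(f"GET {url}")
        if url.endswith("/q-constructed-0001"):          # status poll
            self.polls += 1
            return {"id": "q-constructed-0001",
                    "status": self.final_status if self.polls >= 2 else "running"}
        # Records page; the constructed nextLink carries the offset as ?$skip=N.
        offset = int(url.split("$skip=")[1]) if "$skip=" in url else 0
        page = {"value": self._records[offset:offset + self.page_size]}
        if offset + self.page_size < len(self._records):
            page["@odata.nextLink"] = f"{url.split('?')[0]}?$skip={offset + self.page_size}"
        return page


if __name__ == "__main__":
    fake = FakeGraph()
    got = run_audit_query(fake.post, fake.get, EXAMPLE_FILTERS)
    print(f"{len(got)} records over {len(fake.requests)} requests")
```

The important defensive detail is the status check: a query that ends `failed` or `cancelled` raises instead of returning an empty list, so an investigator never reads "no records" from a search that did not actually complete.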

Note: A Global Administrator in the client tenant, or a Cloud Application Administrator (the least-privileged role that can do this), must consent to this URL to authorize this application.

This form will start a Unified Audit Log search. The retrieved records will be sent to Azure Data Explorer for analysis. Searches typically take 5-20 minutes depending on the number of records returned.

Enter email addresses separated by commas (e.g., user1@example.com, user2@example.com)
The search window defaults to 30 days if not specified.
Enter operation types separated by commas (e.g., FileAccessed, MailboxLogin)
Enter keywords to filter the records (only supported by the default API)
Enter external IP addresses separated by commas (e.g., 8.8.8.8, 1.1.1.1, 208.67.222.222)
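How the form fields above might be parsed and validated before a search is started, as an added example that is not the M365UAL tool's own code: comma-separated lists are split and trimmed, the window defaults to 30 days, email addresses get a syntactic check, and IP addresses must parse and be globally routable (the form asks for external addresses, so a private or loopback address is rejected rather than silently searched). The output dictionary uses the field names assumed from the Microsoft Graph beta `auditLogQuery` body; the form does not state which API it calls, so treat that mapping as an assumption.

```python
"""Turn M365UAL-style form input into a validated audit log query filter.

Added example, not the tool's own code. Output keys (filterStartDateTime,
userPrincipalNameFilters, operationFilters, ipAddressFilters, keywordFilter)
are ASSUMED from the Graph beta auditLogQuery body.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from typing import Optional, Union

_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")   # syntactic sanity check only
_OPERATION = re.compile(r"^[A-Za-z0-9_.-]+$")        # e.g. FileAccessed, MailboxLogin
DEFAULT_DAYS = 30


def split_csv(raw: Optional[str]) -> list:
    """Split a comma-separated field, dropping blanks and surrounding whitespace."""
    return [item.strip() for item in (raw or "").split(",") if item.strip()]


def parse_emails(raw: Optional[str]) -> list:
    emails = split_csv(raw)
    for e in emails:
        if not _EMAIL.match(e):
            raise ValueError(f"not an email address: {e!r}")
    return emails


def parse_operations(raw: Optional[str]) -> list:
    ops = split_csv(raw)
    for op in ops:
        if not _OPERATION.match(op):
            raise ValueError(f"not an operation name: {op!r}")
    return ops


def parse_external_ips(raw: Optional[str]) -> list:
    """Accept only syntactically valid, globally routable addresses."""
    ips = split_csv(raw)
    for item in ips:
        try:
            ip = ipaddress.ip_address(item)
        except ValueError:
            raise ValueError(f"not an IP address: {item!r}") from None
        if not ip.is_global:
            raise ValueError(f"{item} is not an external (globally routable) address")
    return ips


def _to_utc(now: Union[datetime, str, None]) -> datetime:
    """Accept a datetime or an ISO date/datetime string; default to the current time."""
    if now is None:
        return datetime.now(timezone.utc)
    if isinstance(now, str):
        now = datetime.fromisoformat(now.replace("Z", "+00:00"))
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    return now.astimezone(timezone.utc)


def build_filters(emails: str = "", days: Optional[int] = None, operations: str = "",
                  keywords: str = "", ips: str = "",
                  now: Union[datetime, str, None] = None) -> dict:
    """Build the query body; empty fields are omitted rather than sent as empty lists."""
    days = DEFAULT_DAYS if days is None else int(days)
    if days <= 0:
        raise ValueError("days must be positive")
    end = _to_utc(now)
    start = end - timedelta(days=days)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    body = {
        "displayName": f"M365UAL search {end.strftime(fmt)}",
        "filterStartDateTime": start.strftime(fmt),
        "filterEndDateTime": end.strftime(fmt),
    }
    if emails and emails.strip():
        body["userPrincipalNameFilters"] = parse_emails(emails)
    if operations and operations.strip():
        body["operationFilters"] = parse_operations(operations)
    if ips and ips.strip():
        body["ipAddressFilters"] = parse_external_ips(ips)
    if keywords and keywords.strip():
        body["keywordFilter"] = keywords.strip()   # only the default API honours this
    return body


if __name__ == "__main__":
    print(build_filters(emails="user1@example.com, user2@example.com",
                        operations="FileAccessed, MailboxLogin",
                        ips="8.8.8.8, 1.1.1.1, 208.67.222.222"))
```

Rejecting input early matters here because a search costs 5-20 minutes: a mistyped address or a private IP that could never appear as an external login source should fail at the form, not after the wait.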