Thursday, February 1, 2024

How to Enable Microsoft 365 Unified Audit Log

The Unified Audit Log, as the name implies, is a single log in which activities performed in and through the various Microsoft 365 services are recorded.

The full list of recorded activities is too long to include here, but among other things the log captures user and admin activity in Exchange Online, SharePoint Online, OneDrive for Business, Power BI, Microsoft Teams, Stream, Power Apps, and more.

The log contains a lot of information that is useful for security operations. It can be used to:

  1. Monitor user behaviour and detect suspicious activity
  2. Perform forensic investigations into the actions related to an incident
  3. Monitor specific use cases in your environment through platforms such as Microsoft 365 Defender, Microsoft Defender for Cloud Apps, Azure Monitor, and Microsoft Sentinel

To enable it through the Microsoft Security Center, navigate to Audit. If audit log search is still off, the option to turn it on is shown there; enabling it is as easy as clicking Turn on auditing.

Alternatively, connect to Exchange Online PowerShell and run the following script. It checks whether the log is already enabled and, if it isn't, enables it.


if((Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled -ne "True"){
Write-Host "Enabling the Unified Audit Log."
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $True }else{
Write-Host "The Unified Audit Log was already enabled."
}
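Once the log is enabled, the monitoring and forensic uses listed earlier come down to querying it. The following is an added example, not code from the original post: it uses the real Search-UnifiedAuditLog cmdlet to pull the last seven days of sign-in events and summarise them per user and source IP. It assumes an existing Exchange Online PowerShell session, that the operation names "UserLoggedIn" and "UserLoginFailed" are the ones recorded for successful and failed sign-ins, and that the AuditData JSON carries the fields UserId, ClientIP, Operation and CreationTime; check a record from your own tenant if the output looks empty.

```powershell
# Added example (not part of the original post). Assumes Connect-ExchangeOnline has
# already been run. Field names used on the parsed AuditData (UserId, ClientIP,
# Operation, CreationTime) are an assumption based on sign-in records; verify against
# one of your own records before relying on the output.

$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# Search-UnifiedAuditLog returns at most 5000 records per call. Re-running the same
# command with a fixed SessionId and ReturnLargeSet pages through the full result set
# (up to the cmdlet's own limit); an empty page means there is nothing more to fetch.
$sessionId = "signin-review-" + [guid]::NewGuid().ToString()
$records = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -Operations "UserLoggedIn","UserLoginFailed" -ResultSize 5000 `
        -SessionId $sessionId -SessionCommand ReturnLargeSet
    if ($page) { $records += $page }
} while ($page)

# Each record carries the event details as a JSON string in its AuditData property.
$events = $records | ForEach-Object { $_.AuditData | ConvertFrom-Json }

Write-Host ("Retrieved {0} sign-in events between {1} and {2}" -f $events.Count, $start, $end)

# Sign-ins per user and client IP. One account appearing from many distinct IPs, or one
# IP touching many accounts, is the kind of pattern worth a closer look.
$events |
    Where-Object { $_.Operation -eq 'UserLoggedIn' } |
    Group-Object UserId, ClientIP |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'User';     e = { $_.Group[0].UserId } },
        @{ n = 'ClientIP'; e = { $_.Group[0].ClientIP } } |
    Format-Table -AutoSize

# Failed sign-ins in time order, to spot repeated failures against specific accounts.
$events |
    Where-Object { $_.Operation -eq 'UserLoginFailed' } |
    Select-Object CreationTime, UserId, ClientIP |
    Sort-Object CreationTime |
    Format-Table -AutoSize
```

The same loop works for any other operation the log records; swap the value of -Operations (or add -RecordType and -UserIds) to scope the search to the activity you are investigating, and narrow the date window for large tenants, since the paged result set has an upper bound.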