M365 Investigations: Audit, Search & Graph | Guided by A Guide to Cloud

The M365 investigation toolkit

Simple explanation

Your investigation has traced the attack to Microsoft 365. The attacker used a compromised account to read emails, access SharePoint files, and change admin settings. Now you need to find exactly what they did.

Three tools help you investigate M365 activity:

Purview Audit — who did what, when, and where across M365 services
Content Search — find specific emails, files, or Teams messages matching your criteria
Microsoft Graph activity logs — what API calls were made (especially by apps and automations)

Purview Audit

What Audit captures

Service	Example Events
Exchange Online	Email sent, received, deleted, forwarded; mailbox permission changes; inbox rules created
SharePoint / OneDrive	Files viewed, downloaded, shared, deleted; site permission changes
Teams	Messages sent, deleted; meetings created; guest access changes
Entra ID	Sign-ins, password resets, MFA registrations, group membership changes
Power Platform	Power Automate flows created/modified, Power Apps published

Standard vs Premium Audit

Premium Audit provides longer retention and critical investigation events
Feature	Standard Audit	Premium Audit
Retention	180 days	1 year (configurable up to 10 years)
Events	Common user and admin activities	All Standard events + high-value events (MailItemsAccessed, Send, SearchQueryInitiatedExchange)
Key premium event	N/A	MailItemsAccessed — shows exactly which emails were read by a compromised account
Licence	Microsoft 365 E3/A3/G3	Microsoft 365 E5/A5/G5 or E5 Compliance add-on
Investigation value	Good for general investigations	Essential for BEC and data breach investigations

Exam tip: MailItemsAccessed is Premium only

MailItemsAccessed is the most important Premium Audit event for SOC analysts. It records every time an email is accessed — by the user, by an app, or by an attacker.

If the exam describes a scenario where you need to determine “which emails a compromised account read,” the answer requires Premium Audit with the MailItemsAccessed event. Standard Audit does not capture this level of detail.

Investigation workflow with Audit

Define your search — which user(s), which time period, which activities
Search Audit logs — filter by activity type (e.g., FileDownloaded, MailItemsAccessed, InboxRuleCreated)
Review results — who did what, when, from which IP address, using which app
Export for analysis — download results as CSV for detailed review
Correlate with other signals — match Audit findings with Defender XDR alerts

Scenario: James investigates a BEC attack using Audit

James at Pacific Meridian is investigating a business email compromise. The attacker used a compromised exec account for 3 days before detection.

Audit search results:

MailItemsAccessed — attacker read 340 emails, primarily from Finance and Legal folders
InboxRuleCreated — attacker created a rule forwarding emails containing “wire transfer” to an external address
FileDownloaded — attacker downloaded 15 files from the “Executive Strategy” SharePoint site
MessageSent — attacker sent 3 emails impersonating the exec requesting wire transfers

James now knows exactly what the attacker accessed and can begin data breach notification assessment.

Full investigation workflow: joining all three tools

In real investigations, you often need all three tools together. Here is how they connect:

Scenario: James investigates a suspected data breach

Day 1 alert: Defender XDR flags a suspicious OAuth app accessing executive mailboxes.

Step 1: Purview Audit — what did the attacker do?

James searches Audit logs for the compromised executive:

MailItemsAccessed (Premium) → 340 emails read, mostly Finance and Legal folders
InboxRuleCreated → forwarding rule to external-drop@protonmail.com
FileDownloaded → 15 files from “Executive Strategy” SharePoint library
Consent granted → OAuth app “Outlook-Sync-Pro” given Mail.ReadWrite + Files.Read.All

Step 2: Content Search — what data was exposed?

James uses Content Search to find the actual content:

Search: from:cfo@pacificmeridian.com AND (subject:"wire transfer" OR subject:"payment") → 12 emails containing bank account numbers
Search: filename:"Executive Strategy" in SharePoint → 15 files including M&A plans and board materials
These results go to Legal for data breach notification assessment

Step 3: Graph activity logs — what did the OAuth app do?

James filters Graph logs by the malicious app ID:

1,200 GET /me/messages calls → reading all emails programmatically
45 GET /me/drive/root/children calls → listing OneDrive structure
12 GET /me/drive/items/{id}/content calls → downloading specific files

The complete picture: A malicious OAuth app gained access via consent phishing, read 340 emails (some containing financial data), downloaded 15 strategic documents, and created a forwarding rule for ongoing exfiltration. The Audit tells James what happened, Content Search tells him what data was exposed, and Graph logs tell him how the app operated.

Content Search

Content Search finds specific content across M365 — emails, documents, Teams messages.

When to use Content Search

Scenario	How Content Search Helps
Find a phishing email	Search all mailboxes for emails from a specific sender or containing a specific URL
Locate sensitive documents	Search SharePoint/OneDrive for files matching keywords or sensitivity labels
Recover deleted messages	Search recoverable items (soft-deleted content) in Exchange
Compliance investigation	Find all content matching specific criteria for legal hold or eDiscovery

Search syntax

Content Search uses Keyword Query Language (KQL) — but note this is NOT the same KQL as Kusto Query Language used in Sentinel and Advanced Hunting. They share the acronym but are completely different languages. Content Search KQL uses property-value syntax:

from:attacker@evil.com — emails from a specific sender
subject:"invoice payment" — emails with a specific subject
filename:payload.exe — files with a specific name
sent>=2026-04-01 AND sent<=2026-04-15 — emails within a date range

Microsoft Graph activity logs

Graph activity logs record all API requests made to Microsoft Graph — the API that connects Microsoft 365 services.

Why Graph logs matter for investigations

Most modern attacks use the Microsoft Graph API directly:

OAuth app abuse — malicious apps use Graph to read emails and files
Automation abuse — compromised Power Automate flows use Graph to exfiltrate data
Administrative attacks — attackers use Graph to modify user settings, group memberships, or Conditional Access policies

What Graph logs capture

Field	What It Shows
RequestId	Unique identifier for the API call
AppId	Which application made the call
UserId	Which user context (or service principal)
ResourceUri	Which Graph endpoint was called (e.g., `/me/messages`, `/users/{id}/drive`)
HttpMethod	GET, POST, PATCH, DELETE
ResponseStatusCode	Did the call succeed (200) or fail (403, 404)?
IPAddress	Where the call came from

Scenario: Elena investigates a suspicious OAuth app using Graph logs

Elena at Atlas Bank follows up on the consent phishing attack from Module 16. The malicious “DocuSign-Verify” app was revoked, but Elena needs to know exactly what it accessed.

Graph activity log search:

AppId matches the malicious app
1,200+ GET /me/messages calls — reading all emails from 3 finance users
45 GET /me/drive/root/children calls — listing OneDrive file structure
12 GET /me/drive/items/{id}/content calls — downloading specific files

Elena correlates the file IDs with OneDrive audit logs to identify exactly which files were exfiltrated. This information goes to the legal and compliance team for breach assessment.

Question

What is the most important Premium Audit event for investigating BEC attacks?

Click or press Enter to reveal answer

Answer

MailItemsAccessed — it records every time an email is accessed (read) by a user, app, or attacker. It shows exactly which emails a compromised account viewed. This event is only available with Premium Audit (E5 licence).

Click to flip back

Question

What are the three M365 investigation tools and when to use each?

Click or press Enter to reveal answer

Answer

1. Purview Audit — who did what, when (user/admin activity logs across M365). 2. Content Search — find specific emails, files, or messages matching criteria (KQL queries). 3. Microsoft Graph activity logs — what API calls were made (app-level operations, OAuth abuse, automation).

Click to flip back

Question

Why are Microsoft Graph activity logs important for investigating OAuth attacks?

Click or press Enter to reveal answer

Answer

Malicious OAuth apps use the Graph API to access user data. Graph logs show exactly which API calls the app made — what endpoints it hit (messages, files, calendar), how many calls it made, and from which IP. This reveals the scope of data access during consent phishing attacks.

Click to flip back

Knowledge Check

James needs to determine exactly which emails a compromised executive account read during a 3-day BEC attack. What does he need?

Knowledge Check

Elena discovers that a malicious OAuth app made 1,200 Graph API calls to '/me/messages' on behalf of 3 users. Which investigation tool revealed this?

Knowledge Check

James is investigating a BEC attack where the attacker used a compromised executive account for 3 days. He needs to determine exactly which emails were read, which files were downloaded from SharePoint, and which Graph API calls a suspicious OAuth app made. Which combination of tools gives him the COMPLETE picture?

🎬 Video coming soon

Next up: Domain 2 is complete! We shift to Domain 3: Perform Threat Hunting — proactive searching for threats that your detections missed. We start with KQL foundations.