Group Purchasing
Group Purchasing

What Your M365 Logs Are Not Telling You

What Your M365 Logs Are Not Telling You (PDF, 0.39MB)Published: 08 Jul, 2026
Created by:

Most security teams assume their M365 telemetry is flowing because the Unified Audit Log is on. In practice, five separate configuration surfaces each have their own portal, RBAC, and failure mode, and none of them know about the others. Teams, Power Platform, and Copilot audit activity disappear silently when Audit.General goes unsubscribed. Entra ID sign-in logs never reach the SIEM when diagnostic settings are never configured. OfficeActivity covers roughly 40% of UAL activity by default, but nothing in the data signals that the rest is missing. Cloud threat detection depends on knowing what is actually flowing into your tooling and where the gaps are. This cheat sheet is a practical companion for security analysts and detection engineers working in Microsoft environments, and pairs directly with the skills and detection methodology taught in SEC541: Cloud Security Threat Detection.

What's Inside

  • The five M365 configuration surfaces mapped to their controls, where each is managed, and the specific gap that appears when each one is misconfigured
  • 11 log tables including OfficeActivity, CloudAppEvents, SignInLogs, and GraphApiAuditEvents mapped to platform, source, license requirement, retention window, and coverage percentage
  • Three collection paths for the same event, using MailItemsAccessed as the reference case, with callouts on how each path produces different coverage, latency, and schema
  • PowerShell commands to verify UAL ingestion, per-mailbox audit configuration, and Mgmt Activity API subscription status
  • A blind spot checklist covering configuration, coverage, and retention gaps, including schema gotchas that affect detection logic

Who This Is For

Security analysts, detection engineers, and threat hunters who work in Microsoft environments and need to verify that their SIEM is collecting what they think it is. Particularly useful for teams building or auditing detections against M365 data sources, or anyone preparing for or responding to an incident where log completeness is in question.

Meet Your Author

Lydia Graslie
Lydia Graslie

Lydia Graslie

Lydia Graslie is a Senior Threat Research Engineer at Sysdig, where she focuses on cloud threat detection across Azure and SaaS environments.

Read more about Lydia Graslie