M365 Evidence Sources for Incident Response
Four evidence domains
An M365 incident produces evidence across four domains simultaneously. Every investigation touches at least two. Most touch all four. This section maps the landscape at a high level. Module 5 teaches each source in depth with worked forensic analysis.
Identity
Identity evidence records who authenticated, how, from where, and whether that authentication was legitimate or the result of a stolen credential.
The primary sources are the Entra ID sign-in logs. Four separate log tables exist, and most analysts only check one:
LOG TABLE                        WHAT IT RECORDS                               DEFAULT RETENTION
SigninLogs                       Interactive user sign-ins (password + MFA)    30 days
AADNonInteractiveUserSignInLogs  Token refreshes, SSO, background auth         30 days
AADServicePrincipalSignInLogs    Service principal authentication              30 days
AADManagedIdentitySignInLogs     Managed identity authentication               30 days

The 30-day native retention applies to all four tables. If the attacker created a service principal on day 1 and your SOC detected the compromise on day 35, the service principal's initial sign-in evidence is gone unless Sentinel was ingesting AADServicePrincipalSignInLogs. Most Sentinel deployments ingest SigninLogs but not the other three tables. Module 3 covers the diagnostic settings configuration to close this gap.
The Entra ID audit log records directory changes: user creation, role assignment, app registration, service principal credential addition, Conditional Access policy modification, group membership changes. This is the evidence source for persistence and privilege escalation. Same 30-day native retention.
Email
Email evidence records what the attacker did with compromised mailboxes.
MailItemsAccessed proves which emails the attacker read. Two operation types: bind (individual item access) and sync (folder-level synchronization). MailItemsAccessed throttles under load, aggregating multiple access events into fewer records grouped by SessionId. This doesn't destroy evidence but compresses it, making scoping more complex. Critical licensing dependency: MailItemsAccessed requires E5 or the Audit Premium add-on. E3 tenants do not have this evidence source. In an E3 investigation, you cannot definitively prove which emails the attacker accessed.
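The scoping problem described above, bind records that name individual messages against sync records and throttled sessions that do not, as an added example that is not course material. The records are constructed samples shaped like the AuditData JSON that Search-UnifiedAuditLog returns for MailItemsAccessed; the mailbox, IP addresses, session IDs and message IDs are placeholders, not values from the page.

```powershell
# Added example, not course material: scoping mailbox exposure from MailItemsAccessed.
# The records below are constructed samples shaped like the AuditData JSON that
#   Search-UnifiedAuditLog -StartDate <d1> -EndDate <d2> -Operations MailItemsAccessed -UserIds <upn>
# returns in each record's AuditData property; replace them with the real export.
$auditJson = @'
[
 {"CreationTime":"2024-05-02T09:14:03","Operation":"MailItemsAccessed","MailboxOwnerUPN":"victim@tenant.example",
  "LogonType":0,"SessionId":"sess-0001","ClientIPAddress":"203.0.113.45","ClientInfoString":"Client=REST;Client=RESTSystem;;",
  "OperationProperties":[{"Name":"MailAccessType","Value":"Bind"},{"Name":"IsThrottled","Value":"False"}],
  "Folders":[{"Path":"\\Inbox","FolderItems":[{"InternetMessageId":"<a1@tenant.example>"},{"InternetMessageId":"<a2@tenant.example>"}]}]},
 {"CreationTime":"2024-05-02T09:14:41","Operation":"MailItemsAccessed","MailboxOwnerUPN":"victim@tenant.example",
  "LogonType":0,"SessionId":"sess-0001","ClientIPAddress":"203.0.113.45","ClientInfoString":"Client=REST;Client=RESTSystem;;",
  "OperationProperties":[{"Name":"MailAccessType","Value":"Bind"},{"Name":"IsThrottled","Value":"False"}],
  "Folders":[{"Path":"\\Inbox","FolderItems":[{"InternetMessageId":"<a2@tenant.example>"},{"InternetMessageId":"<a3@tenant.example>"}]}]},
 {"CreationTime":"2024-05-02T11:02:10","Operation":"MailItemsAccessed","MailboxOwnerUPN":"victim@tenant.example",
  "LogonType":0,"SessionId":"sess-0002","ClientIPAddress":"198.51.100.7","ClientInfoString":"Client=OutlookService;Outlook-iOS/2.0",
  "OperationProperties":[{"Name":"MailAccessType","Value":"Sync"},{"Name":"IsThrottled","Value":"False"}],
  "Folders":[{"Path":"\\Inbox"}]},
 {"CreationTime":"2024-05-02T11:02:12","Operation":"MailItemsAccessed","MailboxOwnerUPN":"victim@tenant.example",
  "LogonType":0,"SessionId":"sess-0002","ClientIPAddress":"198.51.100.7","ClientInfoString":"Client=OutlookService;Outlook-iOS/2.0",
  "OperationProperties":[{"Name":"MailAccessType","Value":"Sync"},{"Name":"IsThrottled","Value":"True"}],
  "Folders":[{"Path":"\\Sent Items"}]}
]
'@

# OperationProperties is a list of Name/Value pairs; pull one by name.
function Get-OpProp {
    param($Record, [string]$Name)
    ($Record.OperationProperties | Where-Object { $_.Name -eq $Name } | Select-Object -First 1).Value
}

$records = $auditJson | ConvertFrom-Json | Where-Object { $_.Operation -eq 'MailItemsAccessed' }

# One summary row per SessionId. A stolen token shows up as LogonType 0 (owner), exactly like
# the real user, so sessions are told apart by IP and client string, not by logon type.
$summary = foreach ($session in ($records | Group-Object SessionId)) {
    $bound     = [System.Collections.Generic.HashSet[string]]::new()   # distinct messages read via bind
    $synced    = [System.Collections.Generic.HashSet[string]]::new()   # folders pulled via sync
    $throttled = $false
    foreach ($r in $session.Group) {
        if ((Get-OpProp $r 'IsThrottled') -eq 'True') { $throttled = $true }
        switch (Get-OpProp $r 'MailAccessType') {
            'Bind' { foreach ($f in $r.Folders) { foreach ($i in $f.FolderItems) { [void]$bound.Add($i.InternetMessageId) } } }
            'Sync' { foreach ($f in $r.Folders) { [void]$synced.Add($f.Path) } }
        }
    }
    # Sync records name folders, not messages, and a throttled session has records that were
    # aggregated away: in both cases the exact list is not recoverable and the scope widens.
    $scope = if ($synced.Count -gt 0 -or $throttled) { 'Widen: treat synced folders / whole session window as exposed' }
             else { 'Exact: message list is complete' }
    $first = $session.Group | Sort-Object CreationTime | Select-Object -First 1
    [pscustomobject]@{
        SessionId     = $session.Name
        ClientIP      = $first.ClientIPAddress
        Client        = $first.ClientInfoString
        FirstSeen     = $first.CreationTime
        Records       = $session.Count
        BoundMessages = $bound.Count
        SyncedFolders = (@($synced) -join ', ')
        Throttled     = $throttled
        Scope         = $scope
    }
}
$summary | Format-Table -AutoSize
```

With the constructed input, sess-0001 resolves to exactly three distinct messages (the overlapping a2 is counted once), while sess-0002 is both a sync and throttled, so its row reports folders rather than messages and is flagged for a widened scope. On an E3 tenant the input would simply be empty, which is the point the paragraph makes about licensing.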
Mailbox audit log records administrative and owner actions on mailboxes: inbox rule creation (New-InboxRule), forwarding changes (Set-Mailbox), delegate permission modifications, and email deletion (HardDelete, SoftDelete). Retained for 90 days.
Message trace records email delivery: sender, recipient, subject, delivery status, routing path. Available for 10 days in the Exchange admin center, 90 days via extended trace report. This is the evidence that confirms whether the BEC email was actually delivered to the recipient.
Unified Audit Log (UAL) is the central audit repository. It records events across Exchange, SharePoint, OneDrive, Entra ID, Teams, Power Platform, and more. Default retention changed from 90 to 180 days in October 2023 for all tiers. E5 tenants get one year for Exchange, SharePoint, and Entra ID activity. Up to 10 years with the audit log retention add-on. Searchable via PowerShell (Search-UnifiedAuditLog) or the Purview compliance portal. Note: PowerShell searches via Search-UnifiedAuditLog can access up to 365 days of data in practice, even on non-E5 tenants, though the Purview portal UI enforces the documented retention limits.
Files and collaboration
SharePoint and OneDrive audit logs record file access, download, upload, sharing link creation, external sharing, and deletion. Key operations: FileDownloaded, FileUploaded, AnonymousLinkCreated, SharingSet, FileDeleted. In Sentinel, these appear as OfficeActivity records with SharePoint record types. In Defender XDR, they're queryable through CloudAppEvents.
Teams evidence is recorded in the UAL and in OfficeActivity. Message sends, file shares through Teams channels, meeting joins, and external user additions all produce audit records. Teams-based phishing, where the attacker sends malicious links via Teams messages from a compromised internal account, is a growing initial access vector and the evidence lives in these tables.
Directory
The Entra ID audit log (same source as identity, different record categories) records configuration changes: OAuth consent grants, app registrations, service principal credential additions, role assignments, Conditional Access policy modifications, federation trust changes. This is where you find the persistence mechanisms that survive password resets and session revocation. Same 30-day native retention.
Query surfaces
Microsoft Sentinel ingests identity logs, audit logs, and OfficeActivity into Log Analytics tables queryable with KQL. Sentinel extends retention beyond native limits (configurable up to 730 days) and provides the cross-source correlation surface for investigation. If your organization runs Sentinel, it is your primary investigation workspace.
Defender XDR Advanced Hunting provides access to email-specific tables (EmailEvents, EmailUrlInfo, EmailAttachmentInfo) and Defender for Identity tables (IdentityLogonEvents, IdentityDirectoryEvents) that Sentinel doesn't have natively. Advanced Hunting is your email investigation surface and provides additional identity telemetry from Defender for Identity.
If you have both Sentinel and Defender XDR, you have the complete investigation surface. If you have only one, you can still investigate. The course provides queries for both platforms.
What disappears first
The retention clocks are always running. The first action in any M365 investigation is evidence preservation: export the UAL, snapshot sign-in logs via Graph API, place litigation holds on affected mailboxes.
EVIDENCE SOURCE                 DEFAULT RETENTION               EXTENDED OPTIONS
Entra ID sign-in logs (all 4)   30 days                         Sentinel ingestion (up to 730 days)
Entra ID audit logs             30 days                         Sentinel ingestion (up to 730 days)
MailItemsAccessed               180 days (E5/Audit Premium)     10-year retention add-on
Mailbox audit log               90 days                         No extension available
Message trace                   10 days (basic)                 90 days (extended report)
Unified Audit Log               180 days (all tiers)            1 year (E5), 10 years (add-on)
SharePoint/OneDrive audit       180 days (all tiers)            1 year (E5), 10 years (add-on)
Sentinel workspace              90 days (default)               Configurable up to 730 days

The 30-day sign-in log retention is the most dangerous gap. Detect an incident on day 31 and the authentication evidence for the initial compromise is gone. Module 3 teaches the logging configuration that prevents this. Module 4 teaches the evidence preservation procedure you execute in the first hour of every investigation.
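The first-hour preservation steps named above (export the UAL, snapshot sign-in logs via Graph, litigation hold on affected mailboxes), carried through as one added example script. It is not the course's own procedure or tooling: it assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed and already connected with the permissions noted in the comments, and the account name and output folder are placeholders. It goes slightly beyond the paragraph by also snapshotting the Entra ID audit log (same 30-day clock) and hashing what was collected.

```powershell
# Added example, not part of the course: first-hour evidence preservation for one
# compromised account. Assumes the ExchangeOnlineManagement and Microsoft.Graph modules
# are installed and already connected:
#   Connect-ExchangeOnline
#   Connect-MgGraph -Scopes 'AuditLog.Read.All','Directory.Read.All'
# $Upn and $OutDir are placeholders; replace them for a real case.
param(
    [string]$Upn    = 'compromised.user@tenant.example',   # placeholder
    [int]$DaysBack  = 30,                                  # native sign-in log retention window
    [string]$OutDir = (Join-Path $PWD ('m365-evidence-' + (Get-Date -Format 'yyyyMMdd-HHmm')))
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$end   = (Get-Date).ToUniversalTime()
$start = $end.AddDays(-$DaysBack)

# --- 1. Unified Audit Log -------------------------------------------------------
# ReturnLargeSet pages through one search session, but a session stops at 50,000 records,
# so the window is sliced into days and each slice is paged on its own. AuditData is written
# untouched, one JSON record per line: that string is the evidence, so it is not reshaped.
function Export-UalSlice {
    param([datetime]$From, [datetime]$To, [string]$User, [string]$Path)
    $session = [guid]::NewGuid().ToString()
    do {
        $page = @(Search-UnifiedAuditLog -StartDate $From -EndDate $To -UserIds $User `
                  -SessionId $session -SessionCommand ReturnLargeSet -ResultSize 5000)
        $page | ForEach-Object { $_.AuditData } | Add-Content -Path $Path -Encoding utf8
    } while ($page.Count -eq 5000)
}
$ualPath = Join-Path $OutDir 'ual.jsonl'
for ($d = $start; $d -lt $end; $d = $d.AddDays(1)) {
    $to = $d.AddDays(1); if ($to -gt $end) { $to = $end }
    Export-UalSlice -From $d -To $to -User $Upn -Path $ualPath
}

# --- 2. Entra ID sign-in and audit logs via Graph -------------------------------
function Export-GraphPages {
    param([string]$Uri, [string]$Path)
    $items = [System.Collections.Generic.List[object]]::new()
    while ($Uri) {                       # follow @odata.nextLink until the last page
        $resp = Invoke-MgGraphRequest -Method GET -Uri $Uri
        foreach ($i in $resp.value) { $items.Add($i) }
        $Uri = $resp.'@odata.nextLink'
    }
    $items | ConvertTo-Json -Depth 20 | Set-Content -Path $Path -Encoding utf8
    return $items.Count
}
$since = $start.ToString('yyyy-MM-ddTHH:mm:ssZ')
# v1.0 /auditLogs/signIns returns interactive user sign-ins only. The beta endpoint's
# signInEventTypes filter reaches the other three categories (non-interactive, service
# principal, managed identity). Service principal and managed identity sign-ins carry no
# user UPN, so those two snapshots cover the whole tenant for the window.
$signInFilters = [ordered]@{
    'signins-interactive.json'      = "createdDateTime ge $since and userPrincipalName eq '$Upn'"
    'signins-noninteractive.json'   = "createdDateTime ge $since and userPrincipalName eq '$Upn' and signInEventTypes/any(t: t eq 'nonInteractiveUser')"
    'signins-serviceprincipal.json' = "createdDateTime ge $since and signInEventTypes/any(t: t eq 'servicePrincipal')"
    'signins-managedidentity.json'  = "createdDateTime ge $since and signInEventTypes/any(t: t eq 'managedIdentity')"
}
foreach ($file in $signInFilters.Keys) {
    $f = [uri]::EscapeDataString($signInFilters[$file])
    $n = Export-GraphPages -Uri "https://graph.microsoft.com/beta/auditLogs/signIns?`$filter=$f" -Path (Join-Path $OutDir $file)
    Write-Host ("{0,-32} {1} records" -f $file, $n)
}
# Directory changes (role assignments, app credentials, CA policy edits) share the 30-day clock.
$f = [uri]::EscapeDataString("activityDateTime ge $since")
$n = Export-GraphPages -Uri "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?`$filter=$f" -Path (Join-Path $OutDir 'directory-audits.json')
Write-Host "directory-audits.json: $n records"

# --- 3. Litigation hold ---------------------------------------------------------
# Keeps HardDelete/SoftDelete from destroying mailbox content (needs a mailbox license
# that supports holds, e.g. Exchange Online Plan 2 as included in E3/E5).
Set-Mailbox -Identity $Upn -LitigationHoldEnabled $true
Get-Mailbox -Identity $Upn | Select-Object UserPrincipalName, LitigationHoldEnabled, LitigationHoldDate |
    Out-File -FilePath (Join-Path $OutDir 'hold.txt')

# --- 4. Chain of custody: hash everything collected -----------------------------
Get-ChildItem -Path $OutDir -File | Get-FileHash -Algorithm SHA256 |
    Select-Object Path, Hash | Export-Csv -Path "$OutDir-manifest.csv" -NoTypeInformation
```

Run it once per affected account as soon as the scope is known; the Graph and UAL exports are read-only, and the hold is the only change it makes to the tenant. The manifest is written next to the evidence folder rather than inside it so the hash list does not include itself.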
Section 0.5 covers the tools you'll use to query, collect, and analyze this evidence.