Forum Discussion
Calum Steen
Dec 01, 2018
Brass Contributor
Do EOP actions create entries in the Office 365 audit log?
We feed the Office 365 audit log into IBM QRadar for additional analysis, together with logs from firewalls, domain controllers etc.
If EOP puts an email into user quarantine or removes an email due to malware, does this event get written into the Office 365 audit log?
- Use the Office 365 REST reporting web service.
https://docs.microsoft.com/en-us/previous-versions/office/developer/o365-enterprise-developers/jj984325(v=office.15)
This should have the reports you are looking for. They are not in the audit log.
https://docs.microsoft.com/en-us/previous-versions/office/developer/o365-enterprise-developers/jj984342%28v%3doffice.15%29
Best, Chris
No. The audit log includes data from the Exchange admin audit log and mailbox-level auditing; none of these include EOP events or mail flow in general. It's documented here: https://docs.microsoft.com/en-us/office365/securitycompliance/search-the-audit-log-in-security-and-compliance?redirectSourcePath=%252fen-US%252farticle%252fSearch-the-audit-log-in-the-Office-365-Protection-Center-0d4d0f35-390b-4518-800e-0c7ec95e946c
If you want to include such events, look into the mail flow data you can obtain via Get-MessageTrace or the good old reporting web service.
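Added example, not part of the thread: one way to pull the message trace route suggested above into a file that a SIEM log source can tail. It assumes an Exchange Online PowerShell session is already connected; the output path and the one-hour window are hypothetical choices.

```powershell
# Added example. Assumes an Exchange Online PowerShell session is already connected.
# $OutFile is a hypothetical path that a SIEM log-source agent would tail.
$OutFile  = 'C:\Logs\eop-messagetrace.jsonl'
$End      = (Get-Date).ToUniversalTime()
$Start    = $End.AddHours(-1)     # run hourly; widen the window to backfill
$PageSize = 5000                  # largest page Get-MessageTrace returns

# Delivery statuses that reflect EOP filtering decisions.
foreach ($status in 'Quarantined', 'FilteredAsSpam') {
    $page = 1
    do {
        # @() forces an array so .Count is reliable for 0 or 1 results.
        $rows = @(Get-MessageTrace -StartDate $Start -EndDate $End `
                      -Status $status -PageSize $PageSize -Page $page)

        foreach ($r in $rows) {
            # One compact JSON object per line keeps SIEM parsing simple.
            [pscustomobject]@{
                Received       = $r.Received.ToString('o')   # ISO 8601
                Status         = $r.Status
                Sender         = $r.SenderAddress
                Recipient      = $r.RecipientAddress
                Subject        = $r.Subject
                FromIP         = $r.FromIP
                MessageId      = $r.MessageId
                MessageTraceId = $r.MessageTraceId
            } | ConvertTo-Json -Compress |
                Add-Content -Path $OutFile -Encoding UTF8
        }
        $page++
    } while ($rows.Count -eq $PageSize)   # a full page means more may follow
}
```

Overlapping run windows produce duplicate lines; de-duplicate on MessageTraceId plus Recipient when the data is ingested.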