Forum Discussion

BM-HV
Copper Contributor
Jan 22, 2026

How do I import Purview Unified Audit Log data related to the use of the Audit Log into Sentinel?

Dear Community, I would like to implement the following scenario on an environment with Microsoft 365 E5 licenses:

Scenario: I want to import audit activities into an Azure Log Analytics workspace linked to Sentinel to generate alerts/incidents as soon as a search is performed in the Microsoft 365 Purview Unified Audit Log (primarily for IRM purposes).

Challenge: Neither the "Microsoft 365" connector nor the "Defender XDR" or "Purview" (which appears to be exclusively Azure Purview) connectors import the necessary data.

Question: Which connector do I have to use in order to obtain Purview Unified Audit Log activities about the use of the Purview Unified Audit Log so that I can identify... 

...which user conducted an audit log search, when, and with what kind of search query.

Thank you!

1 Reply

  • The reason none of those connectors work for this specific use case is that "audit log search" activities fall under the SecurityComplianceCenter workload in the unified audit log. The standard Microsoft 365 (Office 365) connector in Sentinel only ingests three workloads: Exchange, SharePoint, and Teams. SecurityComplianceCenter activities don't flow into the OfficeActivity table through that connector.

    The operation you're looking for is called SearchedAuditLog (and related operations like SearchedMailbox). These record when someone runs a search in the Purview audit log, including the user identity, timestamp, and search parameters.

    How to get this data into Sentinel

    Your best path is the Office 365 Management Activity API, subscribing to the Audit.General content type. This content type captures Security & Compliance Center activities that the built-in Sentinel connectors don't cover. You ingest the data into a custom Log Analytics table using one of these methods:

    1. Azure Function + Data Collection Rule. Build a lightweight Azure Function that polls the Management Activity API on a schedule, filters for RecordType = SecurityComplianceCenterEOPCmdlet (record type 18), and pushes the results into your Log Analytics workspace via the Logs Ingestion API. This is the most common approach for production environments.
    2. Logic App. Same concept, less code. Use the HTTP connector to call the Management Activity API and the Log Analytics data collector action to write the records.

    Once the data lands in your custom table, build your analytics rule to fire on SearchedAuditLog operations. The AuditData payload contains the search query parameters, the user who ran the search, and the time range they searched.

    Quick validation before building the pipeline

    Confirm the events exist in your tenant by running this in Exchange Online PowerShell:

    ```powershell
    Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -RecordType SecurityComplianceCenterEOPCmdlet -Operations SearchedAuditLog -ResultSize 10
    ```

    If that returns results, you know the data is there and just needs a pipeline into Sentinel.

    References:

    • https://learn.microsoft.com/office/office-365-management-api/office-365-management-activity-api-reference
    • https://learn.microsoft.com/azure/azure-monitor/reference/tables/officeactivity

    Please mark as solution, if you find the answer helpful. This will assist others in the community who encounter a similar issue, enabling them to quickly find the solution and benefit from the guidance provided. 🖖
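As an added example (not code from the reply, from Microsoft, or from any connector), here is the filtering step of the Azure Function path described above in Python: it takes a content blob as returned by the Management Activity API, keeps only record type 18 events with the SearchedAuditLog operation, and shapes them into rows for a custom table. The sample records, the Parameters layout, the column names and the addresses are constructed assumptions, not values from a real tenant.

```python
import json

# Constructed sample of two Audit.General records in the shape of a
# Management Activity API content blob; all values are made up.
SAMPLE_BLOB = json.dumps([
    {"CreationTime": "2026-01-20T09:14:02", "Id": "00000000-0000-0000-0000-000000000001",
     "Operation": "SearchedAuditLog", "RecordType": 18,
     "UserId": "analyst@contoso.example", "Workload": "SecurityComplianceCenter",
     "Parameters": [{"Name": "StartDate", "Value": "1/13/2026 12:00:00 AM"},
                    {"Name": "EndDate", "Value": "1/20/2026 12:00:00 AM"},
                    {"Name": "UserIds", "Value": "ceo@contoso.example"}]},
    {"CreationTime": "2026-01-20T09:15:40", "Id": "00000000-0000-0000-0000-000000000002",
     "Operation": "FileAccessed", "RecordType": 6,
     "UserId": "someone@contoso.example", "Workload": "SharePoint"},
])

SCC_CMDLET_RECORD_TYPE = 18          # SecurityComplianceCenterEOPCmdlet
WATCHED_OPERATIONS = {"SearchedAuditLog"}


def select_audit_search_events(blob_json):
    """Return rows for the custom table: only audit-log-search events.

    The output column names are an assumed custom-table schema; the DCR
    in front of the Logs Ingestion API would map them to the real table.
    """
    rows = []
    for rec in json.loads(blob_json):
        if rec.get("RecordType") != SCC_CMDLET_RECORD_TYPE:
            continue                  # other workloads: not our concern here
        if rec.get("Operation") not in WATCHED_OPERATIONS:
            continue                  # other SCC cmdlets: skip
        # Cmdlet records carry parameters as Name/Value pairs; flatten them
        # so the analytics rule can read the searched range and targets.
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        rows.append({
            "TimeGenerated": rec["CreationTime"] + "Z",
            "Operation": rec["Operation"],
            "SearchedBy": rec.get("UserId", ""),
            "SearchedRange": f'{params.get("StartDate", "?")} to {params.get("EndDate", "?")}',
            "SearchParameters": json.dumps(params, sort_keys=True),
            "AuditData": json.dumps(rec),   # keep the raw record for investigation
        })
    return rows


if __name__ == "__main__":
    for row in select_audit_search_events(SAMPLE_BLOB):
        print(row["SearchedBy"], "searched", row["SearchedRange"])
```

In the real function the blob would come from the API's content endpoint and the returned rows would be posted to the Logs Ingestion API; the analytics rule then only needs to fire on any row with Operation == "SearchedAuditLog".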