How do I import Purview Unified Audit Log data related to the use of the Audit Log into Sentinel?
The reason none of those connectors work for this specific use case is that "audit log search" activities fall under the SecurityComplianceCenter workload in the unified audit log. The standard Microsoft 365 (Office 365) connector in Sentinel only ingests three workloads: Exchange, SharePoint, and Teams. SecurityComplianceCenter activities don't flow into the OfficeActivity table through that connector.
The operation you're looking for is called SearchedAuditLog (and related operations like SearchedMailbox). These record when someone runs a search in the Purview audit log, including the user identity, timestamp, and search parameters.
How to get this data into Sentinel
Your best path is the Office 365 Management Activity API, subscribing to the Audit.General content type. This content type captures Security & Compliance Center activities that the built-in Sentinel connectors don't cover. You ingest the data into a custom Log Analytics table using one of these methods:
- Azure Function + Data Collection Rule. Build a lightweight Azure Function that polls the Management Activity API on a schedule, filters for RecordType = SecurityComplianceCenterEOPCmdlet (record type 18), and pushes the results into your Log Analytics workspace via the Logs Ingestion API. This is the most common approach for production environments.
- Logic App. Same concept, less code. Use the HTTP connector to call the Management Activity API and the Log Analytics data collector action to write the records.
Once the data lands in your custom table, build your analytics rule to fire on SearchedAuditLog operations. The AuditData payload contains the search query parameters, the user who ran the search, and the time range they searched.
Quick validation before building the pipeline
Confirm the events exist in your tenant by running this in Exchange Online PowerShell:
```powershell
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -RecordType SecurityComplianceCenterEOPCmdlet -Operations SearchedAuditLog -ResultSize 10
```
If that returns results, you know the data is there and just needs a pipeline into Sentinel.
References:
- https://learn.microsoft.com/office/office-365-management-api/office-365-management-activity-api-reference
- https://learn.microsoft.com/azure/azure-monitor/reference/tables/officeactivity
Please mark as solution if you find the answer helpful. This will assist others in the community who encounter a similar issue, enabling them to quickly find the solution and benefit from the guidance provided. 🖖
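One way to implement the filtering and shaping step of the Azure Function described in the answer above, as an added example that is not from the original post or from Microsoft: it takes the parsed records of one Audit.General content blob, keeps only record type 18 (SecurityComplianceCenterEOPCmdlet) records whose Operation is SearchedAuditLog or SearchedMailbox, drops duplicate deliveries, and shapes them into rows plus the request URL for the Logs Ingestion API. The sample records, user names, ids and the Parameters string are constructed, and the data collection endpoint, DCR immutable id and stream name in the usage are placeholders.

```python
import json

# Added example, not the post's code. RecordType 18 = SecurityComplianceCenterEOPCmdlet.
SCC_CMDLET_RECORD_TYPE = 18
WATCHED_OPERATIONS = {"SearchedAuditLog", "SearchedMailbox"}

# Constructed sample of one parsed Audit.General blob: an audit-log search, an unrelated
# SCC cmdlet, a sign-in from another workload, and a duplicate delivery of record 1.
SAMPLE_BLOB = [
    {"Id": "rec-0001", "RecordType": 18, "CreationTime": "2024-05-01T10:15:00",
     "Operation": "SearchedAuditLog", "UserId": "analyst@contoso.example",
     "Parameters": "-StartDate 4/24/2024 -EndDate 5/1/2024 -Operations FileDeleted"},
    {"Id": "rec-0002", "RecordType": 18, "CreationTime": "2024-05-01T10:20:00",
     "Operation": "Get-ComplianceSearch", "UserId": "analyst@contoso.example"},
    {"Id": "rec-0003", "RecordType": 15, "CreationTime": "2024-05-01T10:21:00",
     "Operation": "UserLoggedIn", "UserId": "someone@contoso.example"},
    {"Id": "rec-0001", "RecordType": 18, "CreationTime": "2024-05-01T10:15:00",
     "Operation": "SearchedAuditLog", "UserId": "analyst@contoso.example"},
]


def to_ingestion_rows(records, seen_ids=None):
    """Keep audit-log-search records, drop repeats, shape rows for the custom table.
    The full record is kept as JSON text in AuditData so a KQL rule can parse_json()
    it; pass seen_ids to carry dedup state across polling runs."""
    seen_ids = set() if seen_ids is None else seen_ids
    rows = []
    for rec in records:
        if (rec.get("RecordType") != SCC_CMDLET_RECORD_TYPE
                or rec.get("Operation") not in WATCHED_OPERATIONS):
            continue
        if rec["Id"] in seen_ids:  # content blobs can overlap between polls
            continue
        seen_ids.add(rec["Id"])
        rows.append({
            "TimeGenerated": rec["CreationTime"], "RecordId": rec["Id"],
            "Operation": rec["Operation"], "UserId": rec.get("UserId", ""),
            "Parameters": rec.get("Parameters", ""),
            "AuditData": json.dumps(rec, separators=(",", ":")),
        })
    return rows


def ingestion_request(dce_endpoint, dcr_immutable_id, stream_name, rows):
    """Return (url, body) for the Logs Ingestion API POST; caller adds the bearer token."""
    url = (f"{dce_endpoint}/dataCollectionRules/{dcr_immutable_id}"
           f"/streams/{stream_name}?api-version=2023-01-01")
    return url, json.dumps(rows)


if __name__ == "__main__":
    out = to_ingestion_rows(SAMPLE_BLOB)
    print(ingestion_request("https://DCE-PLACEHOLDER", "DCR-ID-PLACEHOLDER",
                            "Custom-PurviewAuditSearch_CL", out))
```

The analytics rule then selects rows where Operation == "SearchedAuditLog" from the custom table and parses AuditData for the search parameters and the time range searched.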