Dec 01 2018 04:19 AM
We feed the Office 365 audit log into IBM QRadar for additional analysis, together with logs from firewalls, domain controllers etc.
If EOP puts an email into user quarantine or removes an email due to malware, does this event get written into the Office 365 audit log?
Dec 01 2018 07:11 AM
No. The audit log includes data from the Exchange admin audit log and mailbox level auditing, none of these include EOP events or mail flow in general. It's documented here: https://docs.microsoft.com/en-us/office365/securitycompliance/search-the-audit-log-in-security-and-c...
If you want to include such events, look into the mail flow data you can obtain via Get-MessageTrace or the good old reporting web service.
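As an added example (not code from the reply above), this is the kind of Exchange Online PowerShell script one would run to pull EOP quarantine and spam/malware filtering verdicts out of the message trace and write them as JSON lines for a SIEM collector to pick up. It assumes the ExchangeOnlineManagement module is installed, the account holds a role that allows message tracking, and the output path and one-day window are chosen by you; those are assumptions, not anything stated in the thread. Note that Get-MessageTrace only reaches back about 10 days and returns at most 5000 rows per page, so the script pages through results rather than trusting a single call.

```powershell
# Added example, not from the original post or from Microsoft.
# Assumes: ExchangeOnlineManagement module present, a role that permits
# message tracking, and a writable output path (all assumptions).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$end     = Get-Date
$start   = $end.AddDays(-1)                      # trace data only goes back ~10 days
$outFile = 'C:\siem\eop-filtered-mail.jsonl'     # assumed collector pickup path

# Get-MessageTrace caps each page at 5000 rows; walk every page of the window.
$page = 1
$hits = @()
do {
    $batch = Get-MessageTrace -StartDate $start -EndDate $end -PageSize 5000 -Page $page
    # Keep only the verdicts the SIEM cares about: EOP set the message aside.
    $hits += @($batch | Where-Object { $_.Status -in 'Quarantined', 'FilteredAsSpam' })
    $page++
} while (@($batch).Count -eq 5000)

foreach ($m in $hits) {
    # Per-recipient detail carries the individual filter events (spam, malware,
    # transport rule, ...) that explain the final Status.
    $detail  = Get-MessageTraceDetail -MessageTraceId $m.MessageTraceId `
                                      -RecipientAddress $m.RecipientAddress
    $reasons = (@($detail) | ForEach-Object { "$($_.Event): $($_.Detail)" }) -join '; '

    # One JSON object per line so a file-tailing log source can parse it.
    [pscustomobject]@{
        timestamp      = $m.Received.ToUniversalTime().ToString('o')
        source         = 'EOP-MessageTrace'
        status         = $m.Status
        sender         = $m.SenderAddress
        recipient      = $m.RecipientAddress
        subject        = $m.Subject
        messageId      = $m.MessageId
        messageTraceId = $m.MessageTraceId
        fromIP         = $m.FromIP
        reasons        = $reasons
    } | ConvertTo-Json -Compress | Add-Content -Path $outFile -Encoding UTF8
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it on a schedule shorter than the trace retention window and keep the last successful end time so consecutive runs do not overlap or leave gaps; the Status filter can be widened to Failed if bounced mail should also reach the SIEM.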
Dec 01 2018 10:46 AM