Using Azure Automation to Monitor Unified Audit Log Events



The Office 365 audit log is a rich source of forensic information. This article explains how to use a script running under Azure Automation, with the Exchange Online management V3 PowerShell module and a managed identity, to search the log for high-priority events. You might want to do this to detect situations where attackers might have compromised your tenant and performed actions like creating a new connector or transport events.
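A minimal runbook sketch of the approach described above, added here as an illustration and not the article's own script. The tenant domain, the list of operations treated as high priority, the lookback window and the `-Offline` switch with its constructed sample record are all assumptions; the Automation account's managed identity is assumed to already hold the Exchange.ManageAsApp permission and a role that can search the audit log.

```powershell
param(
    [string]$Organization = 'contoso.onmicrosoft.com',  # placeholder tenant domain
    [int]$LookbackHours = 24,                           # assumed search window
    [switch]$Offline                                    # use the constructed sample instead of the tenant
)

# Operations treated as high priority in this example (an assumption; tune for your tenant).
$HighPriority = 'New-InboundConnector', 'New-OutboundConnector', 'New-TransportRule'

function ConvertTo-AuditFinding {
    # Flattens the JSON in AuditData into one reviewable object per matching event.
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $data = $Record.AuditData | ConvertFrom-Json
        if ($data.Operation -notin $HighPriority) { return }
        [pscustomobject]@{
            TimeUtc    = $data.CreationTime
            User       = $data.UserId
            Operation  = $data.Operation
            Target     = $data.ObjectId
            Parameters = ($data.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        }
    }
}

if ($Offline) {
    # Constructed sample records shaped like Search-UnifiedAuditLog output (not real data).
    $records = @(
        [pscustomobject]@{ AuditData = '{"CreationTime":"2024-01-01T02:03:04","UserId":"admin@contoso.onmicrosoft.com","Operation":"New-InboundConnector","ObjectId":"Sample Connector","Parameters":[{"Name":"SenderDomains","Value":"*"}]}' }
        [pscustomobject]@{ AuditData = '{"CreationTime":"2024-01-01T03:00:00","UserId":"user@contoso.onmicrosoft.com","Operation":"Set-Mailbox","ObjectId":"user","Parameters":[]}' }
    )
} else {
    # Sign in with the Automation account's system-assigned managed identity; no stored credentials.
    Connect-ExchangeOnline -ManagedIdentity -Organization $Organization
    $end = (Get-Date).ToUniversalTime()
    $search = @{
        StartDate  = $end.AddHours(-$LookbackHours)
        EndDate    = $end
        Operations = $HighPriority
        ResultSize = 5000
    }
    $records = Search-UnifiedAuditLog @search
    Disconnect-ExchangeOnline -Confirm:$false
}

# Emit findings to the job output stream, oldest first.
$records | ConvertTo-AuditFinding | Sort-Object TimeUtc | Write-Output
```

Running the script with `-Offline` returns only the constructed connector-creation event, which is a quick way to check the filtering before scheduling the runbook.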

