Detect Microsoft Support Activity in Tenant (No Customer Lock Box)

Hi everyone,

I am currently working with a customer on a detection to track Microsoft Support Case activities in the customers tenant.
The customer is currently checking the M365 Audit Log for certain matches on the "UserId" attribute.

• UserId=*@microsoft.com

• OR UserId="BoxServiceAccount"

• OR UserId="Microsoft Operator"

The key value pairs were provided by Microsoft!

Now they had an active case and access to the tenant last week, but could not find anything in the audit log. Support personell used an *@office365support.com domain account for access.
Adding domains to the detection might not be the smartest (convenient) solution...

Is there just no entry in the M365 Audit Log if "Customer Key" is not licensed?
From the MSFT-Docs i can find a quiet similar query to use when Customer Key is enabled.

Customer Lockbox requests - Microsoft Purview (compliance) | Microsoft Docs

Thanks / Regards
John