query_ual
Query the Microsoft 365 Unified Audit Log to retrieve tenant audit events. Optionally filter by operation, user, or lookback window for targeted investigations.
Instructions
Query the Microsoft 365 Unified Audit Log for a tenant. Optionally filter by operation type, user, or lookback window. Requires the `m365Proxy` service binding; returns `{ unprovisioned: true }` when absent. A `representative: true` field in the response marks sample (non-live) data until live Graph reads land.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| operation | No | Filter to a specific Unified Audit Log operation (e.g., "MailItemsAccessed"). | |
| since_hours | No | Lookback window in hours (default: 24, max: 720). | 24 |
| ms_tenant_id | Yes | Microsoft Entra tenant ID (GUID or domain). | |
| user_principal_name | No | Filter to a specific user (UPN). Omit for all users. | |
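
A client-side wrapper for the schema and response flags above, as an added example rather than code from the tool's own project. The function names `build_args`, `classify_response` and `usable_as_evidence` are hypothetical, and the lower bound of 1 hour for `since_hours` is an assumption (the page states only the maximum).

```python
import re

MAX_SINCE_HOURS = 720  # documented maximum lookback

_GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
_DOMAIN = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)


def build_args(ms_tenant_id, operation=None, user_principal_name=None, since_hours=None):
    """Validate and assemble query_ual arguments before sending them."""
    if not (_GUID.match(ms_tenant_id) or _DOMAIN.match(ms_tenant_id)):
        raise ValueError("ms_tenant_id must be a GUID or a domain")
    args = {"ms_tenant_id": ms_tenant_id}
    if since_hours is not None:
        # Assumption: at least 1 hour; bool is rejected because it is an int subclass.
        is_int = isinstance(since_hours, int) and not isinstance(since_hours, bool)
        if not is_int or not 1 <= since_hours <= MAX_SINCE_HOURS:
            raise ValueError("since_hours must be an integer from 1 to 720")
        args["since_hours"] = since_hours
    if operation:
        args["operation"] = operation
    if user_principal_name:
        args["user_principal_name"] = user_principal_name
    return args


def classify_response(resp):
    """Return 'unprovisioned', 'representative' or 'live' for a query_ual result."""
    if resp.get("unprovisioned") is True:
        return "unprovisioned"   # m365Proxy binding absent: no audit data returned
    if resp.get("representative") is True:
        return "representative"  # sample data, not the tenant's real audit trail
    return "live"


def usable_as_evidence(resp):
    """Only live tenant data should feed an investigation timeline or report."""
    return classify_response(resp) == "live"
```

Gating on `usable_as_evidence` keeps sample records out of incident timelines and makes an unprovisioned binding visible as a distinct state instead of an empty result.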