A security analyst needs to query Microsoft 365 audit logs to find all activities where a user deleted a file from SharePoint Online in the last 24 hours. Which tool should they use?
Correct answer: Microsoft Purview compliance portal audit search, which provides native audit log search capabilities.
Why this answer
Microsoft Purview compliance portal audit search is the correct tool because it provides a dedicated, searchable interface for querying the Microsoft 365 unified audit log. That log records user and admin activity across Microsoft 365 workloads, including SharePoint Online file deletions (the FileDeleted and FileRecycled operations, plus the first- and second-stage recycle-bin purge operations), and the search supports date range, activity, user and site filters, so "file deletions in the last 24 hours" is a direct query. Audit search is part of the Audit (Standard) capability included in most Microsoft 365 enterprise subscriptions and needs no scripting, which makes it the purpose-built choice for a one-off compliance or security investigation. One practical caveat: SharePoint events are not written to the unified audit log instantly and can take several hours to appear, so a search run exactly at the 24-hour mark should be rerun later or widened to catch late-arriving records.
Exam trap
The trap here is confusing Microsoft Sentinel (a SIEM) with an audit log search tool. Sentinel can query Microsoft 365 audit data in its OfficeActivity table, but only after the Microsoft 365 data connector has been set up, and it is built for detection and correlation across many sources rather than for a direct, ad-hoc query of the unified audit log.
How to eliminate wrong answers
Option A is wrong because Microsoft Sentinel is a cloud-native SIEM that ingests audit logs from many sources, but it needs a Log Analytics workspace and the Microsoft 365 data connector configured before the OfficeActivity table can be queried; it is not the direct tool for a simple audit log lookup. Option C is wrong because the cmdlet that searches the unified audit log, Search-UnifiedAuditLog, belongs to the Exchange Online PowerShell module (ExchangeOnlineManagement), not to Microsoft Graph PowerShell; either way, a PowerShell route requires module installation and scripting, which is less straightforward than the Purview portal for a one-off query. Option D is wrong because Microsoft Defender for Cloud Apps focuses on cloud app discovery, session controls and anomaly detection; its activity log does surface Microsoft 365 events once the Office 365 app connector is enabled, but it is not the unified audit log search itself and is not the tool for a historical file deletion query.
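For readers who do want the scripted alternative the elimination above refers to, the following is an added example, not code from the original page or from Microsoft, showing the same 24-hour SharePoint file deletion query run through the Exchange Online PowerShell cmdlet Search-UnifiedAuditLog. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds an Exchange Online role with audit log read permission (for example View-Only Audit Logs); the session ID string and the output CSV name are arbitrary choices made for this example.

```powershell
# Added example (not from the original page): PowerShell equivalent of the
# Purview audit search for SharePoint Online file deletions in the last 24 hours.
# Search-UnifiedAuditLog is an Exchange Online cmdlet (ExchangeOnlineManagement
# module), not a Microsoft Graph PowerShell cmdlet.
# Install-Module ExchangeOnlineManagement -Scope CurrentUser   # one-time setup (assumed)
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in; account needs audit log read rights (assumed)

$end   = (Get-Date).ToUniversalTime()
$start = $end.AddHours(-24)

# SharePoint deletion-related operations: FileDeleted is a delete from a library,
# FileRecycled a move to the recycle bin, and the two recycle-bin operations are
# purges from the first- and second-stage bins.
$ops = 'FileDeleted', 'FileRecycled',
       'FileDeletedFirstStageRecycleBin', 'FileDeletedSecondStageRecycleBin'

# A single call returns at most 5000 records, so page through a named session
# with ReturnLargeSet until the cmdlet returns nothing. The session ID is an
# arbitrary unique string chosen for this example.
$sessionId = "sp-deletes-$([guid]::NewGuid())"
$records   = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType SharePointFileOperation -Operations $ops `
        -ResultSize 5000 -SessionId $sessionId -SessionCommand ReturnLargeSet
    if ($page) { $records += $page }
} while ($page)

# ReturnLargeSet can hand back the same record twice across pages; dedupe on Identity.
$records = $records | Sort-Object Identity -Unique

# AuditData is a JSON string; expand the fields an analyst actually wants and keep
# only the SharePoint workload (the same RecordType also covers OneDrive deletions).
$events = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    if ($d.Workload -ne 'SharePoint') { continue }
    [pscustomobject]@{
        Time      = [datetime]$d.CreationTime
        User      = $d.UserId
        Operation = $d.Operation
        Site      = $d.SiteUrl
        Folder    = $d.SourceRelativeUrl
        File      = $d.SourceFileName
        ClientIP  = $d.ClientIP
    }
}

$events | Sort-Object Time -Descending | Format-Table -AutoSize
# CSV name is an arbitrary choice for this example.
$events | Export-Csv -Path ".\sharepoint-deletions-$($start.ToString('yyyyMMddHHmm')).csv" -NoTypeInformation

Disconnect-ExchangeOnline -Confirm:$false
```

Two points worth knowing before relying on the output: ReturnLargeSet returns records unsorted, which is why the script sorts after collection, and SharePoint events can lag the unified audit log by several hours, so a run at exactly the 24-hour mark should be repeated later or given a wider window. The Purview portal search applies the same filters without any of this scripting, which is why it remains the expected answer for a one-off query.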