Azure Audit Logging Analysis

Note that this requires the customer to have the Unified Audit Logging feature enabled. 

This is enabled by default on tenants created after 2020; for those created before 2020 you need to enable it.

  1. Log in as a Global Administrator (GA) – NB: this is not available via the Partner Centre
  2. Open the Compliance Centre / Purview – https://compliance.microsoft.com/homepage
  3. Solutions -> Audit
    If you see a blue bar that says “click here to enable unified audit logging” the feature is not enabled. Enable it now; without it you won’t be able to do any further analysis. 
  4. Create a search for the specific user and timeframe you are interested in. Use the sign in logs for the user to determine the initial attack time.
    Note that these times are in UTC, so you need to subtract at least 10 hours; I normally do 12-18.
  5. Download the resulting CSV file. 

This CSV file will contain 4 columns – the one you are mostly interested in is the AuditData column; however this is stored in JSON format. 

  1. Easiest way of handling this is to turn the data into a table. Select all of your data then Home -> Format as Table
  2. Open PowerQuery with Data -> From Table/Range
  3. Highlight the AuditData column 
  4. Transform -> Parse -> As JSON
    The column will now show “Record” instead of text data
    Expand the AuditData column using the <-> arrows in the header
  5. Repeat for any other columns that have a “List” or “Record”
  6. Return to Excel with Home -> Close & Load
  7. Create a Pivot Table: Table Design -> Summarise with Pivot Table
  8. Add “Operation” to “Rows” and Values
    You should now have a table that looks like the following
  9. Particular items of interest are New-InboxRule, Create (this is new emails) and any Hard Deletes.
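The same parse-and-pivot steps done in a script, as an added example that is not part of the original post: it reads a constructed sample export (the four column names are assumed from a typical Unified Audit Log download), expands the AuditData JSON the way PowerQuery’s Parse -> As JSON does, counts rows per Operation, and converts the UTC CreationDate to a local offset (assumed +10 hours here).

```python
import csv
import io
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Operations the procedure above singles out for closer review.
OPERATIONS_OF_INTEREST = {"New-InboxRule", "Create", "HardDelete"}

# Constructed sample export (not real tenant data). Column names are assumed
# from a typical download; AuditData carries one JSON document per row.
SAMPLE_CSV = """CreationDate,UserIds,Operations,AuditData
2024-03-04T01:15:22.0000000Z,user@example.com,UserLoggedIn,"{""Operation"":""UserLoggedIn"",""ClientIP"":""203.0.113.10""}"
2024-03-04T01:20:05.0000000Z,user@example.com,New-InboxRule,"{""Operation"":""New-InboxRule"",""Parameters"":[{""Name"":""Name"",""Value"":"".""},{""Name"":""DeleteMessage"",""Value"":""True""}]}"
2024-03-04T01:22:41.0000000Z,user@example.com,Create,"{""Operation"":""Create"",""Item"":{""Subject"":""Invoice""}}"
2024-03-04T01:25:09.0000000Z,user@example.com,HardDelete,"{""Operation"":""HardDelete"",""AffectedItems"":[{""Subject"":""Invoice""}]}"
"""


def parse_export(csv_text: str) -> list[dict]:
    """Read the CSV and expand each row's AuditData JSON into AuditData.* keys."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        audit = json.loads(row["AuditData"])  # the Parse -> As JSON step
        rows.append({**row, **{f"AuditData.{k}": v for k, v in audit.items()}})
    return rows


def to_local(creation_date: str, utc_offset_hours: int) -> datetime:
    """Convert the export's UTC timestamp to a fixed local offset."""
    ts = datetime.strptime(creation_date[:19], "%Y-%m-%dT%H:%M:%S")
    return ts.replace(tzinfo=timezone.utc).astimezone(timezone(timedelta(hours=utc_offset_hours)))


def operation_counts(rows: list[dict]) -> Counter:
    """The pivot table: number of rows per Operation."""
    return Counter(r["AuditData.Operation"] for r in rows)


def flag_rows(rows: list[dict], utc_offset_hours: int = 10) -> list[str]:
    """One line per row whose Operation is of interest, stamped in local time."""
    flagged = []
    for r in rows:
        op = r["AuditData.Operation"]
        if op in OPERATIONS_OF_INTEREST:
            local = to_local(r["CreationDate"], utc_offset_hours).strftime("%Y-%m-%d %H:%M")
            flagged.append(f"{local} {r['UserIds']} {op}")
    return flagged


if __name__ == "__main__":
    parsed = parse_export(SAMPLE_CSV)
    print(operation_counts(parsed))
    print("\n".join(flag_rows(parsed)))
```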