query_ual
ActiveTool of com.blackveilsecurity/dns
Query the Microsoft 365 Unified Audit Log for a tenant. Optionally filter by operation type, user, or lookback window. Requires m365Proxy service binding; returns { unprovisioned: true } when absent. A `representative: true` field in the response marks sample (non-live) data until live Graph reads land.
Parameters schema
{
"type": "object",
"required": [
"ms_tenant_id"
],
"properties": {
"operation": {
"type": "string",
"maxLength": 200,
"description": "Filter to a specific Unified Audit Log operation (e.g., \"MailItemsAccessed\")."
},
"since_hours": {
"type": "integer",
"maximum": 720,
"minimum": 1,
"description": "Lookback window in hours (default: 24, max: 720)."
},
"ms_tenant_id": {
"type": "string",
"maxLength": 200,
"minLength": 1,
"description": "Microsoft Entra tenant ID (GUID or domain)."
},
"user_principal_name": {
"type": "string",
"maxLength": 254,
"description": "Filter to a specific user (UPN). Omit for all users."
}
}
}No endpoints wrapped at confidence ≥ 0.50.
Parent server
com.blackveilsecurity/dns
https://github.com/MadaBurns/bv-mcp
2/7 registries