defender-xdr/auditing.md (2 additions & 2 deletions)
@@ -17,7 +17,7 @@ ms.custom:
17
17
- cx-ti
18
18
- cx-dex
19
19
search.appverid: met150
20
-
ms.date: 10/30/2024
20
+
ms.date: 01/14/2025
21
21
---
22
22
23
23
# Auditing
@@ -28,7 +28,7 @@ ms.date: 10/30/2024
28
28
29
29
As a tenant administrator, you can use Microsoft Purview to search the audit logs for the times Microsoft Defender Experts signed into your tenant and the actions they did there to perform their investigations. You can also search the audit logs for the changes done by your tenant administrators to the Defender Experts settings.
30
30
31
-
[Audit (Standard)](/microsoft-365/compliance/audit-solutions-overview)is turned on by default for all Microsoft Defender Experts for XDR customers when paid licenses are assigned to the tenant. If you have a trial license, work with your service delivery manager to turn on Audit if it isn't yet.
31
+
Auditing is automatically turned on in the Microsoft Defender portal. Features that are audited are logged in the audit log automatically. Auditing can also collect audit logs from GCC environments.
32
32
33
33
> [!NOTE]
34
34
> Make sure you have the right [permissions](/microsoft-365/compliance/audit-log-search#before-you-search-the-audit-log) to search for audit logs.
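Review bot: the replacement at new line 31 drops two things the old line carried: the link to the Audit (Standard) overview and the caveat that trial-license tenants have to ask their service delivery manager to turn Audit on. If the trial case still applies to Defender Experts for XDR customers, keep that sentence; if it no longer applies, the commit message should say so rather than silently removing it. The new sentence "Auditing can also collect audit logs from GCC environments" is also vague about which government cloud environments are meant; name them.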
defender-xdr/microsoft-xdr-auditing.md (22 additions & 30 deletions)
@@ -1,6 +1,6 @@
1
1
---
2
2
title: Search the audit log for events in Microsoft Defender XDR
3
-
description: Learn about the Microsoft Defender XDR activities that are logged in the Microsoft 365 audit log.
3
+
description: Learn how to use the audit log to search for Microsoft Defender XDR activities to help with investigation.
4
4
ms.service: defender-xdr
5
5
ms.author: diannegali
6
6
author: diannegali
@@ -10,21 +10,21 @@ audience: ITPro
10
10
ms.collection:
11
11
- m365-security
12
12
- tier3
13
-
ms.topic: overview
14
-
ms.date: 08/14/2024
13
+
ms.topic: how-to
14
+
ms.date: 01/14/2025
15
15
search.appverid: met150
16
+
appliesto:
17
+
- Microsoft Defender for Endpoint Plan 2
18
+
- Microsoft Defender XDR
19
+
20
+
#customer intent: As a SOC analyst, I want to learn how to use the audit log to search for Microsoft Defender XDR activities to help with investigation.
16
21
---
17
22
18
23
# Search the audit log for events in Microsoft Defender XDR
The audit log can help you investigate specific activities across Microsoft 365 services. In the Microsoft Defender portal, Microsoft Defender XDR and Microsoft Defender for Endpoint activities are audited. Some of the activities audited are:
27
+
The audit log helps you investigate specific activities across Microsoft 365 services. In the Microsoft Defender portal, Microsoft Defender XDR and Microsoft Defender for Endpoint activities are audited. Some of the activities audited are:
28
28
29
29
- Changes to data retention settings
30
30
- Changes to advanced features
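Review bot: the new `appliesto` block lists only Microsoft Defender for Endpoint Plan 2 and Microsoft Defender XDR, while the intro paragraph (new line 27) says Defender for Endpoint activities are audited in general; confirm that Plan 1 tenants do not get these audit entries, otherwise the list steers them away from a page that applies to them. The `#customer intent` line also repeats the new `description` almost word for word, which is fine if that is the house convention, but one of them could be shortened.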
@@ -36,33 +36,25 @@ The audit log can help you investigate specific activities across Microsoft 365
36
36
37
37
For a complete list of Microsoft Defender XDR activities that are audited, see [Microsoft Defender XDR activities](#microsoft-defender-xdr-activities) and [Microsoft Defender for Endpoint activities](#microsoft-defender-for-endpoint-activities).
38
38
39
-
## Requirements
39
+
Auditing is automatically turned on for Microsoft Defender XDR. Features that are audited are logged in the audit log automatically. Auditing can also collect audit logs from GCC environments.
40
+
41
+
## Prerequisites
40
42
41
43
To access the audit log, you need to have the **View-Only Audit Logs** or **Audit Logs** role in Exchange Online. By default, those roles are assigned to the Compliance Management and Organization Management role groups.
42
44
43
45
> [!NOTE]
44
46
> Global administrators in Office 365 and Microsoft 365 are automatically added as members of the Organization Management role group in Exchange Online.
45
47
46
-
## Turn on auditing in Microsoft Defender XDR
47
-
48
-
Microsoft Defender XDR uses the [Microsoft Purview auditing solution](/purview/audit-solutions-overview), before you can look at the audit data in the Microsoft Defender XDR portal:
49
-
50
-
- You should confirm that auditing is turned on in the Microsoft Purview compliance portal. For more information, see [Turn auditing on or off](/purview/audit-log-enable-disable).
51
-
52
-
- Follow the steps below to enable the unified audit log in the Microsoft Defender XDR portal:
53
-
1. Log in to [Microsoft Defender XDR](https://security.microsoft.com/homepage) using an account with the Security administrator or Global administrator role assigned.
54
-
2. In the navigation pane, select **Settings**\>**Endpoints**\>**Advanced features**.
55
-
3. Scroll own to **Unified audit log** and toggle the setting to **On**.
56
-
57
-
:::image type="content" source="/defender/media/defender/unified-audit-log.png" alt-text="Screenshot of the unified audit log toggle in Microsoft Defender XDR advanced settings" lightbox="/defender/media/defender/unified-audit-log.png":::
58
-
4. Select **Save preferences**.
48
+
Microsoft Defender XDR uses the [Microsoft Purview auditing solution](/purview/audit-solutions-overview). Before you can look at the audit data in the Microsoft Defender portal, you need to turn on auditing in the Microsoft Purview compliance portal. For more information, see [Turn auditing on or off](/purview/audit-log-enable-disable).
59
49
60
50
> [!IMPORTANT]
61
-
> Global Administrator is a highly privileged role that should be limited to scenarios when you can't use an existing role. Microsoft recommends that you use roles with the fewest permissions. Using lower permissioned accounts helps improve security for your organization.
51
+
> Global Administrator is a highly privileged role that should be limited to scenarios when you can't use an existing role. Microsoft recommends that you use roles with the fewest permissions. Using accounts with lower permissions helps improve security for your organization.
62
52
63
-
## Using the audit search in Microsoft Defender XDR
53
+
## Search the audit log
64
54
65
-
1. To retrieve audit logs for Microsoft Defender XDR activities, navigate to the [Microsoft Defender XDR Audit page](https://security.microsoft.com/auditlogsearch) or go to the [Purview compliance portal](https://compliance.microsoft.com) and select **Audit**.
55
+
Follow these steps to search the audit log:
56
+
57
+
1. Navigate to the [Microsoft Defender portal's Audit page](https://security.microsoft.com/auditlogsearch) or go to the [Purview compliance portal](https://compliance.microsoft.com) and select **Audit**.
66
58
67
59
:::image type="content" source="/defender/media/defender/unified-audit-log-xdr.png" alt-text="Screenshot of the unified audit log page in Microsoft Defender XDR " lightbox="/defender/media/defender/unified-audit-log-xdr.png":::
68
60
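Review bot: new line 39 states that auditing is automatically turned on for Microsoft Defender XDR, while new line 48 says you need to turn on auditing in the Microsoft Purview compliance portal before you can look at the audit data; one of these is wrong as written, and a reader who trusts line 39 will skip the step in line 48. Suggest rewording line 48 to "confirm that auditing is turned on" (the wording of the removed bullet) or dropping line 39. Two follow-on issues: the adjacent "Requirements" and "Prerequisites" headings now cover the same ground and should be merged, and the IMPORTANT note about Global Administrator was attached to the removed step 1 ("using an account with the Security administrator or Global administrator role assigned"), so it now sits under a paragraph that never mentions that role; either keep a sentence naming the role needed or move the note next to the role guidance under Prerequisites. If the Unified audit log toggle under **Settings** > **Endpoints** > **Advanced features** still exists, removing those steps and the screenshot also leaves no place that tells admins where the toggle is.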
@@ -94,7 +86,7 @@ For a list of all events that are logged for user and admin activities in Micros
94
86
-[Response action activities in Defender for Endpoint in the audit log](/purview/audit-log-activities#microsoft-defender-for-endpoint-reponse-actions-activities)
95
87
-[Roles settings activities in Defender for Endpoint in the audit log](/purview/audit-log-activities#microsoft-defender-for-endpoint-roles-settings-activities)
96
88
97
-
## Using a PowerShell script
89
+
## Search for events using a PowerShell script
98
90
99
91
You can use the following PowerShell code snippet to query the Office 365 Management API to retrieve information about Microsoft Defender XDR events:
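Review bot: the unchanged context line 86 links to the anchor `#microsoft-defender-for-endpoint-reponse-actions-activities`, with "reponse" misspelled; Markdown anchors are generated from the target heading text, so confirm it still matches the heading in /purview/audit-log-activities before this ships, and fix both if the target was corrected. The renamed heading "Search for events using a PowerShell script" is fine, but the paragraph under it still says "Office 365 Management API" while the rest of the page now says "Microsoft Defender portal"; align the product naming while you are in this file.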