Search the audit log for events in Microsoft Defender XDR

The audit log helps you investigate specific activities across Microsoft 365 services. In the Microsoft Defender portal, Microsoft Defender XDR and Microsoft Defender for Endpoint activities are audited. Some of the activities audited are:

  • Changes to data retention settings
  • Changes to advanced features
  • Creation of indicators of compromise
  • Isolation of devices
  • Addition, editing, or deletion of security roles
  • Creation or editing of custom detection rules
  • Assignment of a user to an incident

For a complete list of Microsoft Defender XDR activities that are audited, see Microsoft Defender XDR activities and Microsoft Defender for Endpoint activities.

Auditing is automatically turned on for Microsoft Defender XDR. Features that are audited are logged in the audit log automatically. Auditing can also collect audit logs from GCC environments.

Prerequisites

To access the audit log, you need to have the View-Only Audit Logs or Audit Logs role in Exchange Online. By default, those roles are assigned to the Compliance Management and Organization Management role groups.

Note

Global administrators in Office 365 and Microsoft 365 are automatically added as members of the Organization Management role group in Exchange Online.

Microsoft Defender XDR uses the Microsoft Purview auditing solution. Before you can look at the audit data in the Microsoft Defender portal, you need to turn on auditing in the Microsoft Purview compliance portal. For more information, see Turn auditing on or off.

Important

Global Administrator is a highly privileged role that should be limited to scenarios when you can't use an existing role. Microsoft recommends that you use roles with the fewest permissions. Using accounts with lower permissions helps improve security for your organization.
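As an added example (not code from this page), the following PowerShell verifies the two prerequisites from the section above before you start searching: that unified audit logging is turned on for the tenant, and that the signed-in account actually holds an audit role. It assumes the ExchangeOnlineManagement module is installed; the user principal name is a parameter you supply.

```powershell
# Added example, not code from the Microsoft Learn page.
# Assumes the ExchangeOnlineManagement module is installed:
#   Install-Module ExchangeOnlineManagement -Scope CurrentUser
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName   # account used to sign in
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $UserPrincipalName -ShowBanner:$false

# Check 1: is unified audit log ingestion enabled for the tenant?
# If not, nothing is written to the audit log and every search comes back empty.
$auditConfig = Get-AdminAuditLogConfig
if ($auditConfig.UnifiedAuditLogIngestionEnabled) {
    Write-Host "Unified audit logging is ON."
} else {
    Write-Warning "Unified audit logging is OFF. Turn it on in the Purview compliance portal before searching."
}

# Check 2: does this account hold an audit role?
# Exchange Online PowerShell only loads the cmdlets the signed-in account is
# authorised to run, so Search-UnifiedAuditLog being absent means neither
# 'Audit Logs' nor 'View-Only Audit Logs' is assigned, directly or via a role group.
if (Get-Command Search-UnifiedAuditLog -ErrorAction SilentlyContinue) {
    Write-Host "Search-UnifiedAuditLog is available: the account holds an audit role."
} else {
    Write-Warning "Search-UnifiedAuditLog is not available. Add the account to the Compliance Management or Organization Management role group, or assign the 'View-Only Audit Logs' role."
}

# For reference, list who holds each audit role and through which assignment
# (requires a role that can read RBAC configuration).
foreach ($role in 'View-Only Audit Logs', 'Audit Logs') {
    Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers |
        Select-Object @{ n = 'Role'; e = { $role } }, RoleAssigneeName, EffectiveUserName
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it as `.\Check-AuditPrerequisites.ps1 -UserPrincipalName admin@contoso.example` (a constructed name). The cmdlet-availability test is the decisive one: if Search-UnifiedAuditLog does not load, the portal search will fail for the same reason.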

Search the audit log

Follow these steps to search the audit log:

  1. Navigate to the Microsoft Defender portal's Audit page or go to the Purview compliance portal and select Audit.

    Screenshot of the unified audit log page in Microsoft Defender XDR

  2. On the New Search page, filter the activities, dates, and users you want to audit.

  3. Select Search.

    Screenshot of the unified audit log search options in Microsoft Defender XDR

  4. Export your results to Excel for further analysis.

For step-by-step instructions, see Search the audit log in the compliance portal.

Audit log record retention is based on Microsoft Purview retention policies. For more information, see Manage audit log retention policies.

Microsoft Defender XDR activities

For a list of all events that are logged for user and admin activities in Microsoft Defender XDR in the Microsoft 365 audit log, see:

Microsoft Defender for Endpoint activities

For a list of all events that are logged for user and admin activities in Microsoft Defender for Endpoint in the Microsoft 365 audit log, see:

Search for events using a PowerShell script

You can use the following PowerShell code snippet to query the Office 365 Management API to retrieve information about Microsoft Defender XDR events:

# Prompt for the credentials of an account that holds an audit log role.
$cred = Get-Credential
# Open a remote PowerShell session to Exchange Online. Note: Basic authentication
# against this endpoint has since been retired by Microsoft; Connect-ExchangeOnline
# from the ExchangeOnlineManagement module is the supported replacement.
$s = New-PSSession -ConfigurationName microsoft.exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $s
# Replace <ID> with the record type value from the API column in "Audit activities included".
Search-UnifiedAuditLog -StartDate 2023/03/12 -EndDate 2023/03/20 -RecordType <ID>

Note

See the API column in Audit activities included for the record type values.

For more information, see Use a PowerShell script to search the audit log.
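As an added example (not the page's own snippet), the script below goes beyond the one-line search above: it signs in with the ExchangeOnlineManagement module, pages through every record in the date window (Search-UnifiedAuditLog returns at most 5000 per call), expands the JSON in AuditData, and exports the result to CSV for analysis. It assumes the module is installed and the account holds an audit role; $RecordType is the value you take from the API column of "Audit activities included" and is left as a parameter rather than supplied here.

```powershell
# Added example, not the script from the Microsoft Learn page. Assumes the
# ExchangeOnlineManagement module is installed and the signed-in account holds the
# 'Audit Logs' or 'View-Only Audit Logs' role. $RecordType is the value from the
# API column of "Audit activities included" (a placeholder here, not supplied).
param(
    [Parameter(Mandatory)] [string]   $UserPrincipalName,
    [Parameter(Mandatory)] [string]   $RecordType,
    [datetime] $StartDate = (Get-Date).AddDays(-7),
    [datetime] $EndDate   = (Get-Date),
    [string]   $OutFile   = ".\defender-audit-events.csv"
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $UserPrincipalName -ShowBanner:$false

# Search-UnifiedAuditLog returns at most 5000 records per call. Binding the calls to
# one session ID with ReturnLargeSet pages through the whole window; ResultCount on
# every record carries the total for the query, so the loop stops once all are in.
$sessionId = "defender-audit-" + [guid]::NewGuid().ToString()
$records   = New-Object System.Collections.Generic.List[object]
do {
    $page = @(Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
                -RecordType $RecordType -SessionId $sessionId `
                -SessionCommand ReturnLargeSet -ResultSize 5000)
    if ($page.Count -gt 0) { $records.AddRange($page) }
} while ($page.Count -gt 0 -and $records.Count -lt $page[0].ResultCount)

# AuditData is a JSON string; expand the common-schema fields an investigator
# reaches for first and keep the raw JSON alongside them.
$events = foreach ($rec in $records) {
    $data = $rec.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        CreationDate = $rec.CreationDate
        RecordType   = $rec.RecordType
        Operation    = $rec.Operations
        User         = $rec.UserIds
        ClientIP     = $data.ClientIP
        ObjectId     = $data.ObjectId
        ResultStatus = $data.ResultStatus
        AuditData    = $rec.AuditData
    }
}

# Export for further analysis (the same goal as step 4 of the portal search) and
# print a per-operation count so unexpected activity stands out at a glance.
$events | Sort-Object CreationDate | Export-Csv -Path $OutFile -NoTypeInformation
$events | Group-Object Operation | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Keeping the raw AuditData column in the CSV matters for investigations: the expanded fields are the common ones, but the Defender-specific detail (which device was isolated, which rule was edited) sits in the remaining JSON properties, which vary by operation.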

See also