Auditing
As a tenant administrator, you can use Microsoft Purview to search the audit logs for the times Microsoft Defender Experts signed in to your tenant and the actions they performed there during their investigations. You can also search the audit logs for changes your tenant administrators made to the Defender Experts settings.
Audit (Standard) is turned on by default for all Microsoft Defender Experts for XDR customers when paid licenses are assigned to the tenant. If you have a trial license, work with your service delivery manager to turn on Audit if it isn't already on.
Note
Make sure you have the right permissions to search for audit logs.
Search the audit logs for actions performed by Defender Experts
- Sign in to the Microsoft Purview compliance portal to use Audit New Search.
- Provide a Date and time range (UTC).
- Select the Workload and Record type from the list shown in the following table to further narrow your search.
- Select Search to list the audit logs related to actions taken by our experts in your tenant.
Action performed by Defender Experts | Workload | Record type |
---|---|---|
Sign into customer tenant | AzureActiveDirectory | AzureActiveDirectoryStsLogon |
Make changes to incidents in Microsoft Defender portal | Microsoft365Defender | MS365Dincident |
Make changes to alert suppression rules in Microsoft Defender portal | Microsoft365Defender | MS365DSuppressionRule |
Make changes to indicators in Microsoft Defender for Endpoint | MicrosoftDefenderForEndpoint | MSDEIndicatorsSettings |
Perform device remediation actions in Microsoft Defender for Endpoint | MicrosoftDefenderForEndpoint | MSDEResponseActions |
Search the audit logs for actions performed by your administrators in the Defender Experts settings
- Sign in to the Microsoft Purview compliance portal to use Audit New Search.
- Provide a Date and time range (UTC).
- Under Workload, choose MicrosoftDefenderExperts.
- Select Search to list the audit logs related to actions taken by your tenant administrators to the Defender Experts settings.
Search the audit logs using a PowerShell script
In addition to using Audit New Search in the Microsoft Purview compliance portal, you can use PowerShell cmdlets to search for audit logs. Learn more.
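The following script is an added example, not taken from the original page or from Microsoft's own scripts. It runs the record-type search from the table above with the `Search-UnifiedAuditLog` cmdlet. It assumes the ExchangeOnlineManagement module is installed; the 7-day window and the output file name are also assumptions.

```powershell
# Added example (not from the original page). Requires the ExchangeOnlineManagement
# module and an account with permission to search the audit log.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Record types copied from the table on this page.
$recordTypes = @(
    'AzureActiveDirectoryStsLogon',
    'MS365Dincident',
    'MS365DSuppressionRule',
    'MSDEIndicatorsSettings',
    'MSDEResponseActions'
)

# Assumed search window: the last 7 days, expressed in UTC like the portal search.
$end   = (Get-Date).ToUniversalTime()
$start = $end.AddDays(-7)

$results = foreach ($type in $recordTypes) {
    # One session per record type so paging state is not mixed between searches.
    $sessionId = "DefenderExpertsAudit-$type-$([guid]::NewGuid())"
    do {
        # Repeating the call with the same SessionId returns the next page;
        # an empty page means the result set is exhausted.
        $page = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end `
            -RecordType $type -SessionId $sessionId `
            -SessionCommand ReturnLargeSet -ResultSize 5000)
        foreach ($record in $page) {
            # AuditData is a JSON string; parse it to expose the Workload field.
            $data = $record.AuditData | ConvertFrom-Json
            [pscustomobject]@{
                CreationDateUtc = $record.CreationDate
                RecordType      = $record.RecordType
                Workload        = $data.Workload
                Operation       = $record.Operations
                UserId          = $record.UserIds
                AuditData       = $record.AuditData
            }
        }
    } while ($page.Count -gt 0)
}

# Assumed output file name; review it for sign-ins and changes you did not expect.
$results | Sort-Object CreationDateUtc |
    Export-Csv -Path .\DefenderExpertsAudit.csv -NoTypeInformation

Disconnect-ExchangeOnline -Confirm:$false
```

The `Workload` column in the output can be filtered for `MicrosoftDefenderExperts` when reviewing changes your administrators made to the Defender Experts settings.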
See also
Important considerations for Microsoft Defender Experts for XDR