Uredi

Deli z drugimi prek


Auditing

Applies to:

As a tenant administrator, you can use Microsoft Purview to search the audit logs for the times Microsoft Defender Experts signed into your tenant and the actions they did there to perform their investigations. You can also search the audit logs for the changes done by your tenant administrators to the Defender Experts settings.

Audit (Standard) is turned on by default for all Microsoft Defender Experts for XDR customers when paid licenses are assigned to the tenant. If you have a trial license, work with your service delivery manager to turn on Audit if it isn't yet.

Note

Make sure you have the right permissions to search for audit logs.

Search the audit logs for actions performed by Defender Experts

  1. Sign into the Microsoft Purview compliance portal to use Audit New Search.
  2. Provide a Date and time range (UTC).
  3. Select the Workload and Record type from the list shown in the following table to further narrow your search.
  4. Select Search to list the audit logs related to actions taken by our experts in your tenant.

Partial screenshot of Microsoft Purview compliance portal Defender New search page.

Action performed by Defender Experts Workload Record type
Sign into customer tenant AzureActiveDirectory AzureActiveDirectoryStsLogon
Make changes to incidents in Microsoft Defender portal Microsoft365Defender MS365Dincident
Make changes to alert suppression rules in Microsoft Defender portal Microsoft365Defender MS365DSuppressionRule
Make changes to indicators in Microsoft Defender for Endpoint MicrosoftDefenderForEndpoint MSDEIndicatorsSettings
Perform device remediation actions in Microsoft Defender for Endpoint MicrosoftDefenderForEndpoint MSDEResponseActions

Partial screenshot of a sample audit log related to Defender Experts.

Search the audit logs for actions performed by your administrators in the Defender Experts settings

  1. Sign into the Microsoft Purview compliance portal to use Audit New Search.
  2. Provide a Date and time range (UTC).
  3. Under Workload, choose MicrosoftDefenderExperts.
  4. Select Search to list the audit logs related to actions taken by your tenant administrators to the Defender Experts settings.

Partial screenshot of Microsoft Purview compliance portal Defender New search page showing the Workload field selected to MicrosoftDefenderExperts.

Search the audit logs using a PowerShell script

In addition to using Audit New Search in the Microsoft Purview compliance portal, you can use PowerShell cmdlets to search for audit logs. Learn more.

See also

Important considerations for Microsoft Defender Experts for XDR

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender XDR Tech Community.