Audit Log Assurance Procedure

This admin procedure provides background on the auditing processes that need to take place within each section of the Azure environment.

This article is intended for employees of organizations that use Sittadel's security. Some of the actions described can only be performed by those with administrative privileges.

Procedure Scope: Administrators

Required Group Membership: Admin.Compliance


Azure Active Directory

  1. We will start with the important Active Directory logs that should be checked.
  2. Navigate to Sign-In Logs – Azure Active Directory and Audit Logs – Azure Active Directory; these house all of the events listed below.
User logon events.
  1.  In Sign-In Logs, all authentication attempts made within the last 24 hours will be displayed. Important filters can be applied and modified to aid in troubleshooting efforts or establish a chain of custody for specific users.
  2. The Date Filter can be modified to look back as far as a 30-day span, with the ability to select a custom date that falls within that timeframe. This can be important in determining account inactivity or seeing if a user had tried to access a resource.
  3. The Status Filter can be set to show only successful or only failed login attempts. Failed attempts are useful for login troubleshooting and for spotting access attempts against a compromised account; successful attempts are useful for finding resource access that should not have occurred.
  4. The User Filter narrows the results to the accounts within the scope of your search, weeding out unnecessary audits of other accounts.
  5. The Application Filter narrows the results to a specific application interface, such as Azure Portals, O365 Apps, etc.; this is useful for establishing chain of custody for resource access or modifications.
User account update events.
  1. In Audit Logs, all changes to the Azure Active Directory Tenant within the last 24 hours will be listed. Important filters can be applied and modified to aid in troubleshooting efforts or establish a chain of custody for specific users.
  2. The Date Filter can be modified to look back as far as a 30-day span, with the ability to select a custom date that falls within that timeframe. This can be important in determining account inactivity or seeing if a user had tried to access a resource.
  3. The Activity Filter can be modified to look for specific events; use its search bar to look for the Update User event.
  4. The Update User Filter lists all events associated with updating a property of a user account, for example updating the MFA token associated with an account session.
Role update events.
  1. In Audit Logs, all changes to the Azure Active Directory Tenant within the last 24 hours will be listed. Important filters can be applied and modified to aid in troubleshooting efforts or establish a chain of custody for specific users.
  2. The Date Filter can be modified to look back as far as a 30-day span, with the ability to select a custom date that falls within that timeframe. This can be important in determining account inactivity or seeing if a user had tried to access a resource.
  3. The Activity Filter can be modified to look for specific events; use its search bar to look for the Update Role event.
  4. The Update Role Filter lists all events that show any modification of a role assignment to a user or group inside the tenant.
  5. The Activity Filter can also be set, via the search bar, to the Update Role Definition event.
  6. The Update Role Definition Filter lists all events that show any modification of an existing role's permission assignment.
Group update events
  1. In Audit Logs, all changes to the Azure Active Directory Tenant within the last 24 hours will be listed. Important filters can be applied and modified to aid in troubleshooting efforts or establish a chain of custody for specific users.
  2. The Date Filter can be modified to look back as far as a 30-day span, with the ability to select a custom date that falls within that timeframe. This can be important in determining account inactivity or seeing if a user had tried to access a resource.
  3. The Activity Filter can be modified to look for specific events; use its search bar to look for the Update Group event.
  4. The Update Group Filter will list all events that show any modification of a group membership assignment or role adjustments.
Conditional access rule update events.
  1. In Audit Logs, all changes to the Azure Active Directory Tenant within the last 24 hours will be listed. Important filters can be applied and modified to aid in troubleshooting efforts or establish a chain of custody for specific users.
  2. The Date Filter can be modified to look back as far as a 30-day span, with the ability to select a custom date that falls within that timeframe. This can be important in determining account inactivity or seeing if a user had tried to access a resource.
  3. The Activity Filter can be modified to look for specific events; use its search bar to look for the Update Conditional Access Policy event.
  4. The Update Conditional Access Policy Filter will list all events that show any modification of a conditional access policy.
Self-service password reset events.
  1. In Audit Logs, all changes to the Azure Active Directory Tenant within the last 24 hours will be listed. Important filters can be applied and modified to aid in troubleshooting efforts or establish a chain of custody for specific users.
  2. The Date Filter can be modified to look back as far as a 30-day span, with the ability to select a custom date that falls within that timeframe. This can be important in determining account inactivity or seeing if a user had tried to access a resource.
  3. The Activity Filter can be modified to look for specific events; use its search bar to look for the Reset Password (Self-Service) event.
  4. The Reset Password (Self-Service) Filter lists all events of a registered user requesting and completing a self-service password reset.
Cross-tenant access update events.
  1. In Audit Logs, all changes to the Azure Active Directory Tenant within the last 24 hours will be listed. Important filters can be applied and modified to aid in troubleshooting efforts or establish a chain of custody for specific users.
  2. The Date Filter can be modified to look back as far as a 30-day span, with the ability to select a custom date that falls within that timeframe. This can be important in determining account inactivity or seeing if a user had tried to access a resource.
  3. The Activity Filter can be modified to look for specific events; use its search bar to look for the Update the Company Default Cross-Tenant Access Settings event.
  4. The Update Cross-Tenant Access Filter lists all events that show an adjustment to the collaboration types allowed or blocked inbound to or outbound from your organization.
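The Sign-In Logs and Audit Logs review above can be scripted so the same Date, Status, User and Activity filters are applied on a schedule instead of by hand. The following is an added example using the Microsoft Graph PowerShell SDK; it is not part of the original procedure or Sittadel's tooling, and it assumes the Microsoft.Graph.Reports module is installed, the signed-in account has the AuditLog.Read.All and Directory.Read.All permissions, and that the output file names and the failure-count threshold are arbitrary choices.

```powershell
<#
  Added example, not part of the original procedure or Sittadel's tooling:
  reproduces the Sign-In Logs and Audit Logs review above with the Microsoft
  Graph PowerShell SDK so it can be re-run on a schedule.
  Assumptions: the Microsoft.Graph.Reports module is installed, the signed-in
  account has AuditLog.Read.All and Directory.Read.All, and the output file
  names and the failure threshold below are arbitrary choices.
#>
param(
    [int]$Days = 30,             # Date Filter: the portal looks back at most 30 days
    [string]$UserPrincipalName   # User Filter: optional, restricts sign-ins to one account
)

Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All" -NoWelcome

$Days  = [Math]::Min($Days, 30)
$since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString("yyyy-MM-ddTHH:mm:ssZ")

# ---- Sign-In Logs ----
# Server-side filter on date (and user); the Status Filter is applied locally so the
# script does not depend on which OData operators the signIns endpoint accepts.
$signInFilter = "createdDateTime ge $since"
if ($UserPrincipalName) {
    $signInFilter += " and userPrincipalName eq '$UserPrincipalName'"
}
$signIns = Get-MgAuditLogSignIn -Filter $signInFilter -All

# Status Filter = failed attempts (errorCode 0 is a successful sign-in).
$failed = $signIns | Where-Object { $_.Status.ErrorCode -ne 0 }

$failed |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, IPAddress,
                  @{ n = 'ErrorCode';     e = { $_.Status.ErrorCode } },
                  @{ n = 'FailureReason'; e = { $_.Status.FailureReason } } |
    Sort-Object CreatedDateTime -Descending |
    Export-Csv -Path ".\aad-failed-signins.csv" -NoTypeInformation

# Accounts with repeated failures in the window are the ones to review first.
$failed |
    Group-Object UserPrincipalName |
    Where-Object { $_.Count -ge 10 } |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# ---- Audit Logs ----
# Activity Filter: the events the procedure names, matched by display name.
$ActivityNames = @(
    'Update user',
    'Update role',
    'Update role definition',
    'Update group',
    'Update conditional access policy',
    'Reset password (self-service)',
    'Update the company default cross-tenant access settings'
)
$pattern = '^(' + (($ActivityNames | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')$'

# Pull the window once and match locally; -match is case-insensitive, so the
# portal's display-name casing does not matter.
Get-MgAuditLogDirectoryAudit -Filter "activityDateTime ge $since" -All |
    Where-Object { $_.ActivityDisplayName -match $pattern } |
    Select-Object ActivityDateTime, ActivityDisplayName, Result,
        @{ n = 'Initiator'; e = {
            if ($_.InitiatedBy.User.UserPrincipalName) { $_.InitiatedBy.User.UserPrincipalName }
            else { $_.InitiatedBy.App.DisplayName } } },
        @{ n = 'Targets'; e = {
            ($_.TargetResources | ForEach-Object {
                if ($_.UserPrincipalName) { $_.UserPrincipalName } else { $_.DisplayName } }) -join '; ' } },
        @{ n = 'ModifiedProperties'; e = {
            ($_.TargetResources.ModifiedProperties | ForEach-Object {
                "$($_.DisplayName): $($_.OldValue) -> $($_.NewValue)" }) -join '; ' } } |
    Sort-Object ActivityDateTime -Descending |
    Export-Csv -Path ".\aad-directory-audits.csv" -NoTypeInformation

Disconnect-MgGraph | Out-Null
```

The two CSV files carry the same columns the portal views show (initiator, target, old and new values), so they can be attached to a chain-of-custody record for the review period.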


Microsoft Intune

  1. Next, we will look at the important Intune logs that should be checked.
  2. Navigate to Monitor Device Actions – Intune, Audit Logs – Intune, and Device Compliance Status Report – Intune; these house all of the events listed below.
Device action events.
  1. In Device Actions, every action taken on a device is listed, including wipes, retirements, password resets, remote locks, etc. The status of each action (complete, pending, failed, etc.) is listed along with the administrator who initiated it.
  2. You can narrow the list by action type or status using the Filter button; this is useful for tracking actions carried out on a user's device that may be malicious or invasive.
Configuration profile update events.
  1. In Audit Logs, select Filter. Under Category select DeviceConfiguration. Under Activity locate Patch DeviceConfiguration. Specify a time range that fits the requirements of your search. When all the filters are applied, a list of all configuration profile modifications is generated.
  2. The filtered list includes important details such as the administrator who initiated the modification and the configuration profile that was targeted; these values establish chain of custody and show which values were updated.
  3. In Audit Logs, select Filter. Under Category select DeviceConfiguration. Under Activity locate Patch DeviceConfiguration Assignment. Specify a time range that fits the requirements of your search. When all the filters are applied, a list of all configuration profile assignment additions or removals is generated.
  4. The filtered list includes important details such as the administrator who initiated the modification and the configuration profile that was targeted; these values establish chain of custody and show the new scope of users affected by the profile.
Compliance profile update events.
  1. In Audit Logs, select Filter. Under Category select Compliance. Under Activity locate Patch DeviceCompliancePolicy. Specify a time range that fits the requirements of your search. When all the filters are applied, a list of all compliance policy modifications is generated.
  2. The filtered list includes important details such as the administrator who initiated the modification and the compliance policy that was targeted; these values establish chain of custody and show which values were updated.
  3. In Audit Logs, select Filter. Under Category select DeviceConfiguration. Under Activity locate Patch DeviceCompliancePolicy Assignment. Specify a time range that fits the requirements of your search. When all the filters are applied, a list of all compliance policy assignment additions or removals is generated.
  4. The filtered list includes important details such as the administrator who initiated the modification and the compliance policy that was targeted; these values establish chain of custody and show the new scope of users affected by the policy.
Compliance status update events.
  1. In the Device Compliance Status Report, all registered and onboarded devices are listed; alongside the device details you will see each device's compliance status, which is either compliant with organizational policy or non-compliant.
  2. You can export this data and do additional hunting to remediate the non-compliant devices. To do so, navigate to Noncompliant Devices – Intune, which lists all the non-compliant devices in your organization.
  3. Click into one of the devices and locate the Device Compliance tab to see the specific policy that is failing for the device.
  4. When you select one of the policies, its individual settings are displayed along with whether the device has successfully applied each one. Use this to build a troubleshooting list that brings the device back into compliance, or, as a last resort once all other options have been exhausted, accept the device's risk and make it an exception in policy.

Application update events.
  1. In Audit Logs, select Filter. Under Category select Application. Under Activity locate Patch MobileApp. Specify a time range that fits the requirements of your search. When all the filters are applied, a list of all mobile app modifications is generated.
  2. The filtered list includes important details such as the administrator who initiated the modification and the application that was targeted; these values establish chain of custody and show which values were updated.
Mobile application protection update events.
  1. In Audit Logs, select Filter. Under Category select Application. Under Activity locate Patch MobileApp. Specify a time range that fits the requirements of your search. When all the filters are applied, a list of all app protection policy modifications is generated.
  2. The filtered list includes important details such as the administrator who initiated the modification and the app protection policy that was targeted; these values establish chain of custody and show which values were updated.


Microsoft Purview

  1. Then, we will look at the important Purview logs that should be checked.
  2. Navigate to Auditing – Purview; this houses all the events listed below.
SharePoint file events.
  1. In Auditing, select the Activities Filter; this lists all the activities that can be monitored through Purview. Most of these revolve around SharePoint, OneDrive, Planner, Teams, and Outlook, with a heavy focus on data transaction tracking.
  2. For the file events that can be monitored through SharePoint, select the following sections, which cover the modification of SharePoint files. You can use the search box to find these sections more easily.
    1. File and Page Activities; all settings.
    2. Sharing and Access Request Activities; Shared file, folder, or site, Unshared file, folder, or site.
    3. Synchronization Activities; all settings.
  3. Once the activities are configured, supply the search with a Date and Time Range; the search can go back as far as 90 days. Once all the prerequisites are filled in, select Search to begin pulling the logs from the Purview log database.
  4. The queued search takes some time to complete; once it has completed successfully, select the results. All events within the specified timeframe are displayed in descending date order, showing the user who initiated the event, the activity type, the name of the file accessed, and additional details such as the directory the file was in.
SharePoint folder events.
  1. In Auditing, select the Activities Filter; this lists all the activities that can be monitored through Purview. Most of these revolve around SharePoint, OneDrive, Planner, Teams, and Outlook, with a heavy focus on data transaction tracking.
  2. For the folder events that can be monitored through SharePoint, select the following sections, which cover the modification of SharePoint folders. You can use the search box to find these sections more easily.
    1. Folder Activities; all settings.
    2. Sharing and Access Request Activities; Shared file, folder, or site, Unshared file, folder, or site.
  3. Once the activities are configured, supply the search with a Date and Time Range; the search can go back as far as 90 days. Once all the prerequisites are filled in, select Search to begin pulling the logs from the Purview log database.
  4. The queued search takes some time to complete; once it has completed successfully, select the results. All events within the specified timeframe are displayed in descending date order, showing the user who initiated the event, the activity type, the name of the file accessed, and additional details such as the directory the file was in.
SharePoint sharing events.
  1. In Auditing, select the Activities Filter; this lists all the activities that can be monitored through Purview. Most of these revolve around SharePoint, OneDrive, Planner, Teams, and Outlook, with a heavy focus on data transaction tracking.
  2. For the sharing events that can be monitored through SharePoint, select the following sections, which cover changes to SharePoint sharing. You can use the search box to find these sections more easily.
    1. Sharing and Access Request Activities; all settings.
    2. Site Permission Activities; all settings.
    3. Site Administration Activities: Changed a Sharing Policy, Changed Device Access Policy, Deleted Site, Enabled Restricted OneDrive Access and Sharing, Disabled Restricted OneDrive Access and Sharing, Applied Restricted Access Control for Site, Removed Restricted Access Control for Site, Updated Restricted Access Control for Site.
  3. Once the activities are configured, supply the search with a Date and Time Range; the search can go back as far as 90 days. Once all the prerequisites are filled in, select Search to begin pulling the logs from the Purview log database.
  4. The queued search takes some time to complete; once it has completed successfully, select the results. All events within the specified timeframe are displayed in descending date order, showing the user who initiated the event, the activity type, the name of the file accessed, and additional details such as the directory the file was in.
Retention policy update events.
  1. In Auditing, select the Activities Filter; this lists all the activities that can be monitored through Purview. Most of these revolve around SharePoint, OneDrive, Planner, Teams, and Outlook, with a heavy focus on data transaction tracking.
  2. For retention policy events, select the following sections, which cover the modification of Retention Policies and Labels. You can use the search box to find these sections more easily.
    1. Retention Policy and Retention Label Activities; all settings.
    2. Microsoft Defender for Endpoint Settings Activities; all settings.
    3. Disposition Review Activities; all settings.
  3. Once the activities are configured, supply the search with a Date and Time Range; the search can go back as far as 90 days. Once all the prerequisites are filled in, select Search to begin pulling the logs from the Purview log database.
  4. The queued search takes some time to complete; once it has completed successfully, select the results. All events within the specified timeframe are displayed in descending date order, showing the user who initiated the event, the activity type, the name of the file accessed, and additional details such as the directory the file was in.
eDiscovery content search events.
  1. In Auditing, select the Activities Filter; this lists all the activities that can be monitored through Purview. Most of these revolve around SharePoint, OneDrive, Planner, Teams, and Outlook, with a heavy focus on data transaction tracking.
  2. For eDiscovery events, select the following section, which covers the creation of eDiscovery searches. You can use the search box to find this section more easily.
    1. eDiscovery Activities; all settings.
  3. Once the activities are configured, supply the search with a Date and Time Range; the search can go back as far as 90 days. Once all the prerequisites are filled in, select Search to begin pulling the logs from the Purview log database.
  4. The queued search takes some time to complete; once it has completed successfully, select the results. All events within the specified timeframe are displayed in descending date order, showing the user who initiated the event, the activity type, the name of the file accessed, and additional details such as the directory the file was in.
DLP policy update events.
  1. In Auditing, select the Activities Filter; this lists all the activities that can be monitored through Purview. Most of these revolve around SharePoint, OneDrive, Planner, Teams, and Outlook, with a heavy focus on data transaction tracking.
  2. For DLP policy events, select the following sections, which cover the modification of DLP Policies and Rules. You can use the search box to find these sections more easily.
    1. Information Protection and DLP Activities; Created DLP Rule, Updated DLP Rule, Deleted DLP Rule, Created DLP Policy, Updated DLP Policy, Deleted DLP Policy.
    2. Power Platform DLP Activities; all settings.
  3. Once the activities are configured, supply the search with a Date and Time Range; the search can go back as far as 90 days. Once all the prerequisites are filled in, select Search to begin pulling the logs from the Purview log database.
  4. The queued search takes some time to complete; once it has completed successfully, select the results. All events within the specified timeframe are displayed in descending date order, showing the user who initiated the event, the activity type, the name of the file accessed, and additional details such as the directory the file was in.
DLP alert generation events.
  1. In Auditing, select the Activities Filter; this lists all the activities that can be monitored through Purview. Most of these revolve around SharePoint, OneDrive, Planner, Teams, and Outlook, with a heavy focus on data transaction tracking.
  2. For DLP alert events, select the following section, which covers alerts generated by DLP enforcement. You can use the search box to find this section more easily.
    1. Information Protection and DLP Activities; Matched DLP Rule, Removed DLP Rule from Document.
  3. Once the activities are configured, supply the search with a Date and Time Range; the search can go back as far as 90 days. Once all the prerequisites are filled in, select Search to begin pulling the logs from the Purview log database.
  4. The queued search takes some time to complete; once it has completed successfully, select the results. All events within the specified timeframe are displayed in descending date order, showing the user who initiated the event, the activity type, the name of the file accessed, and additional details such as the directory the file was in.
File sensitivity label update events.
  1. In Auditing, select the Activities Filter; this lists all the activities that can be monitored through Purview. Most of these revolve around SharePoint, OneDrive, Planner, Teams, and Outlook, with a heavy focus on data transaction tracking.
  2. For file sensitivity label events, select the following sections, which cover the modification of Sensitivity Labels on files. You can use the search box to find these sections more easily.
    1. File and Page Activities; all settings.
    2. Sensitivity Label Activities: Applied Sensitivity Label to File, Changed Sensitivity Label to File, Removed Sensitivity Label to File.
    3. Azure Information Protection Activities; all settings.
    4. Purview Data Map Activities; all settings.
  3. Once the activities are configured, supply the search with a Date and Time Range; the search can go back as far as 90 days. Once all the prerequisites are filled in, select Search to begin pulling the logs from the Purview log database.
  4. The queued search takes some time to complete; once it has completed successfully, select the results. All events within the specified timeframe are displayed in descending date order, showing the user who initiated the event, the activity type, the name of the file accessed, and additional details such as the directory the file was in.
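The SharePoint sharing search described under "SharePoint sharing events" can also be run from Exchange Online PowerShell, which queries the same unified audit log the Purview search reads. The following is an added example, not part of the original procedure or Sittadel's tooling; it assumes the ExchangeOnlineManagement module is installed, the signed-in account is permitted to run Search-UnifiedAuditLog, and that the portal's "Shared file, folder, or site" and "Unshared file, folder, or site" activities correspond to the SharingSet and SharingRevoked operations (SharingInvitationCreated and AnonymousLinkCreated are included as the other common Sharing and Access Request activities). The AuditData field names used are assumed from SharePoint sharing records.

```powershell
<#
  Added example, not part of the original procedure or Sittadel's tooling:
  runs the SharePoint sharing audit search above with Search-UnifiedAuditLog
  and flags shares that go to guests or anonymous links, the cases a reviewer
  most needs to justify.
  Assumptions: ExchangeOnlineManagement module installed; the signed-in account
  may run Search-UnifiedAuditLog; the operation names and AuditData field names
  below are the ones the unified audit log uses for SharePoint sharing records.
#>
param([int]$Days = 90)   # Date and Time Range: the portal search goes back at most 90 days

Connect-ExchangeOnline -ShowBanner:$false

$Days  = [Math]::Min($Days, 90)
$end   = Get-Date
$start = $end.AddDays(-$Days)

# Portal activity -> unified audit log operation name
$Operations = @(
    'SharingSet',                 # Shared file, folder, or site
    'SharingRevoked',             # Unshared file, folder, or site
    'SharingInvitationCreated',   # Created sharing invitation
    'AnonymousLinkCreated'        # Created an anonymous link
)

# ReturnLargeSet pages results 5,000 at a time under one session id; keep
# calling until a page comes back empty (this is the queued search the portal waits on).
$sessionId = "sharing-review-$([guid]::NewGuid())"
$records   = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
                -RecordType SharePointSharingOperation -Operations $Operations `
                -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $records += $page }
} while ($page)

# Large-set paging can repeat records; Identity is unique per audit record.
$records = $records | Sort-Object Identity -Unique

# AuditData is a JSON string; expand the fields the procedure says to review
# (user, activity, file name, location) plus who the item was shared with.
$rows = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time       = $r.CreationDate
        User       = $r.UserIds
        Operation  = $r.Operations
        File       = $d.SourceFileName
        Path       = $d.ObjectId
        Site       = $d.SiteUrl
        SharedWith = $d.TargetUserOrGroupName
        TargetType = $d.TargetUserOrGroupType   # e.g. Member, Guest, SecurityGroup (assumed values)
        ClientIP   = $d.ClientIP
    }
}

$rows | Sort-Object Time -Descending |
    Export-Csv -Path ".\sharepoint-sharing-$Days-days.csv" -NoTypeInformation

# Review queue: anonymous links and shares to guest accounts leave the tenant boundary.
$rows | Where-Object {
        $_.Operation -eq 'AnonymousLinkCreated' -or $_.TargetType -eq 'Guest'
    } |
    Sort-Object Time -Descending |
    Format-Table Time, User, Operation, File, SharedWith, TargetType -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Records returned with ReturnLargeSet are not sorted by the service, which is why the script sorts on Time itself before export.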


Microsoft 365 Defender

  1. Lastly, we will look at the important Defender logs that should be checked.
  2. Navigate to Auditing – O365 Defender and Reports – O365 Defender; these house all the events listed below.
Defender incident generation events.
  1. In Auditing, select the Activities Filter; this list includes some O365 Defender events that can be tracked through Purview.
  2. For the incident events that can be monitored through O365 Defender, select the following section, which covers these activities. You can use the search box to find this section more easily.
    1. Microsoft 365 Defender Incident Activities; all settings.
  3. Once the activities are configured, supply the search with a Date and Time Range; the search can go back as far as 90 days. Once all the prerequisites are filled in, select Search to begin pulling the logs from the Purview log database.
  4. The queued search takes some time to complete; once it has completed successfully, select the results. All events within the specified timeframe are displayed in descending date order, showing the user who initiated the event, the activity type, the name of the file accessed, and additional details such as the directory the file was in.
Defender alert generation events.
  1. From the Reports section, select Threat Protection; this lists all the alerts generated in your organization.
  2. You are redirected to a view of the trend in alert generation events, broken down by the types of alerts generated by the different security controls, with a timeline of when they occurred and their quantities. This is useful for determining the types of threats attempting to exploit your organization and indicates where protective effort needs to be highest.
  3. Additional information on the status of alerts that have not yet been resolved in your organization is also listed, categorizing the types of threats behind the alerts, the security controls that detected them, and the severity level of the threats. This information helps determine risk for the organization and indicates to administration which remediation items should be prioritized to mitigate the risk associated with these vectors.
  4. Lastly, you can select Filters to narrow the scope of alert generation. Detection Source is the type of security control used to gather the information for the detected threat and to generate the alert for administration. Category is the type of threat that currently exists. Severity is the severity level of the alert, based on the threat detected. Classification is the status of the alert: true, false, or informational.
Quarantine alert generation events.
  1. In Auditing, select the Activities Filter; this list includes some O365 Defender events that can be tracked through Purview.
  2. For the quarantine message alert generation events that can be monitored through O365 Defender, select the following section, which covers these activities. You can use the search box to find this section more easily.
    1. Quarantine Activities: Request to Release Quarantined Message.
  3. Once the activities are configured, supply the search with a Date and Time Range; the search can go back as far as 90 days. Once all the prerequisites are filled in, select Search to begin pulling the logs from the Purview log database.
  4. The queued search takes some time to complete; once it has completed successfully, select the results. All events within the specified timeframe are displayed in descending date order, showing the user who initiated the event, the activity type, the name of the file accessed, and additional details such as the directory the file was in.
Quarantine message analysis events.
  1. In Auditing, select the Activities Filter; this list includes some O365 Defender events that can be tracked through Purview.
  2. For the quarantine message viewing events that can be monitored through O365 Defender, select the following section, which covers these activities. You can use the search box to find this section more easily.
    1. Quarantine Activities: Previewed Quarantine Message, Exported Quarantine Message, Viewed Quarantine Message Headers.
  3. Once the activities are configured, supply the search with a Date and Time Range; the search can go back as far as 90 days. Once all the prerequisites are filled in, select Search to begin pulling the logs from the Purview log database.
  4. The queued search takes some time to complete; once it has completed successfully, select the results. All events within the specified timeframe are displayed in descending date order, showing the user who initiated the event, the activity type, the name of the file accessed, and additional details such as the directory the file was in.
Quarantine message release events.
  1. In Auditing, select the Activities Filter; this list includes some O365 Defender events that can be tracked through Purview.
  2. For the quarantine message release events that can be monitored through O365 Defender, select the following section, which covers these activities. You can use the search box to find this section more easily.
    1. Quarantine Activities: Released Quarantine Message.
  3. Once the activities are configured, supply the search with a Date and Time Range; the search can go back as far as 90 days. Once all the prerequisites are filled in, select Search to begin pulling the logs from the Purview log database.
  4. The queued search takes some time to complete; once it has completed successfully, select the results. All events within the specified timeframe are displayed in descending date order, showing the user who initiated the event, the activity type, the name of the file accessed, and additional details such as the directory the file was in.
Email encrypted message action events.
  1. In Auditing, select the Activities Filter; this list includes some O365 Defender events that can be tracked through Purview.
  2. For the encrypted message portal events that can be monitored through O365 Defender, select the following section, which covers these activities. You can use the search box to find this section more easily.
    1. Encrypted Message Portal Activities: all settings.
  3. Once all the settings are configured, you will also need to supply the search with a Date and Time Range; this search can go back as far as 90 days. Once all the prerequisites are filled, select Search to start the pulling of all the logs from the Purview log database.
  4. You will have to wait some time for the queue search to be completed, once it is successfully completed you can select the results. All the events that have taken place between the timeframe specified will be displayed, they will be listed based in descending order of date showing the user that initiated the event, the activity type, the name of the file they accessed and any additional details such as the directory that the file existed in.
Vulnerability management action events.
  1. From the Reports section, select Vulnerable Devices; this lists the vulnerability findings generated across your organization.
  2. The report opens on a trend of vulnerable devices over time, showing when findings were registered, how many there were, and which operating system is most affected. This shows where exposure is concentrated and which platforms need the most protective effort.
  3. The report also summarises the vulnerabilities that remain unresolved in your organization: their severity level, whether an exploit is available, and the operating system details of the affected devices. Use this to gauge organisational risk and to point administrators at the remediation items that should be prioritised.
  4. Lastly, select Filters to narrow the scope of the report. Vulnerability severity levels filters on the severity rating assigned to the vulnerability. Exploit availability filters on whether a known exploit exists for the vulnerability and how readily it can be used against a device. Vulnerability age filters on how long the vulnerability has been registered against the device. Operating system platforms filters on the operating system the vulnerability was found on. Windows 10 & 11 version narrows that further to the specific operating system version the vulnerability applies to.
Defender IOC update events.
  1. In Auditing, open the Activities filter; the list includes the O365 Defender events that Purview records.
  2. The IOC update events that O365 Defender records fall under the following activity group. Type the name into the filter's search box to find it quickly.
    1. Microsoft Defender for Endpoint Settings Activities: Added Indicator, Edited Indicator, Deleted Indicator.
  3. Next, set the Date and time range; the search can reach back as far as 90 days. With the filters in place, select Search to queue a search against the Purview audit log.
  4. Wait for the queued search to complete, then select it to view the results. Every event within the specified timeframe is listed in descending date order, showing the user who made the change, the activity type (added, edited or deleted indicator), the indicator affected and any additional details recorded for the event.
Defender attack surface reduction block events.
  1. From the Reports section, select Attack Surface Reduction Rules; this lists all ASR rule enforcement events (blocks and audits) generated across your organization.
  2. The report opens on a trend of ASR block events over time, showing when they occurred and how many there were. Below it, every ASR event is listed with the file that was blocked, the rule that captured it, the device it came from, and the file's publisher.
  3. Lastly, select Filters to narrow the scope of the report. Rules filters on the ASR rules being applied in block or audit mode, and can be scoped to the standard rules or to all rules. Date sets the window for the report, up to 90 days. Select rules lets you pick the specific rule associated with the block placed on the file. Device group filters on a preconfigured Defender device group. Blocked/Audited? restricts the report to either audit events or block events.
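The two Defender reports above (Vulnerable Devices and Attack Surface Reduction Rules) can also be pulled as data rather than read off the portal. The following is an added example, not part of the Sittadel procedure and not Microsoft code, that runs two Advanced Hunting queries through the Microsoft Graph runHuntingQuery endpoint: one mirroring the Vulnerable Devices filters (severity, exploit availability, age, platform) and one mirroring the ASR report filters (rule, blocked or audited, date, device group). It assumes the Microsoft.Graph PowerShell module is installed and the signed-in account holds the ThreatHunting.Read.All permission. The 30-day windows and the Critical/High severity cut are chosen thresholds, not values from the page, and because the Advanced Hunting tables carry no per-device first-seen date, the age filter uses the CVE publication date as a stand-in.

```powershell
# Added example (not from the Sittadel procedure): query the data behind the
# "Vulnerable Devices" and "Attack Surface Reduction Rules" reports with
# Advanced Hunting via Microsoft Graph.
# Assumes: Microsoft.Graph module installed, ThreatHunting.Read.All granted.
# Table and column names follow the documented Advanced Hunting schema; the
# thresholds (30 days, Critical/High) are assumptions to tune per tenant.

Connect-MgGraph -Scopes "ThreatHunting.Read.All" -NoWelcome

function Invoke-AdvancedHunting {
    param([Parameter(Mandatory)][string]$Query)
    $resp = Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/security/runHuntingQuery" `
        -Body @{ Query = $Query } -ContentType "application/json"
    # Results is an array of hashtables keyed by column name
    $resp.Results | ForEach-Object { [pscustomobject]$_ }
}

# Vulnerable devices: Critical/High findings on Windows with a known exploit,
# where the CVE has been public for more than 30 days (age stand-in)
$vulnQuery = @"
DeviceTvmSoftwareVulnerabilities
| where OSPlatform startswith "Windows"
| where VulnerabilitySeverityLevel in ("Critical", "High")
| join kind=inner (
    DeviceTvmSoftwareVulnerabilitiesKB
    | where IsExploitAvailable == true
    | where PublishedDate < ago(30d)
    | project CveId, CvssScore, PublishedDate
  ) on CveId
| summarize FindingCount = count(), MaxCvss = max(CvssScore),
            Cves = make_set(CveId, 10) by DeviceName, OSPlatform, OSVersion
| order by MaxCvss desc, FindingCount desc
"@

# ASR events in the last 30 days, split into blocked vs audited, with the
# device group taken from the latest DeviceInfo record for each device
$asrQuery = @"
DeviceEvents
| where Timestamp > ago(30d)
| where ActionType startswith "Asr"
| extend Mode = iff(ActionType endswith "Blocked", "Blocked", "Audited")
| join kind=leftouter (
    DeviceInfo
    | summarize arg_max(Timestamp, MachineGroup) by DeviceId
    | project DeviceId, MachineGroup
  ) on DeviceId
| summarize Events = count(), Devices = dcount(DeviceId),
            SampleFile = take_any(FileName) by ActionType, Mode, MachineGroup
| order by Events desc
"@

$vulnerable = Invoke-AdvancedHunting -Query $vulnQuery
$vulnerable | Format-Table DeviceName, OSPlatform, OSVersion, FindingCount, MaxCvss -AutoSize

$asr = Invoke-AdvancedHunting -Query $asrQuery
$asr | Format-Table ActionType, Mode, MachineGroup, Events, Devices, SampleFile -AutoSize
```

The ASR query keys on the ActionType prefix rather than on rule GUIDs, so new rules appear automatically; a rule running in audit mode shows up with Mode "Audited", which is the same distinction the report's Blocked/Audited? filter makes.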
Defender endpoint isolation update events.
  1. In Auditing, open the Activities filter; the list includes the O365 Defender events that Purview records.
  2. The isolation update events that O365 Defender records fall under the following activity group. Type the name into the filter's search box to find it quickly.
    1. Microsoft Defender for Endpoint Response Activities: Isolated Device, Release from Isolation.
  3. Next, set the Date and time range; the search can reach back as far as 90 days. With the filters in place, select Search to queue a search against the Purview audit log.
  4. Wait for the queued search to complete, then select it to view the results. Every event within the specified timeframe is listed in descending date order, showing the user who requested the action, the activity type (isolation or release), the device affected and any additional details recorded for the event.
Defender endpoint app execution update events.
  1. In Auditing, open the Activities filter; the list includes the O365 Defender events that Purview records.
  2. The endpoint app execution update events that O365 Defender records fall under the following activity group. Type the name into the filter's search box to find it quickly.
    1. Microsoft Defender for Endpoint Response Activities: Restricted App Execution, Removed App Restrictions.
  3. Next, set the Date and time range; the search can reach back as far as 90 days. With the filters in place, select Search to queue a search against the Purview audit log.
  4. Wait for the queued search to complete, then select it to view the results. Every event within the specified timeframe is listed in descending date order, showing the user who requested the action, the activity type (restriction applied or removed), the device affected and any additional details recorded for the event.
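Each of the Purview audit searches above (quarantine releases, encrypted message portal actions, indicator changes, isolation and app restriction) is the same search with a different activity filter, so it is worth having a scripted equivalent for repeatable evidence collection. The following is an added example, not part of the Sittadel procedure and not Microsoft code, that runs the search from Exchange Online PowerShell with Search-UnifiedAuditLog, pages through large result sets, and expands the AuditData JSON into the columns the portal shows. It assumes the ExchangeOnlineManagement module is installed and the account holds an audit-log reading role. The Quarantine record type and the QuarantineRelease operation are the names used in the Office 365 Management Activity API schema; for the Defender for Endpoint activities the exact RecordType and operation names are not hard-coded here and should be confirmed in your tenant as described after the block. How far back the search can reach depends on your audit retention.

```powershell
# Added example (not from the Sittadel procedure): scripted Purview audit
# search with Search-UnifiedAuditLog, including paging and AuditData parsing.
# Assumes: ExchangeOnlineManagement module installed, an audit-log reading
# role assigned. RecordType/Operations names other than Quarantine and
# QuarantineRelease must be confirmed in your tenant before use.

Connect-ExchangeOnline -ShowBanner:$false

function Get-PurviewAuditEvents {
    param(
        [Parameter(Mandatory)][string]$RecordType,
        [string[]]$Operations,
        [datetime]$Start = (Get-Date).AddDays(-90),
        [datetime]$End   = (Get-Date)
    )
    # A single call returns at most 5000 records; a fixed SessionId with
    # ReturnLargeSet pages through the remainder until nothing comes back.
    $sessionId = [guid]::NewGuid().ToString()
    $all = @()
    do {
        $params = @{
            StartDate      = $Start
            EndDate        = $End
            RecordType     = $RecordType
            ResultSize     = 5000
            SessionId      = $sessionId
            SessionCommand = 'ReturnLargeSet'
        }
        if ($Operations) { $params.Operations = $Operations }
        $page = Search-UnifiedAuditLog @params
        if ($page) { $all += $page }
    } while ($page)

    # ReturnLargeSet can hand back duplicates; Identity is unique per record.
    # AuditData is a JSON blob holding the fields the portal displays.
    $all | Sort-Object -Unique Identity | ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            Time     = $_.CreationDate
            User     = $_.UserIds
            Activity = $_.Operations
            Workload = $d.Workload
            ObjectId = $d.ObjectId
            ClientIP = $d.ClientIP
        }
    } | Sort-Object Time -Descending
}

# Quarantine message releases over the last 30 days, shown and exported
$released = Get-PurviewAuditEvents -RecordType Quarantine `
    -Operations QuarantineRelease -Start (Get-Date).AddDays(-30)
$released | Format-Table Time, User, Activity, ObjectId, ClientIP -AutoSize
$released | Export-Csv .\quarantine-releases.csv -NoTypeInformation
```

To find the operation names behind a portal activity group, run the function with the relevant RecordType and no -Operations, then pipe the output to Group-Object Activity; the distinct values are the names to pass on later runs. Keep the exported CSV alongside the search parameters so the evidence can be reproduced during an audit.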

You're Finished!

You should have successfully viewed and collected the necessary data in relation to the audit logs outlined in their respective portals. For any other problems or questions, reach out to us!