Azure ATP: Are an Admin's Actions Recorded by Office 365 Audit?

Hey everyone, hope you guys are having a nice evening. Today’s blog post is about Azure ATP and Office 365 audit.

So the situation is like this:

The majority of Office 365 tenants have more than one global administrator. Whenever a global administrator wants to capture other administrators' actions, they query those events from the Office 365 audit log. For Azure ATP, I notice that its actions are not available in the Office 365 audit log, whereas Defender for Endpoint actions do appear there. In summary, you can't audit actions taken in the Azure ATP portal.

Scenario: if a global administrator deletes an alert from Azure ATP, it remains deleted; there is no recycle bin to restore the alert unless you recreate the same situation to trigger the detection again. This delete action is not recorded in the Office 365 audit log.
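As an added illustration (this is not code from the post), the following PowerShell runs the kind of unified audit log query the post describes: it pulls one administrator's recorded actions over a time window and groups them by workload and record type, so you can see which services actually logged that admin's activity. It assumes the ExchangeOnlineManagement module is installed; the account names and the seven-day window are placeholders.

```powershell
# Added example (not from the post): review one administrator's actions in the
# Office 365 unified audit log and summarise which workloads recorded them.
# Requires the ExchangeOnlineManagement module. Account names and the time
# window are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'auditor@contoso.example'   # placeholder reviewer account

$targetAdmin = 'otheradmin@contoso.example'   # placeholder: the admin whose actions are reviewed
$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# Page through results with a session; ResultSize is capped at 5000 per call.
$sessionId = 'AdminActionReview-' + [guid]::NewGuid().ToString()
$records = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -UserIds $targetAdmin -ResultSize 5000 `
        -SessionId $sessionId -SessionCommand ReturnLargeSet
    if ($page) { $records += $page }
} while ($page -and $page.Count -eq 5000)

# Large-set paging can return duplicate records; keep one copy per Identity.
$records = $records | Sort-Object -Property Identity -Unique

# AuditData is a JSON string; expand the fields that matter for review.
$parsed = $records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time       = $_.CreationDate
        RecordType = $_.RecordType
        Workload   = $d.Workload
        Operation  = $d.Operation
        Object     = $d.ObjectId
    }
}

# Which workloads and record types actually logged this admin's activity?
$parsed | Group-Object Workload, RecordType |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# Detailed list of recorded operations, newest first.
$parsed | Sort-Object Time -Descending | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

The workload summary is the useful check here: if an admin deleted an Azure ATP alert inside the window and no matching workload or operation shows up while their Defender for Endpoint or Exchange actions do, that confirms the gap the post describes rather than a problem with the query.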

Screenshot: Office 365 audit
Screenshot: Azure ATP on deleted alerts

I do not see this as a show stopper; I am still testing other ways to get this working. Stay tuned…

References:

  1. https://docs.microsoft.com/en-us/defender-for-identity/working-with-suspicious-activities
  2. Search the audit log in the Security & Compliance Center – Microsoft 365 Compliance | Microsoft Docs
  3. DefenderATP Audit logs – Microsoft Tech Community

Author: sabrinaksy

Just an ordinary lady who love what she does best.
