Audit log search in the Microsoft Defender portal

Tip

Did you know you can try the features in Microsoft Defender XDR for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms here.

In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, the unified audit log records supported user and admin operations. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in the organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.

Tip

Audit log search in the Microsoft Defender portal is identical to audit log search in the Microsoft Purview compliance portal at https://compliance.microsoft.com/auditlogsearch.

What do you need to know before you begin?

  • You need to be assigned permissions before you can do the procedures in this article. You have the following options:
    • Exchange Online permissions: Membership in the Organization Management or Compliance Management role groups.
    • Microsoft Entra permissions: Membership in the Global Administrator or Compliance Administrator roles gives users the required permissions, along with permissions for other features in Microsoft 365.

In the Microsoft Defender portal at https://security.microsoft.com, go to Audit. Or, to go directly to the Audit page, use https://security.microsoft.com/auditlogsearch.

On the Audit page, create the audit log search. For instructions, see the following articles: