Microsoft Defender for Identity monitored activities search and filter

Note

The Defender for Identity features explained on this page are also accessible using the new portal.

Activities detected by Defender for Identity on your network can be searched and filtered for easy drill-down and organization during your research and investigation into security alerts.

From the Defender for Identity timeline, select any entity in your network (DC, machine, or user) as the filter access point. Next, select to filter by the Security Alert, Activity type, or any combination. Once the filter is applied, the threat timeline of the entity is updated with the filtered information. Your filtered alerts and activities can also be downloaded to continue your investigation or tracking in other tools.

Filter alerts and activities

To filter alerts and activities:

  1. Select the entity to investigate from the Defender for Identity timeline.
  2. Click Filter by, then select the alerts and/or activities to filter.
  3. Click Apply. The entity timeline is updated according to the filters you selected.
  4. To download the filtered activities, click Download activities and select the date range for your download report.
  5. To reset the entity timeline to display all alerts and activities, click Reset or close the filter.

See Also