If I notice a suspicious login on a user's M365 account in the Azure sign-in logs, can I find out what actions were taken during that session? Specifically, I want to know if I can see if the account was used to access or send emails, if SharePoint files were opened, and other activities. We're using standard M365 business licenses without any additional audit or tracking features. Thanks for your help!
4 Answers
If you use timeline features in Defender XDR and Sentinel, you'll get comprehensive details on the actions taken. However, keep in mind that it sounds like you might not have additional tracking due to your standard M365 licenses, which could limit what you can see.
Definitely! You can analyze user login details to find out specific time stamps, the device used, the operating system, location, and which services were accessed. Plus, you can use the email trace feature to track any sent or received emails, and check if any emails were deleted or if email forwarding was set up by the intruder.
Don't forget to check the activity logs in the Defender or Security center! Those logs will break down everything that happened, including all files accessed or deleted and emails sent.
If you have audit logging enabled in Purview, you can see a complete history of actions taken. If it wasn't turned on, I'd suggest enabling it for future incidents since it provides detailed insights into what's been changed, moved, or deleted. Honestly, I’m a bit surprised it's not on by default.
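The checks suggested in the answers above, as an added example that is not part of the original thread: it confirms unified audit logging is on, pulls the user's audit records for the window around the sign-in, and lists forwarding settings and inbox rules. It assumes the ExchangeOnlineManagement module and that auditing was already enabled when the sign-in happened; the user, time window and IP address are constructed placeholders.

```powershell
# Added example. Constructed placeholders: $User, $Start, $End, $SuspectIp.
# Needs the ExchangeOnlineManagement module and audit log search permissions.
$User      = 'user@example.com'
$Start     = ([datetime]'2024-01-01T08:00:00Z').ToUniversalTime()  # just before the sign-in
$End       = ([datetime]'2024-01-01T20:00:00Z').ToUniversalTime()  # end of the review window
$SuspectIp = '203.0.113.10'                                        # IP from the sign-in log

Connect-ExchangeOnline

# 1. Is unified audit logging on? If False, there is no history to search.
(Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled

# 2. Page through every audit record for the user in the window.
$searchId = [guid]::NewGuid().ToString()
$records  = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End -UserIds $User `
        -SessionId $searchId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $records += $page }
} while ($page)

# 3. Expand the JSON payload of each record into a flat timeline.
$events = $records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        TimeUtc   = $d.CreationTime
        Workload  = $d.Workload          # Exchange, SharePoint, OneDrive, ...
        Operation = $d.Operation         # e.g. FileAccessed, Send, New-InboxRule
        # Mailbox audit records carry ClientIPAddress instead of ClientIP.
        ClientIP  = if ($d.ClientIP) { $d.ClientIP } else { $d.ClientIPAddress }
        Object    = $d.ObjectId
    }
} | Sort-Object TimeUtc -Unique

# Activity from the suspicious address (wildcard because some records append a port).
$events | Where-Object ClientIP -like "*$SuspectIp*" | Format-Table -AutoSize

# Overview of what was done, per workload and operation.
$events | Group-Object Workload, Operation | Sort-Object Count -Descending |
    Select-Object Count, Name

# 4. Persistence checks: mailbox-level forwarding and inbox rules.
Get-Mailbox -Identity $User |
    Select-Object ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
Get-InboxRule -Mailbox $User |
    Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage
```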