ghjneam1
Copper Contributor
Feb 05, 2025

Defender XDR Unified Audit Logs

Hi,

There used to be a Unified Audit Logs option in Defender XDR Settings under "Endpoints". This option has now disappeared.

Trying to search for Defender XDR events, such as isolating devices etc. using the Purview Audit search, I don't get any results. From the XDR Action center history I can see that isolation actions have been performed. I have Security Administrator permissions.

Is there a way to enable/disable the XDR auditing from Defender XDR or Purview portals?

  • luchete
    Steel Contributor

    Hi ghjneam1!

    The Unified Audit Logs option was moved, so it's no longer found under "Endpoints" in the Defender XDR settings. To search for events like isolating devices, you’ll need to ensure that the auditing settings in both Defender XDR and Purview are configured correctly.

    If you're not getting any results from the Purview Audit search, it might be worth double checking the connection between the two portals and verifying that XDR auditing is enabled. Since you have Security Administrator permissions, you should have access to those settings, but it's always a good idea to confirm they are set up as needed.

    If everything is in order and you're still facing issues, in my experience it is worth checking if there are any syncing problems between Defender XDR and Purview. Let me know if you are still having trouble making it work!

    Regards

    • AndyNCC
      Copper Contributor

      As an MSSP, we used the unified audit log on all our supported clients' Defender portals. Now that it has moved to Purview, this brings in more permissions we'll need to access the log.

      I've tried assigning both Purview Audit roles to no avail. Every time I try to access the customer Purview audit solution I get an error saying 'failed to load data'.

      Any ideas?

       
