Microsoft Defender Portals and Where to Access Log Data
Andrew, posted at 7:00 am

Where to find Incident Investigation Artifacts in M365 – Part 2 – The Portals

A common challenge that security teams face is simply not knowing where all the artifacts can be found during an investigation. Microsoft Defender tools collect a lot of data, which raises the questions: where does all this data live, and how do I find it quickly? Join me for Part 2 of our tour on where to find this great Defender log data.

In the last article (here), we looked at data types, retention, some high-level license differences, and what types of information are in the different logs. Refresh your memory if you like; there was a lot to take in.

Today, let’s take a quick look at the different portals that we will use to perform our investigations.

The Portals

The three portals most commonly used to review and investigate incidents are:

Azure AD Portal

Located at https://aad.portal.azure.com, this portal contains sign-ins, risk events and Azure AD admin activity. Data is displayed in a custom interface and can be filtered and exported as needed.

Microsoft 365 Defender Portal

Located at https://security.microsoft.com, this portal gives us two primary interfaces for viewing log data: Advanced Hunting, and access to the Unified Audit Log (UAL) via Audit Search. This is important! Take a look at the previous article if you are unsure which data flows into the UAL.

Defender for Cloud Apps

Located at https://portal.cloudappsecurity.com, this portal does not include any Office 365 data unless explicitly configured. When configured, data is stored in the Activity log and multiple alert templates are available to help detect and respond to security events in your tenant.

Bonus Comprehensive Portal List

Curious where you can quickly find the portals that you may not use every day? Check out this awesome list of Microsoft Admin Portals: https://msportals.io/

My most used:

Exchange Admin Center (EAC), new: https://admin.exchange.microsoft.com
Exchange Admin Center (EAC), old: https://outlook.office365.com/ecp/
Microsoft Purview compliance portal: https://compliance.microsoft.com
Microsoft 365 network connectivity test: https://connectivity.office.com
Microsoft 365 Network Insights (Preview): https://portal.office.com/adminportal/home#/networkperformance
Microsoft Call Quality Dashboard (Teams): https://cqd.teams.microsoft.com
Microsoft Endpoint Manager Admin Console (Intune): https://endpoint.microsoft.com

Source:
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/forensic-artifacts-in-office-365-and-where-to-find-them/ba-p/3634865