Bring Back M365 Audit Logs for Users
complete
Neil O'Sullivan
Please bring back the ability to click into a user's account and pull up their recent audit/sign-in activity! That was a tool I used all the time and was very helpful, especially since there doesn't seem to be a filter available for the "All Events" view either. Definitely helped make my life much easier and efficient when checking user activity.
Thanks!
Rich Mozeleski
complete
Login event activity for the past two weeks is now visible on the identity page (again). In addition, Managed ITDR partners will now get one year of ITDR M365 audit log ingestion at no cost within Managed SIEM.
Neil O'Sullivan
Rich Mozeleski THANK YOUUUUUUU!
Jonathan Pilkington
Rich Mozeleski Is there a way to search logins in SIEM currently or is that a future plan?
Matthew Buehlmann
Rich Mozeleski This is awesome Rich, thank you!
Rich Mozeleski
Jonathan Pilkington Hey Jonathan! Yes, this data is queryable within the SIEM. If you shoot me an email with some more specifics I can get you a query to run.
Jacob Wiley
Rich Mozeleski Thank you!
Coombe Coombe
I would also like to see the Device ID and Compliant state from the Entra Sign In logs in the Huntress alert so we can quickly cross reference if this is an enrolled/compliant device logging in from a new country because the user is travelling.
I would also go one step further and say that Huntress has the telemetry to know that the device id for the user is commonly used in other countries and therefore the fact that the user/device has logged in from a new country would suggest the user was travelling and is of no significant risk. If the device id was new or unknown then this would represent a significant risk and is much more likely to be a compromised account.
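The cross-reference described in the comment above, written out as an added example (constructed here; this is not Huntress code and the field names `device_id`, `compliant` and `country` are assumed stand-ins for the Entra sign-in log properties, not the real schema): each sign-in is judged only against that user's earlier sign-ins, a new country on a known compliant device is treated as likely travel, and a new country on an unknown or missing device is flagged as the higher-risk case.

```python
"""Triage new-country sign-ins using device ID and compliance state.

Constructed example: the records below are made-up sign-in events, not real
Entra ID logs or Huntress telemetry. The heuristic follows the suggestion in
the thread: a known, compliant device appearing in a new country looks like
travel; an unknown or absent device ID in a new country looks like compromise.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, Optional


@dataclass(frozen=True)
class SignIn:
    user: str
    timestamp: datetime
    country: str               # country code from the sign-in location (assumed field)
    device_id: Optional[str]   # None when the sign-in carries no device ID (assumed field)
    compliant: bool            # compliance state of that device (assumed field)


def _utc(y: int, m: int, d: int, h: int = 0) -> datetime:
    return datetime(y, m, d, h, tzinfo=timezone.utc)


def classify(event: SignIn, history: Iterable[SignIn]) -> str:
    """Return 'no-baseline', 'baseline', 'low', 'medium' or 'high' for one sign-in.

    history: sign-ins that may include this user's past. Only events for the
    same user that precede `event` inform the verdict, so later events are
    never consulted.
    """
    prior = [h for h in history
             if h.user == event.user and h.timestamp < event.timestamp]
    if not prior:
        return "no-baseline"              # nothing to compare against yet
    known_countries = {h.country for h in prior}
    known_devices = {h.device_id for h in prior if h.device_id is not None}

    if event.country in known_countries:
        return "baseline"                 # not a new country for this user
    if event.device_id is None:
        return "high"                     # new country and no device identity at all
    if event.device_id in known_devices:
        # Same enrolled device the user normally signs in from: consistent with travel.
        return "low" if event.compliant else "medium"
    return "high"                         # new country AND a device never seen for this user


def triage(events: Iterable[SignIn]) -> list[tuple[SignIn, str]]:
    """Classify every event in chronological order, each against its own past only."""
    ordered = sorted(events, key=lambda e: (e.timestamp, e.user))
    return [(e, classify(e, ordered[:i])) for i, e in enumerate(ordered)]


def high_risk_signins(events: Iterable[SignIn]) -> list[tuple[str, str]]:
    """(user, country) pairs that an analyst should look at first."""
    return [(e.user, e.country) for e, verdict in triage(events) if verdict == "high"]


# Constructed sample data: two users, one travelling on her usual device, one
# sign-in with no device ID, and one from a device never seen for that user.
SAMPLE_SIGNINS = [
    SignIn("alice@example.com", _utc(2024, 5, 1, 9),  "US", "dev-a1", True),
    SignIn("alice@example.com", _utc(2024, 5, 2, 9),  "US", "dev-a1", True),
    SignIn("alice@example.com", _utc(2024, 5, 6, 8),  "GB", "dev-a1", True),   # travel
    SignIn("alice@example.com", _utc(2024, 5, 6, 23), "NG", None,     False),  # no device ID
    SignIn("bob@example.com",   _utc(2024, 5, 1, 10), "US", "dev-b1", True),
    SignIn("bob@example.com",   _utc(2024, 5, 3, 3),  "DE", "dev-zz", False),  # unknown device
]


if __name__ == "__main__":
    for event, verdict in triage(SAMPLE_SIGNINS):
        print(f"{event.timestamp:%Y-%m-%d %H:%M} {event.user:<18} "
              f"{event.country} device={event.device_id or '-':<7} "
              f"compliant={event.compliant!s:<5} -> {verdict}")
```

The verdict for a sign-in depends only on what that user had done before it, which is the same ordering constraint a real alert pipeline has to respect; a "medium" outcome (known device, but not compliant) is kept separate so it can be routed differently from the travel case.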
Rich Mozeleski
in progress
We are going to provide Managed ITDR log ingestion and retention within our Managed SIEM product. This functionality will be provided as a free data source within Managed SIEM and will not require a separate Managed SIEM subscription.
This will allow partners to review all logs associated with ITDR detections (as before) while providing the additional query functionality that the new product provides. We will provide a link within the Managed ITDR dashboard to view these events.
Jonathan Pilkington
Rich Mozeleski If we have a SIEM license does that mean it will be also kept for a year?
Edit: Never mind, can access them using:
from logs | where event.provider == "ITDR"
Rich Mozeleski
Jonathan Pilkington: Hey Jonathan! The ITDR logs will be kept for a year regardless of whether or not you have purchased Managed SIEM.
Rich Mozeleski
planned
While building the Unwanted Access capability for the product, we completely refactored our backend handling of events from Microsoft. This refactoring prevents us from recreating the "View All Events" view.
Being completely transparent, we did not realize the value many of our partners put into that view. We cannot easily recreate it but we are looking into options to restore this functionality.
I'll share more information when I can.
Jacob Wiley
Yes, please bring this back. Huntress provides the 'single pane of glass' that Microsoft can't touch (no I'm not going to use lighthouse).
Angelique Thayer
This really needs to be brought back. I have a user that was compromised and it was not caught by Huntress. I am trying to figure out why and how. The bad guys even managed to get additional 2FA devices configured and I am trying to figure out how that happened so that I can explain it to my client who almost lost $800,000. Thankfully their Vendor called and asked questions, which we all know doesn't normally happen. The logs will at least give me an idea of where a user's email account is being logged into without having to dig through the Microsoft Tenant account logs.
Alex Perrot
This is also a must-have for us. Absolutely a frustrating regression.
Christopher Beckstrand
Came here to see if this was already requested. I'm not sure why it was decided to remove this. Please add it back to the UI.
Wilmer'la Armstrong'la
Agreed - raised this with the product team and they said it was removed because the same data was available in the MS portal, but as an MSSP it was much easier to see it all in one place in Huntress for all customers.
Nick Whittome
Agreed. Used this all the time.