Forum Discussion
Linking Logged Events
Is there anyway of identifying what events in the Security and Compliance Audit log are linked to the same user session. For instance a number of events list the global microsoft service's ip address...
Apart from filtering out on time/date, not really. You are better off looking at the events in the Azure AD blade though, the ones in the SCC can be outdated and don't expose all the details.
- Vasil, thanks for your response, i tend to look at all logs, as different logs capture different data. As stated above my issue is that when i have an attacker on at the sametime as a user and i have events that a user triggered through a Microsoft addresses that I can identify which source ip or user session was responsible. I am trying to find out if anywhere in all of this logging there is anything resembling a sessions key that links each user session together. so that if i log on from two different devices that have the same browser that i can see what actions each session did.
