Microsoft Defender for Cloud
For security operations teams managing Microsoft 365 and Azure environments, knowing which event logs to monitor in the Defender portal is fundamental. The right logs give you visibility into identity threats, device compromise, and policy violations before they escalate.
Here are the most critical event log categories:
## 1. Sign-In Logs (Entra ID)
**Location:** Microsoft Entra ID > Sign-in logs
Monitor failed sign-ins, sign-ins from unfamiliar locations, Conditional Access failures, and risky sign-ins flagged by Identity Protection. Identity is the primary attack surface; these logs are where credential compromise and lateral movement first become visible.
## 2. Audit Logs (Entra ID)
**Location:** Microsoft Entra ID > Audit logs
Track changes to user accounts, privilege escalations, Conditional Access modifications, and application consent grants. Unauthorized administrative changes can bypass security controls.
## 3. Device Compliance Logs (Intune)
**Location:** Microsoft Intune > Devices > Monitor
Monitor non-compliant devices, enrollment failures, and policy errors. Non-compliant endpoints represent unmanaged risk.
## 4. Threat & Vulnerability Management
**Location:** Microsoft Defender > Endpoints > TVM
Track critical vulnerabilities, missing updates, and exposed credentials. Proactive vulnerability management prevents exploitation.
## 5. Alerts and Incidents (Defender XDR)
**Location:** Microsoft Defender > Incidents & Alerts
Your central SOC dashboard—monitor high-severity alerts for ransomware, credential theft, and lateral movement across endpoints, identities, email, and apps.
## 6. Cloud App Activity Logs
**Location:** Defender for Cloud Apps > Activity log
Detect unusual file downloads, admin activity from unmanaged devices, and OAuth app permissions. These logs reveal unauthorized data exfiltration and risky SaaS behavior.
## 7. Email Threat Logs
**Location:** Microsoft Defender > Email & Collaboration > Threat Explorer
Monitor phishing attempts, malware attachments, and spoofed emails. Email remains the most common attack vector.
## 8. Cloud Security Alerts
**Location:** Microsoft Defender for Cloud > Security alerts
Track misconfigurations, policy violations, and threats across Azure subscriptions and hybrid workloads. Essential for cloud infrastructure protection and compliance monitoring.
## How to Use These Logs Effectively
1. Set up automated alerts in Sentinel
2. Establish baselines to detect anomalies
3. Correlate across sources for full attack context
4. Automate response with Automated Investigation and Response (AIR) features
5. Review high-severity logs weekly
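Steps 2 and 3 above (baselining and cross-source correlation) are easiest to understand with a concrete detector. The following is an added example, not code from the post or from Microsoft: an offline Python prototype that establishes a per-user baseline of failed sign-ins from Entra sign-in log records, flags a burst above that baseline, and escalates the finding when the same account then succeeds and makes a sensitive change that would appear in the Entra audit log. The telemetry is constructed, and the tuple layouts and thresholds are assumptions you would replace with your own exports or a Sentinel analytics rule.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta

# Directory changes that, following a brute-force burst, suggest a compromised account.
SENSITIVE_OPS = {"Add member to role", "Update conditional access policy", "Consent to application"}

def failures_per_day(signins):
    """Count failed sign-ins (non-zero Entra result code) per user per calendar day."""
    counts = defaultdict(lambda: defaultdict(int))
    for user, ts, result, _loc in signins:
        if result != 0:
            counts[user][datetime.fromisoformat(ts).date()] += 1
    return counts

def detect(signins, audits, day, baseline_days=7, factor=3, floor=5, window=timedelta(hours=1)):
    """Flag users whose failures on `day` exceed their own baseline; escalate when the same
    user then signs in successfully and makes a sensitive directory change within `window`."""
    counts = failures_per_day(signins)
    findings = []
    for user, per_day in counts.items():
        avg = sum(per_day.get(day - timedelta(days=i), 0) for i in range(1, baseline_days + 1)) / baseline_days
        today = per_day.get(day, 0)
        if today < max(floor, factor * avg):
            continue  # within the user's normal noise, not worth an alert
        finding = {"user": user, "failed": today, "baseline_avg": avg, "escalated": False}
        successes = [datetime.fromisoformat(ts) for u, ts, r, _ in signins
                     if u == user and r == 0 and datetime.fromisoformat(ts).date() == day]
        for actor, ts, op in audits:
            t = datetime.fromisoformat(ts)
            if actor == user and op in SENSITIVE_OPS and any(timedelta(0) <= t - s <= window for s in successes):
                finding.update(escalated=True, operation=op)
        findings.append(finding)
    return findings

# Constructed sample telemetry (not real data): (user, timestamp, result code, country).
SIGNINS = (
    [("alice@contoso.example", f"2024-05-0{d}T09:00:00", 50126, "NL") for d in range(1, 8)]  # baseline: 1/day
    + [("alice@contoso.example", f"2024-05-08T03:0{i}:00", 50126, "XX") for i in range(9)]  # 9 failures in minutes
    + [("alice@contoso.example", "2024-05-08T03:12:00", 0, "XX")]                          # then a success
    + [("bob@contoso.example", f"2024-05-0{d}T10:00:00", 50126, "NL") for d in range(1, 9)]  # bob: steady noise
)
AUDITS = [("alice@contoso.example", "2024-05-08T03:40:00", "Add member to role"),  # (actor, timestamp, operation)
          ("bob@contoso.example", "2024-05-08T11:00:00", "Add member to role")]

def run_sample():
    return detect(SIGNINS, AUDITS, date(2024, 5, 8))  # the day under investigation

if __name__ == "__main__":
    print(run_sample())
```

Bob's role change is ignored because his failure count never leaves his baseline; only Alice's burst followed by a role assignment produces an escalated finding, which is the kind of correlated signal worth turning into a Sentinel analytics rule.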
**Microsoft Defender XDR Documentation:**
https://learn.microsoft.com/en-us/microsoft-365/security/defender/
**Entra ID Monitoring:**
https://learn.microsoft.com/en-us/entra/identity/monitoring-health/
**Microsoft Defender for Cloud:**
https://learn.microsoft.com/en-us/azure/defender-for-cloud/
Monitoring the right logs is the foundation of a strong security posture. Start here, tune your alerts, and build the visibility your SOC needs.
#MicrosoftDefender #CyberSecurity #SOC #DefenderXDR #ThreatHunting #SecurityOperations #EntraID #Microsoft365 #ZeroTrust #DefenderForCloud