Forum Discussion
How to get audit logs for Ransomware activity Policy under Threat Detection
I need to fetch the logs like who modified the policy is there any powershell command I can run
- michaks7a8aaCopper Contributor
To obtain audit logs for Ransomware activity policies under Threat Detection, you typically need to follow these general steps. Keep in mind that the exact steps might vary based on the specific security software or platform you're using. Here's a general guideline:
Access Security Dashboard: Log in to your security management console or dashboard. This is where you configure and monitor security policies and events.
Navigate to Threat Detection: Look for the section or tab related to threat detection or security policies. This is where you'll find settings and options to configure and monitor ransomware activity.
Enable Ransomware Activity Policy: If you haven't already, enable or configure the ransomware activity policy. This policy will define what constitutes ransomware activity and how the system should respond to it.
Configure Logging: Within the ransomware activity policy settings, there should be options related to logging and auditing. Enable logging for ransomware-related events or activities. You may also need to specify the level of detail you want to log.
Specify Log Retention: Determine how long you want to retain these logs. This can be important for compliance purposes and for historical analysis.
Review and Monitor Logs: Once the logging is enabled and the policy is in place, the system should start generating logs for any ransomware-related activities it detects. Regularly review and monitor these logs for any suspicious or unauthorized activities.
Set Up Alerts: In addition to manual log review, you can often configure automated alerts to notify you when ransomware activity is detected. These alerts can be sent via email, SMS, or through the security dashboard.
Respond to Incidents: If you receive alerts or notice any suspicious activity in the audit logs, follow your organization's incident response procedures. This might involve isolating affected systems, taking them offline, and conducting a thorough investigation.
Documentation and Reporting: Keep thorough records of any ransomware-related incidents, actions taken, and outcomes. This documentation can be invaluable for post-incident analysis, reporting to stakeholders, and for improving your security posture in the future.
Please note that the exact steps and terminology may differ based on the security solution you're using. Consult the documentation provided by your security software vendor or platform for detailed instructions specific to your environment. Also, keep your software and threat detection definitions up to date to ensure the effectiveness of your security measures.
- HeikeRitterMicrosoft
Hello!! Could you please specify more what policy you are referring to? ASR rules? If so, you would need to check the audit logs in Intune.
- tyagia2ulCopper ContributorHello Heike,
We have a Threat Detection Policy under Cloud Apps in Microsoft 365 Defender and I need to pull the logs of that policy like when and who modified it last time .- HeikeRitterMicrosoftGot it, thanks for clarifying - let me check with the Defender for Cloud Apps team.