Activity log
The next key feature of MDCA is the activity log, which stores activity records from your connected apps; the exact contents of these records depend on which apps you have connected. It is recommended to connect Microsoft Azure and Microsoft 365, along with any other supported apps you have in your environment.
Each log entry will generally contain a few useful items:
- The user
  - If you have imported user groups, the group will show for the user when applicable
- Device information
  - It is uncommon to get useful device information, but sometimes you will get the Entra ID device ID
  - Usually you are only working with the user agent string. While this can help identify the browser or operating system, it is unreliable and easily spoofed. It is common to see an "outdated OS" marked as Windows 7 that is actually something else, because the local application generating the log has a bug or a hard-coded user agent string.
- Location
- IP address
  - Along with any built-in or custom IP address ranges the address falls into
- Activity information
  - For example, whether this was a create, replace, update, or delete operation
If you start investigating something and come up with a set of filters for items you would like to be aware of, or that are likely malicious, consider taking those filters and turning them into an activity policy in policy management. This is where activity logs really shine. Microsoft has a list of recommended policies here, as well as some templates.
An activity policy can create an alert, send an email, or take governance actions to help remediate malicious activity.
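As an added example (not code from this page or from Microsoft), the script below shows the kind of filter logic you might prototype against exported activity records before promoting it to an activity policy. It checks two of the points above: whether a user-agent claim of an outdated OS is corroborated or contradicted by the same user's other activity, and whether destructive operations come from outside your known IP ranges. The record layout (`user`, `ip`, `user_agent`, `activity`, `device_id`) and the sample entries are constructed for this example; a real MDCA export uses its own schema and your own IP ranges.

```python
"""Prototype triage filters over MDCA-style activity records.

Added example; the field names, IP ranges and sample records below are
constructed and assumed, not an MDCA export format.
"""
import ipaddress
import re
from collections import defaultdict

# Stand-ins for the built-in/custom IP address ranges you would define in
# MDCA (documentation-only ranges, constructed for this example).
KNOWN_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),   # "HQ"
    ipaddress.ip_network("198.51.100.0/25"),  # "VPN pool"
]

# "Windows NT x.y" tokens seen in user agents. Windows 10 and 11 both
# report NT 10.0 (browsers froze that token), so anything below 10.0 is
# what the portal would flag as an "outdated OS".
WINDOWS_NT = {"5.1": "Windows XP", "6.0": "Windows Vista", "6.1": "Windows 7",
              "6.2": "Windows 8", "6.3": "Windows 8.1", "10.0": "Windows 10/11"}
OUTDATED = {"Windows XP", "Windows Vista", "Windows 7", "Windows 8", "Windows 8.1"}
DESTRUCTIVE = {"Delete", "Replace"}
_NT_RE = re.compile(r"Windows NT (\d+\.\d+)")

# Constructed sample records (schema assumed for this example).
SAMPLE_ACTIVITIES = [
    {"user": "alice@example.com", "ip": "203.0.113.10", "activity": "Update", "device_id": None,
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"},
    # Same user, same IP, but a local sync client with a hard-coded Windows 7 UA.
    {"user": "alice@example.com", "ip": "203.0.113.10", "activity": "Update", "device_id": None,
     "user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) LocalSyncClient/1.0"},
    # Delete from an address outside every known range, claiming Windows 7.
    {"user": "bob@example.com", "ip": "192.0.2.77", "activity": "Delete", "device_id": None,
     "user_agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"},
    {"user": "carol@example.com", "ip": "198.51.100.5", "activity": "Create", "device_id": None,
     "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 Safari/605.1.15"},
    # .200 is outside the /25 VPN pool (.0-.127); Replace is destructive.
    {"user": "dave@example.com", "ip": "198.51.100.200", "activity": "Replace", "device_id": None,
     "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"},
]


def claimed_os(user_agent: str) -> str:
    """Return the OS the user agent *claims*. This is unverified input."""
    m = _NT_RE.search(user_agent)
    if m:
        return WINDOWS_NT.get(m.group(1), "Windows (unknown build)")
    if "Mac OS X" in user_agent or "Macintosh" in user_agent:
        return "macOS"
    if "Linux" in user_agent:
        return "Linux"
    return "unknown"


def in_known_range(ip: str) -> bool:
    """True if the address falls inside one of the defined IP ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_RANGES)


def triage(records):
    """Apply the candidate filters; return a list of (record, reason) pairs."""
    # Which OSes has each user claimed in this window? Used to tell a
    # hard-coded/spoofed UA apart from a genuinely old machine.
    claims = defaultdict(set)
    for r in records:
        claims[r["user"]].add(claimed_os(r["user_agent"]))

    findings = []
    for r in records:
        os_name = claimed_os(r["user_agent"])
        reasons = []
        if os_name in OUTDATED:
            if claims[r["user"]] - OUTDATED:  # same user also shows a current OS
                reasons.append(f"UA claims {os_name} but the same user also reports a current OS: "
                               "likely a hard-coded or spoofed user agent, not an outdated OS")
            else:
                reasons.append(f"UA claims {os_name}; corroborate with the Entra device ID before acting")
        if r["activity"] in DESTRUCTIVE and not in_known_range(r["ip"]):
            reasons.append(f"{r['activity']} from {r['ip']} outside known IP ranges")
        findings.extend((r, reason) for reason in reasons)
    return findings


if __name__ == "__main__":
    for record, reason in triage(SAMPLE_ACTIVITIES):
        print(f"{record['user']:<20} {record['activity']:<8} {reason}")
```

Each reason string maps to a filter you could express in the portal (user agent tag, IP address category, activity type) and promote to an activity policy once it has proven itself against real data; the cross-user-agent check is the part worth doing first, since it separates log-generator bugs from machines that actually need attention.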