TEAM: Huntress Managed Identity Threat Detection and Response (ITDR, formerly MDR for Microsoft 365)
ENVIRONMENT: Microsoft Compliance Center
SUMMARY: In order to receive logs from the Microsoft Portal in to the Huntress Portal, audit logging must be enabled.
Inside the Huntress platform, verify that the users' list is populating and updated around onboarding time.
Let's check the state of audit logging for the downstream client tenant.
Microsoft Documentation
As the tenant in question:
- Navigate to https://compliance.microsoft.com
- Left-hand menu, Solutions > Audit
- If blue "Start Recording User and Admin Banner" is present, click to enable.
You can also run the following powershell to enable audit logging
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Please note that Audit Logging enablement may take 24 hours to complete. This is a Microsoft restriction. However, we have seen this complete within an hour typically.
More information around enablement of Audit logging can be located at Microsoft - Turn auditing on or off.