Audit and Compliance Page
The Audit and Compliance page in the Investigations interface list of saved out-of-the-box investigations with applied filters for commonly used Audit and Compliance activity reports.
The table displays the list of investigations with the following columns:
- Name – The name of the investigation
- Threat – The check mark indicates that a Threat has been configured for this investigation
- Favorite – The check mark indicates that the investigation has been tagged as a favorite for the logged in user
Click an investigation to view it. You can run the query, modify the configuration, add a subscription, or export the report. See the Investigation Options topic for additional information on saved investigation options.
Every report generated by an investigation query displays the same type of information. See the Investigation Reports topic for additional information.
By default, this folder contains the following saved investigations:
| Investigation | Description | Filters |
|---|---|---|
| AD Changes | All Active Directory changes | One filter statement set: - Attribute = Event Operation - Operator = Equals - Filter = Active Directory Change |
| AD Changes by Domain Admins | All Active Directory changes by Domain Admins | Two filter statements set: - Attribute 1 = Event Operation - Operator 1 = Equals - Filter 1 = Active Directory Change AND - Attribute 2 = Tag (Effective) - Operator 2 = Equals - Filter 2 = Domain Admin |
| AD Logins | Active Directory logins including Kerberos and NTLM authentication | One filter statement set: - Attribute = Event Operation - Operator = Equals - Filter = Active Directory Authentication |
| All Events | New Investigation | No filters set |
| Confirmed Compromised Account Activity | Occurs when a Confirmed Compromised Account is being active within an Entra ID tenant | One filter statement set: - Attribute = Tag (Direct) - Operator = Equals - Filter 1 = Confirmed Compromised |
| Failed AD Logins | All failed Active Directory logins including Kerberos and NTLM authentication | Two filter statements set: - Attribute 1 = Event Operation - Operator 1 = Equals - Filter 1 = Active Directory Authentication AND - Attribute 2 = Success - Operator 2 = Equals - Filter 2 = false |
| Failed Entra ID Logins | Occurs when an Entra ID login attempt has failed | Two filter statements set: - Attribute = Event Operation - Operator = Equals - Filter 1 = EntraID Sign-In And - Attribute = Success - Operator = Equals - Filter 2 = False |
| LDAP Search | All LDAP search events | One filter statement set: - Attribute = Event Operation - Operator = Equals - Filter = LDAP Search |
| Privileged Account Activity | All activity by privileged accounts | One filter statement set: - Attribute = Tag (Direct) - Operator = Equals - Filter = Privileged |
| Risky User Activity | Occurs when a Risky User is being active within an Entra ID tenant | One filter statement set: Attribute = Tag (Direct) Operator = Equals Filter 1 = At Risk |
| Service Account Activity | All activity by service accounts | One filter statement set: - Attribute = Tag (Direct) - Operator = Equals - Filter = Service Account |
| Watchlist User Activity | All activity by watchlist users | One filter statement set: - Attribute = Tag (Effective) - Operator = Equals - Filter = Watchlist |
You can save additional investigations to this folder.