Threat Investigation with Defender XDR and Purview Audit

When a security incident occurs, speed and accuracy in tracking an attacker's footprint are critical. Understanding how to navigate and analyze audit logs is the key to identifying compromised accounts, data exfiltration, and unauthorized system changes. This written course equips you with the foundational skills to perform threat investigations using Defender XDR and Purview Standard. You will learn how to systematically search audit records, reconstruct security events, and turn raw log data into actionable threat intelligence. What you'll learn: Understand foundational auditing concepts and how they support a modern zero-trust security posture; Configure and manage audit logging policies within Defender XDR and Purview; Search the Purview Universal Audit Log (UAL) to track suspicious user and administrator activities; Analyze log data to identify indicators of compromise (IoCs) and unauthorized access; Investigate email, document, and cloud-app threats using structured search queries; Practice interpreting audit records to reconstruct the timeline of a security incident. This course begins with essential security terminology and the fundamentals of auditing before guiding you through search strategies, log analysis techniques, and practical incident reconstruction scenarios. Designed for beginner security analysts, IT administrators, and compliance professionals, this course requires no prior experience with threat hunting. Start reading today to build your threat investigation skills and secure your organization's infrastructure.