Change in Activity Log experience for activities older than 30 days
Microsoft Defender for Cloud Apps is making some changes to the Activity Log experience to align with Microsoft 365 Defender for upcoming unified investigation and hunting experiences. Activity log queries will apply to activities logged in the last 30 days.
Note: All activities will continue to be retained for 180 days.
When will this happen:
On April 1, 2022, Activity Log existing filters will query all activities logged in the last 30 days.
How this will affect your organization:
To query older activities, you should navigate to Activity Log and click on “Investigate 6 months back” on the top right-hand corner of the screen. From there you will define the filters as normally done with Activity Log.
The following filters will be supported:
- Username
- Activity type
- IP address
- Application
- Location
- Activity ID
The supported operators are equal, not equal. Other filters and operators will not be available when defining a query for activities older than 30 days.
In addition to the changes in the Activity Log there will be a change in the Activities API – which will return only activities from the past 30 days.
What you need to do to prepare:
For additional information, refer to the product documentation (documentation will be updated on April 1 upon rollout).
Message ID: MC343059
No comments yet