Microsoft Defender for Identity monitored activities search and filter

Note

The experience described in this page can be accessed at https://security.microsoft.com as part of Microsoft Defender XDR.

Activities detected by Defender for Identity on your network can be searched and filtered for easy drill-down and organization during your research and investigation into security alerts.

From the Defender for Identity timeline, select any entity in your network (DC, machine, or user) as the filter access point. Next, select to filter by the Security Alert, Activity type, or any combination. Once the filter is applied, the threat timeline of the entity is updated with the filtered information. Your filtered alerts and activities can also be downloaded to continue your investigation or tracking in other tools.

Filter alerts and activities.

To filter alerts and activities:

  1. Select the entity to investigate from the Defender for Identity timeline.
  2. Click Filter by, then select the alerts and/or activities to filter.
  3. Click Apply. The entity timeline is updated according to the filters you selected.
  4. To download the filtered activities, click Download activities and select the date range for your download report.
  5. To reset the entity timeline to display all alerts and activities, click Reset or close the filter.

See Also