Once Azure Log Connector is installed, configured, and collecting data, all Azure and Microsoft 365 audit activity is available to view, search, and analyze in the LT Auditor MP Web UI. This article covers how to access and navigate the collected data for day-to-day monitoring.
Accessing Azure Log Connector event data:
- Log in to the LT Auditor MP Web UI
- Navigate to View in the main navigation menu
- Select a saved Azure Log Connector view from the list, or create a new one:
  - Click Create View
  - Set the Environment to your Azure Log Connector environment
  - Set the Category to the relevant log category
  - Configure your preferred default date range
  - Click Save
- The log table populates with events collected from your Azure and Microsoft 365 tenant
Recommended saved views to create:
| View Name | Category | Default Filter |
| --- | --- | --- |
| All Azure Sign-Ins | Sign-In Logs | None |
| Failed Sign-Ins | Sign-In Logs | Status = Failed |
| Risky Sign-Ins | Risky Sign-Ins | None |
| Entra ID Audit Events | Entra ID Audit Logs | None |
| Privileged Role Changes | Entra ID Audit Logs | Operation Contains role |
| SharePoint Activity | SharePoint Online Logs | None |
| OneDrive Activity | OneDrive Logs | None |
| Administrative Activity | Entra ID Audit Logs | Operation Contains admin |
[Your administrator should create and share these views with the team so everyone has a consistent starting point for Azure monitoring.]
Filtering events:
Filter by log category:
Select the view configured for the relevant category, or apply a category filter:
- Click Advanced Filters
- Add a condition:
  - Field — Category
  - Operator — Equals
  - Value — the category name (e.g., Sign-In Logs, SharePoint Online Logs)
- Click Apply Filters
Filter by user:
- Click Advanced Filters
- Add a condition:
  - Field — User or UPN
  - Operator — Equals or Contains
  - Value — the user’s UPN (e.g., jsmith@company.com)
- Click Apply Filters
Filter by sign-in status:
- Click Advanced Filters
- Add a condition:
  - Field — Status
  - Operator — Equals
  - Value — Success or Failed
- Click Apply Filters
Filter by IP address:
- Click Advanced Filters
- Add a condition:
  - Field — IP Address
  - Operator — Equals or Contains
  - Value — the IP address to investigate
- Click Apply Filters
Filter by location:
- Click Advanced Filters
- Add a condition:
  - Field — Location or Country
  - Operator — Equals or Contains
  - Value — the country or city to filter by
- Click Apply Filters
Filter by application:
- Click Advanced Filters
- Add a condition:
  - Field — Application
  - Operator — Equals or Contains
  - Value — the application name (e.g., SharePoint, Microsoft Teams, Exchange Online)
- Click Apply Filters
Filter by operation (Entra ID Audit Logs):
- Click Advanced Filters
- Add a condition:
  - Field — Operation
  - Operator — Equals or Contains
  - Value — the operation to filter by (e.g., Add member to role, Create user, Reset password)
- Click Apply Filters
Viewing full event details:
- Click on any event row in the log table
- The detail panel opens and displays:
  - User — the UPN of the user involved
  - Operation — the specific action that occurred
  - Status — success or failure
  - Timestamp — when the event occurred
  - IP Address — the source IP address
  - Location — the geographic location associated with the IP address
  - Application — the Microsoft application involved
  - Category — the log category (Sign-In, Audit, SharePoint, OneDrive, etc.)
  - Risk Level — the risk level assigned by Entra ID Identity Protection (if applicable)
  - Raw Log — the original event record forwarded by Azure Log Connector
- Click Close to return to the log table
Monitoring SharePoint Online and OneDrive activity:
Azure Log Connector is the only module in LT Auditor MP that collects Microsoft 365 collaboration activity. Use the SharePoint and OneDrive views to:
- Track file access, downloads, and sharing activity
- Identify files shared externally or with unauthorized users
- Monitor permission changes on sensitive SharePoint sites or document libraries
- Detect large-scale file downloads that may indicate data exfiltration
- Review OneDrive sync activity across user accounts
SharePoint and OneDrive events are collected with a default delay of 30 minutes to allow Microsoft 365 audit events sufficient time to become available in the Office 365 Management API. Events may not appear in LT Auditor MP immediately after they occur.
Monitoring privileged activity:
To view all role assignment and administrative activity in Entra ID:
- Select the Entra ID Audit Logs view
- Apply a filter:
  - Field — Operation
  - Operator — Contains
  - Value — role
- Click Apply Filters
- Review all events involving role assignments and changes
Exporting event data:
- Apply your desired filters and date range
- Click the Export button
- Choose your format:
  - CSV — for Excel or data analysis tools
  - Excel — native Excel format
  - PDF — for audit submission or management reporting
- Configure export options as needed
- Click Download
For large sign-in log exports covering extended date ranges, consider scheduling a report rather than exporting directly from the view.
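A CSV export can be triaged offline against the same checks the views above cover: failed sign-ins, privileged role changes, and large-scale downloads. The script below is an added example, not LT Auditor MP code. It assumes the export's column headers match the detail-panel field names, that download operations contain the word "download", and that the thresholds shown are placeholders to tune.

```python
import csv
import io
from collections import Counter

# Constructed sample export. Column names mirror the detail-panel fields on
# this page; the real export header is an assumption and may differ.
SAMPLE_CSV = """\
User,Operation,Status,Timestamp,IP Address,Location,Application,Category
jsmith@company.com,Sign-in,Failed,2024-05-01T08:00:01Z,203.0.113.7,US,Exchange Online,Sign-In Logs
jsmith@company.com,Sign-in,Failed,2024-05-01T08:00:09Z,203.0.113.7,US,Exchange Online,Sign-In Logs
jsmith@company.com,Sign-in,Failed,2024-05-01T08:00:15Z,203.0.113.7,US,Exchange Online,Sign-In Logs
jsmith@company.com,Sign-in,Success,2024-05-01T09:12:40Z,198.51.100.4,US,Microsoft Teams,Sign-In Logs
bwong@company.com,Sign-in,Failed,2024-05-01T09:30:00Z,198.51.100.9,US,SharePoint,Sign-In Logs
admin@company.com,Add member to role,Success,2024-05-01T10:02:11Z,192.0.2.10,US,Entra ID,Entra ID Audit Logs
adoe@company.com,FileDownloaded,Success,2024-05-01T11:00:01Z,192.0.2.55,US,SharePoint,SharePoint Online Logs
adoe@company.com,FileDownloaded,Success,2024-05-01T11:00:03Z,192.0.2.55,US,SharePoint,SharePoint Online Logs
adoe@company.com,FileDownloaded,Success,2024-05-01T11:00:05Z,192.0.2.55,US,SharePoint,SharePoint Online Logs
adoe@company.com,FileAccessed,Success,2024-05-01T11:05:00Z,192.0.2.55,US,SharePoint,SharePoint Online Logs
"""

def review(export_text, failed_threshold=3, download_threshold=3):
    """Summarise an exported event CSV into checklist findings."""
    failed = Counter()      # (user, source IP) -> failed sign-in count
    downloads = Counter()   # user -> download event count
    role_changes = []       # every audit event whose operation mentions a role
    for row in csv.DictReader(io.StringIO(export_text)):
        op = row["Operation"].lower()
        cat = row["Category"]
        if cat == "Sign-In Logs" and row["Status"] == "Failed":
            failed[(row["User"], row["IP Address"])] += 1
        elif cat == "Entra ID Audit Logs" and "role" in op:
            role_changes.append((row["Timestamp"], row["User"], row["Operation"]))
        elif cat in ("SharePoint Online Logs", "OneDrive Logs") and "download" in op:
            downloads[row["User"]] += 1
    return {
        # Repeated failures from one IP against one account
        "failed_bursts": {k: n for k, n in failed.items() if n >= failed_threshold},
        "role_changes": role_changes,
        # Users at or above the download threshold within the exported range
        "bulk_downloads": {u: n for u, n in downloads.items() if n >= download_threshold},
    }

if __name__ == "__main__":
    for name, finding in review(SAMPLE_CSV).items():
        print(name, finding)
```

Because the counts cover the whole exported date range, export a narrow window (for example one day) so the thresholds stay meaningful.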
Best practices:
- Create and save dedicated views for your most common Azure monitoring scenarios so investigators have a consistent starting point
- Review failed sign-in and risky sign-in data regularly as part of your security operations routine
- Use the SharePoint and OneDrive views proactively to identify unusual file sharing or access patterns
- Set a specific date range before searching — open-ended queries across large sign-in log datasets can be slow
- Export and retain event data related to security incidents promptly before retention policies remove older records
[Your administrator should establish a standard daily or weekly Azure monitoring review checklist for the security team, covering failed sign-ins, risky sign-ins, privileged role changes, and SharePoint sharing activity at a minimum.]