Detect for O365 is able to identify attacker behaviors related to Azure AD federated applications, the Azure AD backend, and deep O365 functionality.
Analysts who want to investigate a Vectra O365 or Azure AD alert in more depth can use Microsoft's native audit log search. It lets analysts review the events that caused Vectra to trigger, as well as any events that occurred before or after the identified behavior.
Users can access the Audit Log search from the compliance section of the Microsoft console with their Microsoft credentials. Note that access to this functionality may require additional permissions, which an Azure AD admin can grant.
In the left pane of the Security & Compliance Center, click Search, and then click Audit log search.
The Audit log search page is displayed.
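The same before-and-after review can be scripted against the unified audit log with the Exchange Online PowerShell module. This is an added example, not part of the original article or Vectra's tooling; the alert timestamp, the affected account, and the window size are placeholder assumptions you replace with values from the Vectra alert, and it assumes you already have the audit log read permission and a working `Connect-ExchangeOnline` session.

```powershell
# Added example (not from the original article): pull unified audit log
# records in a window around a Vectra alert so the events that led up to
# and followed the detected behavior can be reviewed side by side.
param(
    [datetime]$AlertTimeUtc = [datetime]::Parse('2024-01-15T13:42:00Z').ToUniversalTime(),  # placeholder
    [string]$UserId = 'user@example.com',   # placeholder UPN taken from the alert
    [int]$WindowMinutes = 30                # minutes before and after the alert
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$start = $AlertTimeUtc.AddMinutes(-$WindowMinutes)
$end   = $AlertTimeUtc.AddMinutes($WindowMinutes)

# Page through results with a session ID so a busy window is not truncated
# at the default result limit; the final call returns nothing when done.
$sessionId = "vectra-$([guid]::NewGuid())"
$records = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -UserIds $UserId -SessionId $sessionId -SessionCommand ReturnLargeSet `
        -ResultSize 5000
    if ($page) { $records += $page }
} while ($page)

# Flatten the AuditData JSON and tag each event as before or after the alert.
$timeline = $records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    $t = $_.CreationDate.ToUniversalTime()
    [pscustomobject]@{
        TimeUtc   = $t
        Phase     = $(if ($t -lt $AlertTimeUtc) { 'before' } else { 'after' })
        Workload  = $_.RecordType
        Operation = $_.Operations
        ClientIP  = $d.ClientIP
        ObjectId  = $d.ObjectId
        Result    = $d.ResultStatus
    }
} | Sort-Object TimeUtc

$timeline | Format-Table -AutoSize
$stamp = $AlertTimeUtc.ToString('yyyyMMddHHmm')
$timeline | Export-Csv -NoTypeInformation -Path "audit_${UserId}_$stamp.csv"
```

Drop the `-UserIds` parameter to see every tenant event in the window, for example when the alert concerns a federated application rather than a single account.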