https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xdr-analytics-data-source/m-p/1229122#M8309 <P><SPAN><A class="relative pointer-events-auto a cursor-pointer underline " href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Analytics-Alert-Reference-by-data-source/BitLocker-key-retrieval" target="_blank" rel="noopener nofollow ugc">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Analytics-Alert-Reference-by-data-source/BitLocker-key-retrieval</A>&nbsp;<A class="relative pointer-events-auto a cursor-pointer underline " href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Analytics-Alert-Reference-by-data-source/Exchange-mailbox-audit-bypass" target="_blank" rel="noopener nofollow ugc">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Analytics-Alert-Reference-by-data-source/Exchange-mailbox-audit-bypass</A>&nbsp;In the Analytics Alert reference guide- there is a reference to "AzureAD Audit Log" and "Office 365 Audit". Which Collection Integrations do I have to use to get these logs?&nbsp; Looking to have full coverage over all the identity threat ITDR alerts that mentions Required data as "Office 365 Audit" and "AzureAD Audit Log". I think configuring all the options in both the Collection Integrations&nbsp; "Azure Event Hub" and "Office 365" might cause some duplicates which might affect analytics. Do anyone know what config I can use to only cover the ITDR alerts with required data mentioned as "Office 365 Audit" and "AzureAD Audit Log"?</SPAN></P> Thu, 15 May 2025 04:37:46 GMT bridgetlitt 2025-05-15T04:37:46Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xdr-analytics-data-source/m-p/1229122#M8309 <P><SPAN><A class="relative pointer-events-auto a cursor-pointer underline " href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Analytics-Alert-Reference-by-data-source/BitLocker-key-retrieval" target="_blank" rel="noopener nofollow ugc">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Analytics-Alert-Reference-by-data-source/BitLocker-key-retrieval</A>&nbsp;<A class="relative pointer-events-auto a cursor-pointer underline " href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Analytics-Alert-Reference-by-data-source/Exchange-mailbox-audit-bypass" target="_blank" rel="noopener nofollow ugc">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Analytics-Alert-Reference-by-data-source/Exchange-mailbox-audit-bypass</A>&nbsp;In the Analytics Alert reference guide- there is a reference to "AzureAD Audit Log" and "Office 365 Audit". Which Collection Integrations do I have to use to get these logs?&nbsp; Looking to have full coverage over all the identity threat ITDR alerts that mentions Required data as "Office 365 Audit" and "AzureAD Audit Log". I think configuring all the options in both the Collection Integrations&nbsp; "Azure Event Hub" and "Office 365" might cause some duplicates which might affect analytics. Do anyone know what config I can use to only cover the ITDR alerts with required data mentioned as "Office 365 Audit" and "AzureAD Audit Log"?</SPAN></P> Thu, 15 May 2025 04:37:46 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xdr-analytics-data-source/m-p/1229122#M8309 bridgetlitt 2025-05-15T04:37:46Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xdr-analytics-data-source/m-p/1229514#M8320 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/710084109">@bridgetlitt</a>&nbsp;</P> <P>&nbsp;</P> <P>Thanks for reaching out to us. In Office 365 log collection integration there is option to select Azure AD activity logs. Hence to avoid duplication of data Office 365 integration will be better.</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 20 May 2025 17:07:54 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xdr-analytics-data-source/m-p/1229514#M8320 nsinghvirk 2025-05-20T17:07:54Z