Viewing records of ATR actions for Microsoft Defender XDR
Microsoft Defender XDR was previously known as Microsoft 365 Defender.
Every action carried out by ATR is detailed in the alert body and logged in the Audit Log in the Barracuda XDR Dashboard.
For automated actions, the user is listed as xdr.automation.
For manual actions, the source user is listed.
The potential actions are:
Microsoft 365 Defender Start Isolate Device
Microsoft 365 Defender Start Unisolate Device
Endpoint Device Isolation Result
To view records of ATR actions
1. In XDR Dashboard, click ATR Settings > Endpoint.
2. Click View Audit History.
   This takes you to the Administration > Audit Log page. Filtering is applied to show you only ATR actions.
You can also view records of ATR actions directly on the Administration > Audit Log page by filtering the Action field on any of the following values:
Microsoft 365 Defender Start Isolate Device
Microsoft 365 Defender Start Unisolate Device
Endpoint Device Isolation Result