Kim Kristensen
Brass Contributor
Feb 20, 2023

Old ATP portal - activities overview

Hi,

I often use the "Activities" overview in the old ATP portal (when I look up a user) - it gives a quick overview of a user's actions. Both successful and failed - can often be helpful when troubleshooting.

 

But since the ATP portal is being redirected to the security portal - where do I find similar information in the security portal?

There is a timeline under the user page - but that info seems to come from cloud app security and doesn't contain the same information.

  • AzureGuineaPig
    Copper Contributor
    The best thing MS can do is bring back the activities timeline view, with all the "security alerts" and "activities by type" categories in a single pane of glass.
  • The new Identity timeline as part of the User page in M365D portal represents activities from MDI/MDE/MDA. The same activities that you're seeing in the legacy portal should be available in the new user timeline too.
    In the coming weeks, an "Activity type" filter will be available, and I assume it will help you to look specifically for failed and successful logon events related to a user.
    For any other feedback or question regarding the timeline, please contact me directly and I'll be happy to assist: t-lshapira@microsoft.com
    • Jens_Mander
      Copper Contributor
      Hi all,
      I am also missing the timeline for AD groups. In the past (in the old portal) I often took a look at timelines of groups to see, for example, who added users to this group. Is this information still available anywhere? Advanced hunting?
      Cheers, Jens...
      • LiorShapira
        Microsoft

        Hi Jens,
        Yes, you can use Advanced Hunting to see those changes and look for a specific group.
        For example:
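        // Group membership changes recorded by Defender for Identity
        IdentityDirectoryEvents
        | where ActionType == "Group Membership changed"
        // AdditionalFields holds the group the member left and the group it joined
        | extend RemoveFromGroupName = AdditionalFields['FROM.GROUP']
        | extend AddToGroupName = AdditionalFields['TO.GROUP']
        // Keep only changes that touch the group of interest
        | where RemoveFromGroupName == "Users" or AddToGroupName == "Users"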

        In addition, we are working on adding this information to the User timeline (for both users involved in this activity).
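
The query in the reply above, extended to approximate the old per-group timeline for a watch list of groups. This is an added example, not part of the original thread or Microsoft's own code. The group names and the 30-day window are constructed placeholders, and how the Account* and TargetAccount* columns are filled for this action type is an assumption to confirm against your own events.

```kql
// Added example: recent membership changes for a watch list of groups.
// Group names are constructed placeholders; replace them with your own.
let WatchedGroups = dynamic(["Domain Admins", "Enterprise Admins", "Users"]);
IdentityDirectoryEvents
| where Timestamp > ago(30d)
| where ActionType == "Group Membership changed"
// Cast to string so the comparisons and emptiness checks below are explicit
| extend AddToGroupName = tostring(AdditionalFields['TO.GROUP']),
         RemoveFromGroupName = tostring(AdditionalFields['FROM.GROUP'])
// Keep events where either side of the change is a watched group
| where AddToGroupName in~ (WatchedGroups) or RemoveFromGroupName in~ (WatchedGroups)
// Label the direction of the change; an event can carry both fields
| extend Change = case(
    isnotempty(AddToGroupName) and isnotempty(RemoveFromGroupName), "Moved",
    isnotempty(AddToGroupName), "Added",
    isnotempty(RemoveFromGroupName), "Removed",
    "Unknown")
// Assumption: verify which account columns hold the actor and the changed member
| project Timestamp, Change, AddToGroupName, RemoveFromGroupName,
          AccountUpn, AccountDisplayName,
          TargetAccountUpn, TargetAccountDisplayName,
          ReportId
| sort by Timestamp desc
```

Saved as a custom detection or a scheduled query, the same filter can alert on additions to the watched groups instead of being run by hand.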
