Forum Discussion
Kim Kristensen
Feb 20, 2023Brass Contributor
Old ATP portal - activities overview
Hi, I often use the "Activities" overview in the old ATP portal (When I lookup a user) - it gives a quick overview of what a uses actions. But successful and failed - can often be helpful when troub...
LiorShapira
Microsoft
Feb 21, 2023The new Identity timeline as part of the User page in M365D portal represents activities from MDI/MDE/MDA. The same activities that you're seeing in the legacy portal should be available in the new user timeline too.
In the next coming weeks, an "Activity type" filter will be available, and I assume it will help you to look specifically for failed and successful log on events related to a user.
For any other feedback or question regarding the timeline, please contact me directly and I'll be happy to assist: t-lshapira@microsoft.com
In the next coming weeks, an "Activity type" filter will be available, and I assume it will help you to look specifically for failed and successful log on events related to a user.
For any other feedback or question regarding the timeline, please contact me directly and I'll be happy to assist: t-lshapira@microsoft.com
Jens_Mander
Feb 28, 2023Copper Contributor
Hi ll,
I am also missing the timeline for AD-groups. In the past (in the old portal) I often took a look at timelines of groups to see for example who added users to this group. Is this information still available anywhere? advanced hunting?
Cheers, Jens...
I am also missing the timeline for AD-groups. In the past (in the old portal) I often took a look at timelines of groups to see for example who added users to this group. Is this information still available anywhere? advanced hunting?
Cheers, Jens...
- LiorShapiraFeb 28, 2023
Microsoft
Hi Jens,
Yes, you can use Advanced Hunting to see those changes and look for a specific group.
For example:
IdentityDirectoryEvents
| where ActionType =="Group Membership changed"
| extend RemoveFromGroupName=AdditionalFields['FROM.GROUP']
| extend AddToGroupName=AdditionalFields['TO.GROUP']
| where RemoveFromGroupName =="Users" or AddToGroupName =="Users"
In addition, we are working on adding this information to the User timeline (for both users involved in this activity).- Jens_ManderMar 01, 2023Copper Contributor
this query shows "only" who has been added or removed to/from a group. A bit like described in this article: Track changes to sensitive groups with Advanced Hunting in Microsoft 365 Defender - Microsoft Community Hub
But in the old portal, regarding the timeline of an on-premises Active Directory Group, I also could see who has added/removed the user, even when the group wasn't marked as sensitive.Here a screenshot from "older days".
Cheers, Jens...
- LiorShapiraMar 01, 2023
Microsoft
As I mentioned above, we are working on adding the same information to the new User timeline, and also adding the ability to filter and look for a specific activity such as "group membership changed" (for both sensitive/non-sensitive groups, in Advanced hunting is already for both).
- Jens_ManderFeb 28, 2023Copper ContributorThx alot, will try it soon. Cheers, Jens...