erregei
Mar 07, 2023 Copper Contributor
ATP Legacy portal to Defender > missing events in timeline
Hello everyone, after the old ATP portal has been closed and redirected to the Defender portal I can't find the changes that have been done on users or computers. For example: I was able to see, on an ...
Mar 08, 2023 You can disable the redirection to the new portal 🙂 I guess this will be removed at some point.
In the Defender portal -> Settings -> Identities -> Portal redirection,
kinanoman
Aug 10, 2023 Copper Contributor
Exactly. Can anyone in MS tell us how to view these events in the new Defender Portal?
LiorShapira
Microsoft
Aug 10, 2023 kinanoman The user timeline in the M365D portal contains group membership activities such as adding/removing the user from an AD group.
Additionally, you can use Advanced hunting to find group-related activities from the last 30 days. For example, the query below presents group membership activities.
I can share that we are working on creating a full group page, including a timeline of related activities and alerts, which will be available in the coming months.
IdentityDirectoryEvents
| where ActionType == 'Group Membership changed'
| extend ToGroup = tostring(parse_json(AdditionalFields).['TO.GROUP']) // Extracts the group name if the action adds an entity to a group.
| extend FromGroup = tostring(parse_json(AdditionalFields).['FROM.GROUP']) // Extracts the group name if the action removes an entity from a group.
| extend GroupMembershipAction = iff(isempty(ToGroup), 'Remove', 'Add') // Determines whether the action is Remove or Add
| extend GroupSidtoAddTo = tostring(parse_json(AdditionalFields).['TO.GROUP_SID'])
| extend GroupSidtoRemoveFrom = tostring(parse_json(AdditionalFields).['FROM.GROUP_SID'])
| extend GroupModified = iff(isempty(ToGroup), FromGroup, ToGroup) // Group name that the action was taken on
| extend GroupModifiedSid = iff(isempty(GroupSidtoAddTo), GroupSidtoRemoveFrom, GroupSidtoAddTo)
| extend Actor = tostring(parse_json(AdditionalFields).['ACTOR.ACCOUNT']) // Extracts the actor account name that performed the action
| extend TargetUser = tostring(parse_json(AdditionalFields).['TARGET_OBJECT.USER'])
| extend TargetDevice = tostring(parse_json(AdditionalFields).['TARGET_OBJECT.DEVICE'])
| extend TargetGroupToAddRemove = tostring(parse_json(AdditionalFields).['TARGET_OBJECT.GROUP']) // Extracts the group name if the action adds/removes a group entity to/from a group.
| extend Target_Group_Sid_Directory = iff((isnotempty(GroupSidtoRemoveFrom)), GroupSidtoRemoveFrom, GroupSidtoAddTo)
| extend TargetAccount = case (
    isnotempty(TargetUser), TargetUser,
    isnotempty(TargetDevice), TargetDevice,
    TargetGroupToAddRemove
  )
| extend TargetType = case (
    isnotempty(TargetUser), 'User',
    isnotempty(TargetDevice), 'Device',
    'Group'
  )
| project Timestamp, ActionType, GroupMembershipAction, GroupModified, GroupModifiedSid, TargetType, DC=DestinationDeviceName, Actor, ActorDomain=AccountDomain, AdditionalFields
| order by Timestamp desc
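As an added example (not part of the thread or Microsoft's own code), the same Add/Remove and target-type logic the query above applies to AdditionalFields, written in Python over rows as the Advanced Hunting API returns them (AdditionalFields as a JSON string), and extended with a defender's check that surfaces additions to privileged groups. The sample rows, the group names and the SIDs are constructed; the only real values are the well-known RIDs 512/518/519.

```python
import json

# Constructed rows imitating IdentityDirectoryEvents as exported from Advanced Hunting.
SAMPLE_ROWS = [
    {"Timestamp": "2023-08-10T09:12:00Z", "ActionType": "Group Membership changed",
     "DestinationDeviceName": "dc01.contoso.example", "AccountDomain": "contoso",
     "AdditionalFields": json.dumps({"TO.GROUP": "Domain Admins", "TO.GROUP_SID": "S-1-5-21-1-2-3-512",
                                     "ACTOR.ACCOUNT": "helpdesk1", "TARGET_OBJECT.USER": "jdoe"})},
    {"Timestamp": "2023-08-10T09:15:00Z", "ActionType": "Group Membership changed",
     "DestinationDeviceName": "dc01.contoso.example", "AccountDomain": "contoso",
     "AdditionalFields": json.dumps({"FROM.GROUP": "Sales", "FROM.GROUP_SID": "S-1-5-21-1-2-3-1105",
                                     "ACTOR.ACCOUNT": "admin2", "TARGET_OBJECT.DEVICE": "ws-042"})},
    {"Timestamp": "2023-08-10T09:20:00Z", "ActionType": "Group Membership changed",
     "DestinationDeviceName": "dc02.contoso.example", "AccountDomain": "contoso",
     "AdditionalFields": json.dumps({"TO.GROUP": "Tier0-Ops", "TO.GROUP_SID": "S-1-5-21-1-2-3-1200",
                                     "ACTOR.ACCOUNT": "admin2", "TARGET_OBJECT.GROUP": "Helpdesk"})},
    {"Timestamp": "2023-08-10T09:25:00Z", "ActionType": "User logon", "AdditionalFields": "{}"},
]

def normalize(row):
    """Mirror the KQL extends: Add vs Remove, the group touched, and the target's type."""
    if row.get("ActionType") != "Group Membership changed":
        return None
    f = json.loads(row.get("AdditionalFields") or "{}")
    to_group, from_group = f.get("TO.GROUP", ""), f.get("FROM.GROUP", "")
    if f.get("TARGET_OBJECT.USER"):
        target, ttype = f["TARGET_OBJECT.USER"], "User"
    elif f.get("TARGET_OBJECT.DEVICE"):
        target, ttype = f["TARGET_OBJECT.DEVICE"], "Device"
    else:  # same fallthrough as the KQL case(): anything else is a nested group
        target, ttype = f.get("TARGET_OBJECT.GROUP", ""), "Group"
    return {"Timestamp": row["Timestamp"],
            "GroupMembershipAction": "Remove" if not to_group else "Add",
            "GroupModified": to_group or from_group,
            "GroupModifiedSid": f.get("TO.GROUP_SID") or f.get("FROM.GROUP_SID", ""),
            "TargetAccount": target, "TargetType": ttype,
            "Actor": f.get("ACTOR.ACCOUNT", ""), "DC": row.get("DestinationDeviceName", "")}

# Well-known RIDs: 512 Domain Admins, 518 Schema Admins, 519 Enterprise Admins.
# "Tier0-Ops" is a constructed custom tier-0 group name.
PRIVILEGED_RIDS, PRIVILEGED_NAMES = {"512", "518", "519"}, {"Tier0-Ops"}

def privileged_additions(rows):
    """Add events into privileged groups, newest first (as 'order by Timestamp desc')."""
    events = [e for e in map(normalize, rows) if e]
    hits = [e for e in events if e["GroupMembershipAction"] == "Add"
            and (e["GroupModifiedSid"].rsplit("-", 1)[-1] in PRIVILEGED_RIDS
                 or e["GroupModified"] in PRIVILEGED_NAMES)]
    return sorted(hits, key=lambda e: e["Timestamp"], reverse=True)
```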