Forum Discussion
rspletzer
May 14, 2020 - Copper Contributor
Subject Account from Event Logs Not Shown for Directory Services Changes
Hi, is there a reason the subject is not shown in Azure ATP for certain changes like an administrative password reset, group renames or membership changes?
For example this is in our event log:
And this is what we see in Azure ATP -- even if you export the xlsx log it doesn't show more than this, which doesn't include the subject from above:
- EliOfek
Microsoft
rspletzer Currently we read those changes remotely from AD by following USN changes. Sadly, AD itself does not keep or publish the data of who made the change for us to easily read it.
You are correct that it's technically possible to read the data from event logs, but those create other limitations and do not always work.
AATP's main focus is alerting on threats and not being a full AD auditing system...
But you are welcome to submit the feedback on the missing data to AatpFeedback@microsoft.com
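
The following is an added example, not part of the thread and not Azure ATP functionality: one way to read the subject account for these changes straight from a domain controller's Security log. The event ID list and the one-day look-back window are assumptions, and the matching account-management audit policy must already be enabled; each event is written only on the DC that processed the change, so the query has to be run against every DC.

```powershell
# Added example: list who (Subject) performed password resets, group
# membership changes and account renames recorded in the Security log.
# Assumed event IDs: 4724 password reset; 4728/4729, 4732/4733, 4756/4757
# member added/removed (global, local, universal group); 4781 name changed.
$ids   = 4724, 4728, 4729, 4732, 4733, 4756, 4757, 4781
$since = (Get-Date).AddDays(-1)   # assumed look-back window

$filter = @{ LogName = 'Security'; Id = $ids; StartTime = $since }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the <EventData><Data Name="..."> elements into a hashtable
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }

        # Rename events carry Old/NewTargetUserName instead of TargetUserName
        if ($data.ContainsKey('NewTargetUserName')) {
            $target = '{0} -> {1}' -f $data['OldTargetUserName'], $data['NewTargetUserName']
        } else {
            $target = $data['TargetUserName']
        }

        [pscustomobject]@{
            TimeCreated    = $_.TimeCreated
            EventId        = $_.Id
            Subject        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            SubjectLogonId = $data['SubjectLogonId']   # ties the change to a logon session
            Target         = $target                   # account or group that was changed
            Member         = $data['MemberName']       # only set on membership events
            LoggedOnDC     = $_.MachineName
        }
    } |
    Sort-Object TimeCreated |
    Format-Table -AutoSize
```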