rspletzer
May 14, 2020

Subject Account from Event Logs Not Shown for Directory Services Changes

Hi, is there a reason the subject is not shown in Azure ATP for certain changes like an administrative password reset, group renames or membership changes?

 

For example this is in our event log:

And this is what we see in Azure ATP -- even if you export the xlsx log it doesn't show more than this, which doesn't include the subject from above:

 

  • rspletzer Currently we read those changes remotely from AD by following USN changes. Sadly, AD itself does not keep or publish the data of who made the change so that it can be read easily.

    You are correct that it's technically possible to read the data from event logs, but those create other limitations and do not always work.
    AATP's main focus is alerting on threats and not being a full AD auditing system...
    But you are welcome to submit the feedback on the missing data to AatpFeedback@microsoft.com
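The reply above says the subject can be read from event logs. As an added example (not part of the thread and not Microsoft's code), this PowerShell pulls the Subject fields for password resets, group membership changes and renames straight from the domain controllers' Security logs. The DC names are placeholders, the event IDs are the standard Windows Security audit IDs for these changes, and it assumes the "User Account Management" and "Security Group Management" audit subcategories are enabled on the DCs.

```powershell
# Added example: report who (Subject) made directory changes, per DC Security log.
# Security logs are local to each DC, so every DC has to be queried.
$DomainControllers = @('dc01.example.test', 'dc02.example.test')  # placeholders

$EventIds = @{
    4724 = 'Password reset attempt'
    4728 = 'Member added to global group'
    4729 = 'Member removed from global group'
    4732 = 'Member added to local group'
    4733 = 'Member removed from local group'
    4756 = 'Member added to universal group'
    4757 = 'Member removed from universal group'
    4781 = 'Account name changed (rename)'
}

$filter = @{
    LogName   = 'Security'
    Id        = @($EventIds.Keys)
    StartTime = (Get-Date).AddDays(-1)   # last 24 hours
}

$report = foreach ($dc in $DomainControllers) {
    # A DC with no matching events raises a non-terminating error and is skipped.
    Get-WinEvent -ComputerName $dc -FilterHashtable $filter | ForEach-Object {
        # Named fields are under Event/EventData/Data[@Name] in the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # 4781 carries old/new names instead of TargetUserName.
        $target = if ($data['NewTargetUserName']) {
            '{0} -> {1}' -f $data['OldTargetUserName'], $data['NewTargetUserName']
        } else { $data['TargetUserName'] }

        [pscustomobject]@{
            TimeCreated    = $_.TimeCreated
            DC             = $dc
            EventId        = $_.Id
            Change         = $EventIds[$_.Id]
            Subject        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            SubjectLogonId = $data['SubjectLogonId']  # ties the change to a logon session
            Target         = $target
            MemberSid      = $data['MemberSid']       # only set on membership events
        }
    }
}
$report | Sort-Object TimeCreated | Format-Table -AutoSize
```

The `SubjectLogonId` value can be matched against event 4624 on the same DC to find the source of the session that made the change.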
