Device Timeline - Defender 365 - 'Print' events

Question

Hello&nbsp;I really see much&nbsp;value with the P2 feature of Timeline.&nbsp; I have visibility into pretty much all functions on the desktop.&nbsp; The one event I'm not seeing are Print events.&nbsp; Basically, I'm looking to see when a document is printed,&nbsp;and the details of the document name and printer used to print the document.&nbsp; Is there a toggle somewhere that needs to be turned on to enable these events.&nbsp;&nbsp;&nbsp;Thanks&nbsp;

sabbir_rubayat · Accepted Answer

Though this thing can be managed by intune but You can use the PnP event to find the USB printer used in the organization:

//find the USB Printer VID/PID
DeviceEvents
| where ActionType == "PnpDeviceConnected"
| extend parsed=parse_json(AdditionalFields)
| extend DeviceDescription = tostring(parsed.DeviceDescription)
| extend PrinterDeviceId = tostring(parsed.DeviceId)
| extend VID_PID_Array = split(split(PrinterDeviceId, "\\")[1], "&")
| extend VID_PID = replace_string(strcat(VID_PID_Array[0], '/', VID_PID_Array[1]), 'VID_', '')
| extend VID_PID = replace_string(VID_PID, 'PID_', '')
| extend ClassId = tostring(parsed.ClassId)
| extend VendorIds = tostring(parsed.VendorIds)
| where DeviceDescription == 'USB Printing Support'
| project Timestamp , DeviceId, DeviceName, ActionType, DeviceDescription, VID_PID, ClassId, PrinterDeviceId, VendorIds, parsed
| order by Timestamp desc

Please mark helpful if you find my comment helpful

Forum Discussion

Device Timeline - Defender 365 - 'Print' events

Share

Resources