SOLVED

MDATP audit logs

Occasional Contributor

Where can we see audit logs of what users in the securitycenter portal are doing? More specifically, if we select a W10 machine and go to 'Action Center', we see, per action, a summary of the last command was performed. In this case, App Restriction. But how can we see all previous App Restriction commands sent to that machine? I only see the latest command which is the "app restriction removal removed" but I also want to see who performed the previous commands.

 

Kr!
Maarten.

3 Replies

@mclaes 

 

looking around for this myself.

best response confirmed by mclaes (Occasional Contributor)
Solution

@mclaes , you can achieve this programmatically using the List MachineActions API (action history for all machines): https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/get-machi...

@StephenMcc Thanks! So easy, the solution and although i've been using the graph explorer api alot, i neglected to look at the MDATP api explorer !