Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
SOLVED

MDATP audit logs

Brass Contributor

Where can we see audit logs of what users in the securitycenter portal are doing? More specifically, if we select a W10 machine and go to 'Action Center', we see, per action, a summary of the last command was performed. In this case, App Restriction. But how can we see all previous App Restriction commands sent to that machine? I only see the latest command which is the "app restriction removal removed" but I also want to see who performed the previous commands.

 

Kr!
Maarten.

6 Replies

@mclaes 

 

looking around for this myself.

best response confirmed by mclaes (Brass Contributor)
Solution

@mclaes , you can achieve this programmatically using the List MachineActions API (action history for all machines): https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/get-machi...

@StephenMcc Thanks! So easy, the solution and although i've been using the graph explorer api alot, i neglected to look at the MDATP api explorer !

I'm not seeing that this API shows Live Response session commands, is there another API to get that information?
Hi, Can Windows Defender capture all Audit when we are running Surface Hub 2S (which runs Windows Team edition) instead of Pro or Ent

@mclaes 

Another place is the audit node under https://security.microsoft.com/auditlogsearch

Under "Activities" start typing "defender" and you'll see all supported audit activities for MDE

it still not in the same level as with Intune or AAD audit logs (btw: you might find there some of the activities you are looking for).

Screen Shot 2021-11-21 at 16.06.14.png

1 best response

Accepted Solutions
best response confirmed by mclaes (Brass Contributor)
Solution

@mclaes , you can achieve this programmatically using the List MachineActions API (action history for all machines): https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/get-machi...

View solution in original post