MDATP audit logs

mclaes · ‎Mar 10 2020

Where can we see audit logs of what users in the securitycenter portal are doing? More specifically, if we select a W10 machine and go to 'Action Center', we see, per action, a summary of the last command was performed. In this case, App Restriction. But how can we see all previous App Restriction commands sent to that machine? I only see the latest command which is the "app restriction removal removed" but I also want to see who performed the previous commands.

Kr!
Maarten.

Todd Wilkinson · ‎Mar 15 2020

@mclaes

looking around for this myself.

mclaes · ‎Mar 25 2020

@mclaes , you can achieve this programmatically using the List MachineActions API (action history for all machines): https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/get-machi...

mclaes · ‎Mar 25 2020

@StephenMcc Thanks! So easy, the solution and although i've been using the graph explorer api alot, i neglected to look at the MDATP api explorer !

mattcoons · ‎Aug 03 2021

I'm not seeing that this API shows Live Response session commands, is there another API to get that information?

MTayal · ‎Nov 20 2021

Hi, Can Windows Defender capture all Audit when we are running Surface Hub 2S (which runs Windows Team edition) instead of Pro or Ent

giladkeidar · ‎Nov 21 2021

@mclaes

Another place is the audit node under https://security.microsoft.com/auditlogsearch

Under "Activities" start typing "defender" and you'll see all supported audit activities for MDE

it still not in the same level as with Intune or AAD audit logs (btw: you might find there some of the activities you are looking for).

Screen Shot 2021-11-21 at 16.06.14.png

MDATP audit logs

MDATP audit logs

Re: MDATP audit logs

Re: MDATP audit logs

Re: MDATP audit logs

Re: MDATP audit logs

Re: MDATP audit logs

Re: MDATP audit logs

Products (68)

Special Topics (42)

Video Hub (955)

Most Active Hubs

Most Active Hubs

Video Hub

MDATP audit logs