cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

MDATP audit logs

%3CLINGO-SUB%20id%3D%22lingo-sub-1219696%22%20slang%3D%22en-US%22%3EMDATP%20audit%20logs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1219696%22%20slang%3D%22en-US%22%3E%3CP%3EWhere%20can%20we%20see%20audit%20logs%20of%20what%20users%20in%20the%20securitycenter%20portal%20are%20doing%3F%20More%20specifically%2C%20if%20we%20select%20a%20W10%20machine%20and%20go%20to%20'Action%20Center'%2C%20we%20see%2C%20per%20action%2C%20a%20summary%20of%20the%20last%20command%20was%20performed.%20In%20this%20case%2C%20App%20Restriction.%20But%20how%20can%20we%20see%20all%20previous%20App%20Restriction%20commands%20sent%20to%20that%20machine%3F%20I%20only%20see%20the%20latest%20command%20which%20is%20the%20%22app%20restriction%20removal%20removed%22%20but%20I%20also%20want%20to%20see%20who%20performed%20the%20previous%20commands.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EKr!%3CBR%20%2F%3EMaarten.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1229310%22%20slang%3D%22en-US%22%3ERe%3A%20MDATP%20audit%20logs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1229310%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F377646%22%20target%3D%22_blank%22%3E%40mclaes%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Elooking%20around%20for%20this%20myself.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1252205%22%20slang%3D%22en-US%22%3ERe%3A%20MDATP%20audit%20logs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1252205%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F377646%22%20target%3D%22_blank%22%3E%40mclaes%3C%2FA%3E%26nbsp%3B%2C%20you%20can%20achieve%20this%20programmatically%20using%20the%26nbsp%3BList%20MachineActions%20API%20(action%20history%20for%20all%20machines)%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fmicrosoft-defender-atp%2Fget-machineactions-collection%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fmicrosoft-defender-atp%2Fget-machineactions-collection%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1254560%22%20slang%3D%22en-US%22%3ERe%3A%20MDATP%20audit%20logs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1254560%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F308995%22%20target%3D%22_blank%22%3E%40StephenMcc%3C%2FA%3E%26nbsp%3BThanks!%20So%20easy%2C%20the%20solution%20and%20although%20i've%20been%20using%20the%20graph%20explorer%20api%20alot%2C%20i%20neglected%20to%20look%20at%20the%20MDATP%20api%20explorer%20!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2606245%22%20slang%3D%22en-US%22%3ERe%3A%20MDATP%20audit%20logs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2606245%22%20slang%3D%22en-US%22%3EI'm%20not%20seeing%20that%20this%20API%20shows%20Live%20Response%20session%20commands%2C%20is%20there%20another%20API%20to%20get%20that%20information%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2989529%22%20slang%3D%22en-US%22%3ERe%3A%20MDATP%20audit%20logs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2989529%22%20slang%3D%22en-US%22%3EHi%2C%20Can%20Windows%20Defender%20capture%20all%20Audit%20when%20we%20are%20running%20Surface%20Hub%202S%20(which%20runs%20Windows%20Team%20edition)%20instead%20of%20Pro%20or%20Ent%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2990295%22%20slang%3D%22en-US%22%3ERe%3A%20MDATP%20audit%20logs%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2990295%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F377646%22%20target%3D%22_blank%22%3E%40mclaes%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAnother%20place%20is%20the%20audit%20node%20under%20%3CA%20href%3D%22https%3A%2F%2Fsecurity.microsoft.com%2Fauditlogsearch%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsecurity.microsoft.com%2Fauditlogsearch%3C%2FA%3E%3C%2FP%3E%3CP%3EUnder%20%22%3CSPAN%3EActivities%22%20start%26nbsp%3Btyping%20%22defender%22%20and%20you'll%20see%20all%20supported%20audit%20activities%20for%20MDE%3C%2FSPAN%3E%3C%2FP%3E%3CP%3Eit%20still%20not%20in%20the%20same%20level%20as%20with%20Intune%20or%20AAD%20audit%20logs%20(btw%3A%20you%20might%20find%20there%20some%20of%20the%20activities%20you%20are%20looking%20for).%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Screen%20Shot%202021-11-21%20at%2016.06.14.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F328418i66EC7533EC7579FE%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22Screen%20Shot%202021-11-21%20at%2016.06.14.png%22%20alt%3D%22Screen%20Shot%202021-11-21%20at%2016.06.14.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
mclaes
Occasional Contributor

‎Mar 10 2020 05:28 AM

‎Mar 10 2020 05:28 AM

MDATP audit logs

Where can we see audit logs of what users in the securitycenter portal are doing? More specifically, if we select a W10 machine and go to 'Action Center', we see, per action, a summary of the last command was performed. In this case, App Restriction. But how can we see all previous App Restriction commands sent to that machine? I only see the latest command which is the "app restriction removal removed" but I also want to see who performed the previous commands.

 

Kr!
Maarten.

6,882 Views
1 Like
6 Replies
Reply
6 Replies
Todd Wilkinson

‎Mar 15 2020 06:05 AM

‎Mar 15 2020 06:05 AM

Re: MDATP audit logs

@mclaes 

 

looking around for this myself.

0 Likes
Reply
best response confirmed by mclaes (Occasional Contributor)
StephenMcc

‎Mar 25 2020 06:44 AM

‎Mar 25 2020 06:44 AM

Solution

Re: MDATP audit logs

@mclaes , you can achieve this programmatically using the List MachineActions API (action history for all machines): https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/get-machi...

0 Likes
Reply
mclaes

‎Mar 25 2020 11:57 PM

‎Mar 25 2020 11:57 PM

Re: MDATP audit logs

@StephenMcc Thanks! So easy, the solution and although i've been using the graph explorer api alot, i neglected to look at the MDATP api explorer !

1 Like
Reply
mattcoons

‎Aug 03 2021 10:51 AM

‎Aug 03 2021 10:51 AM

Re: MDATP audit logs

I'm not seeing that this API shows Live Response session commands, is there another API to get that information?
1 Like
Reply
MTayal

‎Nov 20 2021 09:55 PM

‎Nov 20 2021 09:55 PM

Re: MDATP audit logs

Hi, Can Windows Defender capture all Audit when we are running Surface Hub 2S (which runs Windows Team edition) instead of Pro or Ent
0 Likes
Reply
giladkeidar

‎Nov 21 2021 06:12 AM

‎Nov 21 2021 06:12 AM

Re: MDATP audit logs

@mclaes 

Another place is the audit node under https://security.microsoft.com/auditlogsearch

Under "Activities" start typing "defender" and you'll see all supported audit activities for MDE

it still not in the same level as with Intune or AAD audit logs (btw: you might find there some of the activities you are looking for).

Screen Shot 2021-11-21 at 16.06.14.png

0 Likes
Reply