SOLVED

MDATP audit logs


Where can we see audit logs of what users in the securitycenter portal are doing? More specifically, if we select a W10 machine and go to 'Action Center', we see, per action, a summary of the last command that was performed. In this case, App Restriction. But how can we see all previous App Restriction commands sent to that machine? I only see the latest command, which is the "app restriction removal removed", but I also want to see who performed the previous commands.


Kr!
Maarten.

3 Replies

@mclaes 


looking around for this myself.

Best Response confirmed by mclaes (Occasional Contributor)
Solution

@mclaes , you can achieve this programmatically using the List MachineActions API (action history for all machines): https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/get-machi...
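As an added example (not part of the thread, and not Microsoft's own sample code), the following script shows how the List MachineActions API answers the original question: it pulls the action history for one machine and reduces it to a who/when/what timeline of the app-restriction actions only. It assumes the public endpoint `https://api.securitycenter.microsoft.com/api/machineactions`, the OData `$filter` on `machineId`, and the documented response fields `type`, `requestor`, `status`, `machineId` and `creationDateTimeUtc`, with `RestrictCodeExecution` / `UnrestrictCodeExecution` as the app-restriction action types; obtaining the bearer token (an Azure AD app with `Machine.Read.All`) is left to the caller. The `SAMPLE_ACTIONS` response body is constructed here so the timeline logic runs offline.

```python
"""Added example: audit App Restriction history for one machine via the
List MachineActions API. Endpoint and field names follow the public docs;
the sample response below is constructed, not real tenant data."""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

API_BASE = "https://api.securitycenter.microsoft.com/api"
# Action types that correspond to "App Restriction" in the portal's Action Center
RESTRICTION_TYPES = {"RestrictCodeExecution", "UnrestrictCodeExecution"}


def fetch_machine_actions(token, machine_id):
    """GET /machineactions filtered to one machine. `token` is a bearer token for
    the api.securitycenter.microsoft.com resource; acquisition is not shown here."""
    query = urllib.parse.urlencode({"$filter": f"machineId eq '{machine_id}'"})
    req = urllib.request.Request(
        f"{API_BASE}/machineactions?{query}",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["value"]


def parse_utc(ts):
    """The API emits timestamps like 2020-03-12T10:15:30.1234567Z; Python's
    fromisoformat accepts at most six fractional digits, so trim before parsing."""
    ts = ts.rstrip("Z")
    if "." in ts:
        head, frac = ts.split(".", 1)
        ts = f"{head}.{frac[:6]}"
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def restriction_timeline(actions, machine_id=None):
    """Reduce the "value" array of a MachineActions response to
    (timestamp, requestor, type, status) tuples for app-restriction actions,
    oldest first, so every past command and who issued it is visible."""
    rows = []
    for a in actions:
        if a.get("type") not in RESTRICTION_TYPES:
            continue
        if machine_id and a.get("machineId") != machine_id:
            continue
        rows.append((parse_utc(a["creationDateTimeUtc"]), a.get("requestor"),
                     a["type"], a.get("status")))
    rows.sort(key=lambda r: r[0])
    return rows


# Constructed sample response (what fetch_machine_actions would return), newest first
# and including actions that the timeline must ignore.
SAMPLE_ACTIONS = [
    {"id": "a3", "type": "UnrestrictCodeExecution", "requestor": "analyst-b@contoso.example",
     "status": "Succeeded", "machineId": "machine-1",
     "creationDateTimeUtc": "2020-03-12T10:15:30.1234567Z"},
    {"id": "a2", "type": "RunAntiVirusScan", "requestor": "analyst-c@contoso.example",
     "status": "Succeeded", "machineId": "machine-1",
     "creationDateTimeUtc": "2020-03-11T08:00:00Z"},
    {"id": "a1", "type": "RestrictCodeExecution", "requestor": "analyst-a@contoso.example",
     "status": "Succeeded", "machineId": "machine-1",
     "creationDateTimeUtc": "2020-03-10T09:30:00Z"},
    {"id": "a0", "type": "RestrictCodeExecution", "requestor": "analyst-a@contoso.example",
     "status": "Succeeded", "machineId": "machine-2",
     "creationDateTimeUtc": "2020-03-09T09:30:00Z"},
]

if __name__ == "__main__":
    # Replace SAMPLE_ACTIONS with fetch_machine_actions(token, "machine-1") for live data.
    for ts, who, what, status in restriction_timeline(SAMPLE_ACTIONS, "machine-1"):
        print(f"{ts.isoformat()}  {who:<28} {what:<24} {status}")
```

The same `$filter` also accepts `type eq 'RestrictCodeExecution'` and `creationDateTimeUtc gt ...`, so a periodic export of this timeline into a SIEM gives the audit trail the portal's Action Center summary does not surface.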


@StephenMcc Thanks! So easy, the solution, and although I've been using the Graph Explorer API a lot, I neglected to look at the MDATP API explorer!