SOLVED

ATP Legacy portal to defeder > missing events in timeline


Hello everyone,

After the old ATP portal has been closed and redirected to the Defender portal, I can't find the changes that have been made to users or computers.

For example: I was able to see, on an identity, who added it to a group, removed it from a group, and other changes to attributes; in the Azure timeline I see only activities related to security incidents/alerts.

Where do I find that information now?


Thanks
CC

23 Replies

@LiorShapira Important modification logs, such as updates to expiry dates and changes to on-prem users' distinguishedName, are logs that were in the Classic MDI Portal. They are not in the Defender portal. Is there any other way for us to view these on-prem specific logs, as they are crucial in our environment?

Thanks

Today I needed to look at changes made to an AD group. I used to look up the group in the MDI portal and could very easily see the changes.
I cannot find any way of doing this in the Defender portal? I can search the group and see general info about it, but no auditing of changes.

Exactly. Can anyone in MS tell us how to view these events in the new Defender Portal?
@LiorShapira

@kinanoman The user timeline in M365D portal contains group membership activities such as adding/removing the user from an AD group.

Additionally, you can use Advanced hunting to find group related activities from the last 30 days. For example, the query below presents group membership activities.
I can share that we are working on creating a full group page, including a timeline of related activities and alerts, which will be available in the coming months.

IdentityDirectoryEvents
| where ActionType == 'Group Membership changed'
| extend ToGroup = tostring(parse_json(AdditionalFields).['TO.GROUP']) // Extracts the group name if the action is adding an entity to a group.
| extend FromGroup = tostring(parse_json(AdditionalFields).['FROM.GROUP']) // Extracts the group name if the action is removing an entity from a group.
| extend GroupMembershipAction = iff(isempty(ToGroup), 'Remove', 'Add') // Calculates if the action is Remove or Add
| extend GroupSidtoAddTo = tostring(parse_json(AdditionalFields).['TO.GROUP_SID'])
| extend GroupSidtoRemoveFrom = tostring(parse_json(AdditionalFields).['FROM.GROUP_SID'])
| extend GroupModified = iff(isempty(ToGroup), FromGroup, ToGroup) // Group name that the action was taken on
| extend GroupModifiedSid = iff(isempty(GroupSidtoAddTo), GroupSidtoRemoveFrom, GroupSidtoAddTo)
| extend Actor = tostring(parse_json(AdditionalFields).['ACTOR.ACCOUNT']) // Extract the actor account name who performed the action
| extend TargetUser = tostring(parse_json(AdditionalFields).['TARGET_OBJECT.USER'])
| extend TargetDevice = tostring(parse_json(AdditionalFields).['TARGET_OBJECT.DEVICE'])
| extend TargetGroupToAddRemove = tostring(parse_json(AdditionalFields).['TARGET_OBJECT.GROUP']) // Extracts the group name if action is add/remove group entity to/from a group.
| extend Target_Group_Sid_Directory = iff((isnotempty(GroupSidtoRemoveFrom)), GroupSidtoRemoveFrom, GroupSidtoAddTo)
| extend TargetAccount = case (
    isnotempty(TargetUser), TargetUser,
    isnotempty(TargetDevice), TargetDevice,
    TargetGroupToAddRemove
)
| extend TargetType = case (
    isnotempty(TargetUser), 'User',
    isnotempty(TargetDevice), 'Device',
    'Group'
)
| project Timestamp, ActionType, GroupMembershipAction, GroupModified, GroupModifiedSid, TargetType, DC=DestinationDeviceName, Actor, ActorDomain=AccountDomain, AdditionalFields
| order by Timestamp desc
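As an added example (not from the thread, and not a query Microsoft ships), the same IdentityDirectoryEvents fields can be summarised per actor and per day to spot unusual membership changes to sensitive AD groups. The AdditionalFields keys are the ones used in the query above; the list of sensitive group names is an assumption you would replace with your own, and the 30-day window matches the Advanced hunting retention mentioned above.

```kql
// Added example: daily summary of membership changes to sensitive AD groups, by actor.
// Group names below are assumed examples; adjust them to the groups that matter in your environment.
let SensitiveGroups = dynamic(['Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators']);
IdentityDirectoryEvents
| where Timestamp > ago(30d)
| where ActionType == 'Group Membership changed'
| extend AF = parse_json(AdditionalFields)
| extend ToGroup = tostring(AF.['TO.GROUP']), FromGroup = tostring(AF.['FROM.GROUP'])
| extend GroupModified = iff(isempty(ToGroup), FromGroup, ToGroup)          // group the action was taken on
| extend GroupMembershipAction = iff(isempty(ToGroup), 'Remove', 'Add')    // add vs. remove
| where GroupModified in~ (SensitiveGroups)                                 // case-insensitive match on group name
| extend Actor = tostring(AF.['ACTOR.ACCOUNT'])                             // account that performed the change
| extend TargetUser = tostring(AF.['TARGET_OBJECT.USER']),
         TargetDevice = tostring(AF.['TARGET_OBJECT.DEVICE']),
         TargetGroup = tostring(AF.['TARGET_OBJECT.GROUP'])
| extend Target = case(isnotempty(TargetUser), TargetUser,
                       isnotempty(TargetDevice), TargetDevice,
                       TargetGroup)                                         // entity added to / removed from the group
| summarize Changes = count(),
            Adds = countif(GroupMembershipAction == 'Add'),
            Removes = countif(GroupMembershipAction == 'Remove'),
            Targets = make_set(Target, 20),                                 // up to 20 distinct targets per row
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
          by Day = bin(Timestamp, 1d), GroupModified, Actor
| order by LastSeen desc
```

Rows with several adds by one actor in a single day, or changes from an account that does not normally administer the group, are the ones worth opening in the user timeline.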