Mar 07 2023 12:10 AM
Hello everyone,
After the old ATP portal was closed and redirected to the Defender portal, I can't find the changes that have been made to users or computers.
For example: on an identity, I was able to see who added it to a group, removed it from a group, and made other changes to attributes. In the Azure timeline I see only activities related to security incidents/alerts.
Where do I find that information now?
Thanks
CC
Jul 14 2023 07:39 AM
@LiorShapira Important modification logs, such as updates to expiry dates and changes to on-prem users' distinguishedName, are logs that were in the classic MDI portal. They are not in the Defender portal. Is there any other way for us to view these on-prem-specific logs, as they are crucial in our environment?
Thanks
Aug 10 2023 04:13 AM
@kinanoman The user timeline in the M365D portal contains group membership activities such as adding/removing the user from an AD group.
Additionally, you can use Advanced hunting to find group-related activities from the last 30 days. For example, the query below presents group membership activities.
I can share that we are working on creating a full group page, including a timeline of related activities and alerts, which will be available in the coming months.
```kusto
IdentityDirectoryEvents
| where ActionType == 'Group Membership changed'
| extend ToGroup = tostring(parse_json(AdditionalFields).['TO.GROUP']) // Extracts the group name if the action adds an entity to a group
| extend FromGroup = tostring(parse_json(AdditionalFields).['FROM.GROUP']) // Extracts the group name if the action removes an entity from a group
| extend GroupMembershipAction = iff(isempty(ToGroup), 'Remove', 'Add') // Determines whether the action is Remove or Add
| extend GroupSidtoAddTo = tostring(parse_json(AdditionalFields).['TO.GROUP_SID'])
| extend GroupSidtoRemoveFrom = tostring(parse_json(AdditionalFields).['FROM.GROUP_SID'])
| extend GroupModified = iff(isempty(ToGroup), FromGroup, ToGroup) // Group name that the action was taken on
| extend GroupModifiedSid = iff(isempty(GroupSidtoAddTo), GroupSidtoRemoveFrom, GroupSidtoAddTo)
| extend Actor = tostring(parse_json(AdditionalFields).['ACTOR.ACCOUNT']) // Account name of the actor who performed the action
| extend TargetUser = tostring(parse_json(AdditionalFields).['TARGET_OBJECT.USER'])
| extend TargetDevice = tostring(parse_json(AdditionalFields).['TARGET_OBJECT.DEVICE'])
| extend TargetGroupToAddRemove = tostring(parse_json(AdditionalFields).['TARGET_OBJECT.GROUP']) // Extracts the group name if the action adds/removes a group entity to/from a group
| extend Target_Group_Sid_Directory = iff((isnotempty(GroupSidtoRemoveFrom)), GroupSidtoRemoveFrom, GroupSidtoAddTo)
| extend TargetAccount = case(
    isnotempty(TargetUser), TargetUser,
    isnotempty(TargetDevice), TargetDevice,
    TargetGroupToAddRemove
)
| extend TargetType = case(
    isnotempty(TargetUser), 'User',
    isnotempty(TargetDevice), 'Device',
    'Group'
)
| project Timestamp, ActionType, GroupMembershipAction, GroupModified, GroupModifiedSid, TargetType, DC=DestinationDeviceName, Actor, ActorDomain=AccountDomain, AdditionalFields
| order by Timestamp desc
```
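Added example (not part of the thread and not Microsoft's code): the same normalization applied offline in Python to rows exported from Advanced hunting, so the 30-day results can be kept and checked beyond the portal. It assumes each exported row carries the AdditionalFields JSON with the keys the query above reads; the rows and the sensitive-group SID are constructed.

```python
import json
from typing import Optional

# Constructed rows in the shape of exported IdentityDirectoryEvents (hypothetical values).
SAMPLE_EVENTS = [
    {"Timestamp": "2023-08-10T09:00:00Z", "ActionType": "Group Membership changed",
     "DestinationDeviceName": "dc01.corp.example",
     "AdditionalFields": json.dumps({"TO.GROUP": "Domain Admins", "TO.GROUP_SID": "S-1-5-21-1-2-3-512",
                                     "ACTOR.ACCOUNT": "jdoe", "TARGET_OBJECT.USER": "svc-backup"})},
    {"Timestamp": "2023-08-10T09:05:00Z", "ActionType": "Group Membership changed",
     "DestinationDeviceName": "dc01.corp.example",
     "AdditionalFields": json.dumps({"FROM.GROUP": "Helpdesk", "FROM.GROUP_SID": "S-1-5-21-1-2-3-1105",
                                     "ACTOR.ACCOUNT": "jdoe", "TARGET_OBJECT.DEVICE": "ws042"})},
    {"Timestamp": "2023-08-10T09:07:00Z", "ActionType": "Group Membership changed",
     "DestinationDeviceName": "dc02.corp.example",
     "AdditionalFields": json.dumps({"TO.GROUP": "Finance", "TO.GROUP_SID": "S-1-5-21-1-2-3-1200",
                                     "ACTOR.ACCOUNT": "asmith", "TARGET_OBJECT.GROUP": "Accounting"})},
    {"Timestamp": "2023-08-10T09:09:00Z", "ActionType": "Logon", "AdditionalFields": "{}"},
]

# Constructed: SIDs of groups whose membership additions should be reviewed (e.g. Domain Admins).
SENSITIVE_GROUP_SIDS = {"S-1-5-21-1-2-3-512"}


def normalize(event: dict) -> Optional[dict]:
    """Mirror the query's extend/case logic for one row; None if it is not a membership change."""
    if event.get("ActionType") != "Group Membership changed":
        return None
    f = json.loads(event.get("AdditionalFields") or "{}")
    to_group, from_group = f.get("TO.GROUP", ""), f.get("FROM.GROUP", "")
    action = "Remove" if not to_group else "Add"          # iff(isempty(ToGroup), 'Remove', 'Add')
    # case(): the first non-empty target wins, a group target is the fallback
    if f.get("TARGET_OBJECT.USER"):
        target, ttype = f["TARGET_OBJECT.USER"], "User"
    elif f.get("TARGET_OBJECT.DEVICE"):
        target, ttype = f["TARGET_OBJECT.DEVICE"], "Device"
    else:
        target, ttype = f.get("TARGET_OBJECT.GROUP", ""), "Group"
    return {
        "Timestamp": event.get("Timestamp"),
        "GroupMembershipAction": action,
        "GroupModified": to_group or from_group,
        "GroupModifiedSid": f.get("TO.GROUP_SID") or f.get("FROM.GROUP_SID", ""),
        "TargetType": ttype, "TargetAccount": target,
        "DC": event.get("DestinationDeviceName", ""),
        "Actor": f.get("ACTOR.ACCOUNT", ""),
    }


def sensitive_additions(events) -> list:
    """Normalized 'Add' events whose group SID is on the sensitive list (review candidates)."""
    rows = [r for r in map(normalize, events) if r]
    return [r for r in rows if r["GroupMembershipAction"] == "Add" and r["GroupModifiedSid"] in SENSITIVE_GROUP_SIDS]
```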