cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Old ATP portal - activities overview

Kim Kristensen
Brass Contributor

‎Feb 20 2023 12:23 AM - edited ‎Feb 20 2023 12:24 AM

‎Feb 20 2023 12:23 AM - edited ‎Feb 20 2023 12:24 AM

Old ATP portal - activities overview

Hi,

I often use the "Activities" overview in the old ATP portal (When I lookup a user) - it gives a quick overview of what a uses actions. But successful and failed - can often be helpful when troubleshooting.

 

But since the ATP portal is being redirected to the security portal - where do I find similar information in the security portal?

There is a timeline under the user page - but that info seems to come from cloud app security and doesn't contain the same information.

1,594 Views
1 Like
9 Replies
Reply
9 Replies
LiorShapira

‎Feb 21 2023 01:08 AM

‎Feb 21 2023 01:08 AM

Re: Old ATP portal - activities overview

The new Identity timeline as part of the User page in M365D portal represents activities from MDI/MDE/MDA. The same activities that you're seeing in the legacy portal should be available in the new user timeline too.
In the next coming weeks, an "Activity type" filter will be available, and I assume it will help you to look specifically for failed and successful log on events related to a user.
For any other feedback or question regarding the timeline, please contact me directly and I'll be happy to assist: t-lshapira@microsoft.com
0 Likes
Reply
Jens_Mander

‎Feb 28 2023 07:10 AM

‎Feb 28 2023 07:10 AM

Re: Old ATP portal - activities overview

Hi @ll,
I am also missing the timeline for AD-groups. In the past (in the old portal) I often took a look at timelines of groups to see for example who added users to this group. Is this information still available anywhere? advanced hunting?
Cheers, Jens...
0 Likes
Reply
LiorShapira

‎Feb 28 2023 08:26 AM - edited ‎Feb 28 2023 08:27 AM

‎Feb 28 2023 08:26 AM - edited ‎Feb 28 2023 08:27 AM

Re: Old ATP portal - activities overview

Hi Jens,
Yes, you can use Advanced Hunting to see those changes and look for a specific group.
For example:
IdentityDirectoryEvents
| where ActionType =="Group Membership changed"
| extend RemoveFromGroupName=AdditionalFields['FROM.GROUP']
| extend AddToGroupName=AdditionalFields['TO.GROUP']
| where RemoveFromGroupName =="Users" or AddToGroupName =="Users"

In addition, we are working on adding this information to the User timeline (for both users involved in this activity).

0 Likes
Reply
Jens_Mander

‎Feb 28 2023 08:36 AM

‎Feb 28 2023 08:36 AM

Re: Old ATP portal - activities overview

Thx alot, will try it soon. Cheers, Jens...
0 Likes
Reply
AzureGuineaPig

‎Feb 28 2023 01:19 PM

‎Feb 28 2023 01:19 PM

Re: Old ATP portal - activities overview

The best thing MS can do is bring back the activities timeline view, with all the "security alerts" and "activities by type" categories in a single pain of glass.
1 Like
Reply
Jens_Mander

‎Mar 01 2023 01:28 AM - edited ‎Mar 01 2023 01:30 AM

‎Mar 01 2023 01:28 AM - edited ‎Mar 01 2023 01:30 AM

Re: Old ATP portal - activities overview

@LiorShapira 

this query shows "only" who has been added or removed to/from a group. A bit like described in this article: Track changes to sensitive groups with Advanced Hunting in Microsoft 365 Defender - Microsoft Commun...


But in the old portal, regarding the timeline of an on-premises Active Directory Group, I also could see who has added/removed the user, even when the group wasn't marked as sensitive.

 

Here a screenshot from "older days".

2023-03-01_101825.png

Cheers, Jens...

2 Likes
Reply
LiorShapira

‎Mar 01 2023 08:31 AM

‎Mar 01 2023 08:31 AM

Re: Old ATP portal - activities overview

As I mentioned above, we are working on adding the same information to the new User timeline, and also adding the ability to filter and look for a specific activity such as "group membership changed" (for both sensitive/non-sensitive groups, in Advanced hunting is already for both).
2 Likes
Reply
AraDill

‎Mar 22 2023 01:29 PM

‎Mar 22 2023 01:29 PM

Re: Old ATP portal - activities overview

@LiorShapira So MSFT forced everyone to use the "new" portal before they had full functionality?  Great user experience...

 

0 Likes
Reply
LiorShapira

‎Mar 23 2023 12:38 AM

‎Mar 23 2023 12:38 AM

Re: Old ATP portal - activities overview

@AraDill The defender for identity experience is converged into the Microsoft 365 Defender portal, with that, we feel that the information contained in the classic portal experience can now be presented in a more unified manner, aligned with the additional defender workload, such as unified alert and incident queue, advanced hunting and Secure Score recommendations.
Please take a few minutes to share with us which functionality you feel is missing: https://aka.ms/MdiRedirectionSurvey

1 Like
Reply