SOLVED

Pulling activities from Azure ATP

%3CLINGO-SUB%20id%3D%22lingo-sub-678434%22%20slang%3D%22en-US%22%3EPulling%20activities%20from%20Azure%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-678434%22%20slang%3D%22en-US%22%3E%3CP%3EJust%20wondering%20if%20there%20is%20a%20way%20to%20pull%20activities%20from%20Azure%20ATP%3F%26nbsp%3B%20I%20would%20like%20to%26nbsp%3B%20export%20of%20all%20activities%20of%20a%20certain%20type%20(for%20example%20user%20account%20changes)%20on%20a%20daily%20basis.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThere%20doesn't%20seem%20to%20be%20any%20way%20to%20access%20the%20data%20that%20AATP%20collects%20to%20use%20for%20other%20purposes.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-678950%22%20slang%3D%22en-US%22%3ERe%3A%20Pulling%20activities%20from%20Azure%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-678950%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F42926%22%20target%3D%22_blank%22%3E%40Robert%20Young%3C%2FA%3E%26nbsp%3B%2C%20You%20can%20go%20to%20the%20profile%20page%20of%20the%20entity%20and%20press%20%22download%20activities%22.%3C%2FP%3E%0A%3CP%3EThere%20is%20not%20scheduling%20option%20for%20this%20though...%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-683317%22%20slang%3D%22en-US%22%3ERe%3A%20Pulling%20activities%20from%20Azure%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-683317%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F42926%22%20target%3D%22_blank%22%3E%40Robert%20Young%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20you%20want%20to%20see%20all%20activities%20for%20a%20specific%20user%2C%20as%20Eli%20mentioned%20you%20can%20do%20this%20from%20the%20entity%20profile%20page.%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure-advanced-threat-protection%2Fatp-activities-search%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure-advanced-threat-protection%2Fatp-activities-search%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20you%20want%20to%20search%20for%20activities%20across%20entities%2C%20this%20is%20something%20that%20you%20will%20need%20to%20wait%20for%20the%20Unified%20Secops%20Portal%20which%20was%20announced%20at%20RSA.%26nbsp%3B%3C%2FP%3E%3CP%3EUnified%20SecOps%3A%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2Funifiedportal%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Faka.ms%2Funifiedportal%3C%2FA%3E%3C%2FP%3E%3CP%3EThe%20Unified%20Secops%20portal%20is%20currently%20in%20Limited%20Public%20Preview.%26nbsp%3B%3C%2FP%3E%3CP%3EBest%2C%3C%2FP%3E%3CP%3EGershon%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-684923%22%20slang%3D%22en-US%22%3ERe%3A%20Pulling%20activities%20from%20Azure%20ATP%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-684923%22%20slang%3D%22en-US%22%3EThanks%2C%20I%20was%20looking%20to%20pull%20from%20all%20entities...will%20check%20out%20the%20Pub%20review.%3C%2FLINGO-BODY%3E
Highlighted
Occasional Contributor

Just wondering if there is a way to pull activities from Azure ATP?  I would like to  export of all activities of a certain type (for example user account changes) on a daily basis.

 

There doesn't seem to be any way to access the data that AATP collects to use for other purposes.

 

3 Replies
Highlighted

@Robert Young , You can go to the profile page of the entity and press "download activities".

There is not scheduling option for this though...

 

Highlighted
Best Response confirmed by Robert Young (Occasional Contributor)
Solution

@Robert Young 

 

If you want to see all activities for a specific user, as Eli mentioned you can do this from the entity profile page. https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-activities-search

 

If you want to search for activities across entities, this is something that you will need to wait for the Unified Secops Portal which was announced at RSA. 

Unified SecOps: https://aka.ms/unifiedportal

The Unified Secops portal is currently in Limited Public Preview. 

Best,

Gershon

Highlighted
Thanks, I was looking to pull from all entities...will check out the Pub review.