Subject Account from Event Logs Not Shown for Directory Services Changes


Hi, is there a reason the subject is not shown in Azure ATP for certain changes like an administrative password reset, group renames or membership changes?

For example this is in our event log:

[image: rspletzer_1-1589492062779.png]

And this is what we see in Azure ATP -- even if you export the xlsx log it doesn't show more than this, which doesn't include the subject from above:

[image: rspletzer_2-1589492184294.png]

1 Reply

@rspletzer Currently we read those changes remotely from AD, by following USN changes; sadly AD itself does not keep or publish the data of who made the change so that it can be easily read.

You are correct that it's technically possible to read the data from event logs, but those create other limitations and do not always work.
AATP's main focus is alerting on threats and not being a full AD auditing system...
But you are welcome to submit the feedback on the missing data to

AatpFeedback@microsoft.com
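The reply explains that the subject (who made the change) is in the Security event log rather than in the USN stream AATP reads. Below is an added example, not code from the thread or from Azure ATP, that pulls exactly that field from the Security log on a domain controller; the function name Get-AdChangeSubject is my own, and the event IDs are the standard Windows account/group management IDs, which assumes the matching audit subcategories are enabled.

```powershell
# Added example: recover the "who changed what" that the Security log records
# for AD changes. Requires "Audit User Account Management" and
# "Audit Security Group Management" to be enabled on the DC you query.
# Event IDs used (standard Windows Security event IDs):
#   4724 = an attempt was made to reset an account's password (admin reset)
#   4728/4732/4756 = member added to a global/local/universal security group
#   4729/4733/4757 = member removed from a global/local/universal security group
$ids = 4724, 4728, 4732, 4756, 4729, 4733, 4757

function Get-AdChangeSubject {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # a domain controller
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    $filter = @{ LogName = 'Security'; Id = $ids; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # EventData is a flat list of <Data Name="...">value</Data>; turn it into a hashtable
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                # Subject* = the account that performed the change (the field AATP does not show)
                Subject = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                # Target* = the account (4724) or group (472x/473x/475x) that was changed
                Target  = $data['TargetUserName']
                # MemberName is only present on group membership events (DN of the member)
                Member  = $data['MemberName']
                DC      = $_.MachineName
            }
        }
}

# Last 24 hours of admin password resets and group membership changes on this DC
Get-AdChangeSubject | Sort-Object Time | Format-Table -AutoSize
```

Each DC logs only the changes it processed, so run it against every DC (or collect the events centrally) to get the full picture that the USN-based view lacks.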