SOLVED

Device Timeline - Defender 365 - 'Print' events


Hello

I really see much value with the P2 feature of Timeline. I have visibility into pretty much all functions on the desktop. The one event I'm not seeing is Print events. Basically, I'm looking to see when a document is printed, and the details of the document name and printer used to print the document. Is there a toggle somewhere that needs to be turned on to enable these events?

Thanks

best response confirmed by kevind5 (Copper Contributor)
Solution
Though this can be managed by Intune, you can use the PnP event to find the USB printers used in the organization:

//find the USB Printer VID/PID
DeviceEvents
| where ActionType == "PnpDeviceConnected"
// AdditionalFields is a JSON string; parse it once and pull out the fields we need
| extend parsed=parse_json(AdditionalFields)
| extend DeviceDescription = tostring(parsed.DeviceDescription)
| extend PrinterDeviceId = tostring(parsed.DeviceId)
// DeviceId looks like USB\VID_xxxx&PID_yyyy\<instance>; take the middle segment and split on '&'
| extend VID_PID_Array = split(split(PrinterDeviceId, "\\")[1], "&")
// strip the VID_/PID_ prefixes so the result reads as xxxx/yyyy
| extend VID_PID = replace_string(strcat(VID_PID_Array[0], '/', VID_PID_Array[1]), 'VID_', '')
| extend VID_PID = replace_string(VID_PID, 'PID_', '')
| extend ClassId = tostring(parsed.ClassId)
| extend VendorIds = tostring(parsed.VendorIds)
| where DeviceDescription == 'USB Printing Support'
| project Timestamp, DeviceId, DeviceName, ActionType, DeviceDescription, VID_PID, ClassId, PrinterDeviceId, VendorIds, parsed
| order by Timestamp desc

Please mark helpful if you find my comment helpful
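As an added example (not part of the original reply), the query's VID/PID extraction mirrored in Python so it can be checked offline against exported DeviceEvents rows before relying on it in a hunt. The sample rows below are constructed and carry only the fields the query uses; the third row is a deliberately malformed DeviceId to show where the split()[1] logic needs a guard.

```python
import json
from typing import Optional

# Constructed rows shaped like DeviceEvents "PnpDeviceConnected" records (made-up
# values, not real telemetry); only the fields the query uses are included.
SAMPLE_EVENTS = [
    {"Timestamp": "2024-03-04T09:12:44Z", "DeviceName": "ws-01",
     "AdditionalFields": json.dumps({"DeviceDescription": "USB Printing Support",
                                     "DeviceId": "USB\\VID_04A9&PID_2774\\6&1A2B3C4D&0&3"})},
    {"Timestamp": "2024-03-04T09:15:02Z", "DeviceName": "ws-01",
     "AdditionalFields": json.dumps({"DeviceDescription": "USB Mass Storage Device",
                                     "DeviceId": "USB\\VID_0781&PID_5581\\4C530001"})},
    # Constructed edge case: description matches but the ID has no VID_/PID_ segment,
    # so the query's split()[1] + replace_string chain would not yield a usable VID/PID.
    {"Timestamp": "2024-03-04T10:01:17Z", "DeviceName": "ws-02",
     "AdditionalFields": json.dumps({"DeviceDescription": "USB Printing Support",
                                     "DeviceId": "SWD\\PRINTENUM\\{9F5A1B2C-0000-0000-0000-000000000000}"})},
]


def extract_vid_pid(device_id: str) -> Optional[str]:
    """Mirror the query's split/replace chain: second backslash segment, split on
    '&', strip VID_/PID_ -> '04A9/2774'. None when the ID has no such segment."""
    segments = device_id.split("\\")
    if len(segments) < 2:
        return None
    parts = segments[1].split("&")
    if len(parts) < 2 or not parts[0].startswith("VID_") or not parts[1].startswith("PID_"):
        return None
    return f"{parts[0][4:]}/{parts[1][4:]}"


def usb_printer_connections(events: list) -> list:
    """Rows with DeviceDescription 'USB Printing Support', newest first."""
    rows = []
    for ev in events:
        parsed = json.loads(ev["AdditionalFields"])  # AdditionalFields is a JSON string
        if parsed.get("DeviceDescription") != "USB Printing Support":
            continue
        rows.append({"Timestamp": ev["Timestamp"], "DeviceName": ev["DeviceName"],
                     "PrinterDeviceId": parsed.get("DeviceId", ""),
                     "VID_PID": extract_vid_pid(parsed.get("DeviceId", ""))})
    return sorted(rows, key=lambda r: r["Timestamp"], reverse=True)
```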
Accurate answer. Thank you sabbir. This one should be marked as best answer.