Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Device Timeline - Defender 365 - 'Print' events

Copper Contributor

Hello

 

I really see much value with the P2 feature of Timeline.  I have visibility into pretty much all functions on the desktop.  The one event I'm not seeing are Print events.  Basically, I'm looking to see when a document is printed, and the details of the document name and printer used to print the document.  Is there a toggle somewhere that needs to be turned on to enable these events.  

 

Thanks 

2 Replies
Though this thing can be managed by intune but You can use the PnP event to find the USB printer used in the organization:

//find the USB Printer VID/PID
DeviceEvents
| where ActionType == "PnpDeviceConnected"
| extend parsed=parse_json(AdditionalFields)
| extend DeviceDescription = tostring(parsed.DeviceDescription)
| extend PrinterDeviceId = tostring(parsed.DeviceId)
| extend VID_PID_Array = split(split(PrinterDeviceId, "\\")[1], "&")
| extend VID_PID = replace_string(strcat(VID_PID_Array[0], '/', VID_PID_Array[1]), 'VID_', '')
| extend VID_PID = replace_string(VID_PID, 'PID_', '')
| extend ClassId = tostring(parsed.ClassId)
| extend VendorIds = tostring(parsed.VendorIds)
| where DeviceDescription == 'USB Printing Support'
| project Timestamp , DeviceId, DeviceName, ActionType, DeviceDescription, VID_PID, ClassId, PrinterDeviceId, VendorIds, parsed
| order by Timestamp desc

Please mark helpful if you find my comment helpful
Accurate answer. Thank you sabbir . this one should marked as best answer