Sergg, apologies for the slow response. I had to check this with more technical folks in the team. Before anything else, please note that advanced hunting wasn’t really designed for configuration management. However, these queries might help so I'm sharing them.
I would run these queries to check whether devices, Office 365 email, Cloud App Security, Azure ATP, and MCAS are returning data:
// Get count of events from all devices
DeviceEvents
| count
// Get count of Office 365 email events
EmailEvents
| count
// Get count of events from Azure ATP (where Application == "Active Directory") as well as Microsoft online services monitored by MCAS
IdentityLogonEvents
| summarize count() by Application
If you want to get the list of devices that have sent events to Microsoft Defender ATP, you can use this:
// Get list of devices returning events
DeviceEvents
| summarize count() by DeviceName
If you want to ensure that you are getting security alerts from Microsoft Defender ATP, Office 365 ATP, Azure ATP, and Cloud App Security, use this query. Note that some of these services might not be firing alerts.
// Get count of security alerts by service
AlertInfo
| summarize count() by ServiceSource
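
An added example, not part of the original reply: the per-table counts above can be combined into one result that also shows how recently each table received data, and that still lists a table when it returned no rows at all. The 7-day lookback window and the column names Events, LastSeen and HoursSinceLast are assumptions chosen for illustration.

```kusto
// Tables to check (names taken from the queries in the reply above)
let Expected = datatable(SourceTable:string)
    ["DeviceEvents", "EmailEvents", "IdentityLogonEvents", "AlertInfo"];
// Row count and newest record per table within the lookback window (assumed: 7 days)
let Observed =
    union withsource=SourceTable DeviceEvents, EmailEvents, IdentityLogonEvents, AlertInfo
    | where Timestamp > ago(7d)
    | summarize Events = count(), LastSeen = max(Timestamp) by SourceTable;
// Left outer join keeps tables that returned nothing, which a plain summarize would drop
Expected
| join kind=leftouter Observed on SourceTable
| project SourceTable,
          Events = coalesce(Events, 0),
          LastSeen,
          HoursSinceLast = datetime_diff('hour', now(), LastSeen)
// Silent tables (empty LastSeen) first, then the stalest data
| order by LastSeen asc nulls first
```

A row with Events equal to 0 and an empty LastSeen means that table returned nothing in the window, which the individual count queries would only show as a zero with no indication of when data last arrived.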