Forum Discussion

Brass Contributor

Nov 25, 2022

Solved

Diffrent results in Defender Activity Log and Advanced Hunting

Hello there, we have Defender Identity Sensors running on our Domain Controllers. When I query login results by using Activity Log and Advanced Hunting, i get diffrent result. The device ist our ADF...

LiorShapira
Dec 07, 2022
Our team is aware of a delay in sending alerts and activities to the M365D portal. It's supposed to be resolved as soon as possible. If you continue to have issues in the next week, please contact me (t-lshapira@microsoft.com).

NinjaKitty

Brass Contributor

Nov 28, 2022

LiorShapira Screenshots were taken last friday. I added 3 days since its monday now.

Interestingly, the advanced hunting results have changed. Now there are entries from november 25. which were not visible last friday. But the numbers still don't compare. 136 to 147

Could that be a delay in transfer to the advanced hunting database? Some entries are still missing

LiorShapira

Microsoft

Dec 01, 2022

NinjaKitty Please try to make a change in AH query (#5 row) - replace "LogonType" with
"ActionType", so the "LDAP" will be included too.

NinjaKitty
Brass Contributor
Dec 06, 2022
Changing the query does not make any diffrence. But if I run my querys now, the result match. Could there be delay in the data transfer? Do Advanced Hunting and Activity Log use diffrent databases?
- LiorShapira
  Microsoft
  Dec 07, 2022
  Our team is aware of a delay in sending alerts and activities to the M365D portal. It's supposed to be resolved as soon as possible. If you continue to have issues in the next week, please contact me (t-lshapira@microsoft.com).
  - NinjaKitty
    Brass Contributor
    Dec 07, 2022
    Thank you Lior