apache_strike
Copper Contributor
Oct 24, 2023

Missing tables and data in advanced hunting

Hey everyone,

I have E5 licences for users and I use Microsoft for endpoints on workstations.

I would like to create custom detection rules with the advanced hunting menu, but a lot of tables are missing or are empty in my schema.

For instance:

I got the IdentityInfo table filled, but the IdentityLogonEvents table empty.

I also don't have any tables related to the devices enrolled (DeviceInfo, DeviceLogonEvents, …).

Maybe I missed something, but I couldn't find it. Any help would be appreciated.

Cheers,

PS: I use another antivirus solution than Microsoft Defender and I don't have any Azure subscription.

4 Replies

  • jamesderekb
    Copper Contributor
    I have seen this before. A couple of things: make sure you have RBAC permissions, and also open a case, as I have seen schema fields disappear for a Defender 365 tenant and it took a case for Microsoft engineering to correct it.
    • m0vida
      Copper Contributor

      jamesderekb where can I open a request to engineering? Can you please provide the link?

      I face the same issue.

      Thanks

    • apache_strike
      Copper Contributor
      Thanks James, I have the right RBAC permissions, so I just opened a case with Microsoft about the issue. We will see.
      • DE-Robin
        Copper Contributor
        I have the same problem. I have 200 Business Premium licenses and the UI does not show other tables. Via Azure Sentinel I can get these tables....
