Forum Discussion
On Advanced hunting, two schema related to AAD sign-in stopped returning results suddenly
When we implemented Defender for Endpoint (Defender ATP at that time), we got query results from the following two schema on Advanced hunting as expected. AADSignInEventsBeta AADSpnSignInEventsBet...
Rod_Trent
Microsoft
MicrosoftI'm curious. Do you see the results you are expecting in IdentityLogonEvents?
Thank you for your comment!
IdentityLogonEvents seems to be the matter of Defender for Cloud Apps.
Open "Defender for Cloud Apps" portal > "Investigate" > "Conncted apps" >
click "Edit settings" of "Office 365" on three dot menu on the right side >
enable "Azure AD Sign-in events" > click "Connect",
then you can search IdentityLogonEvents logs on MDE's Advanced hunting.
IdentityLogonEvents seems to be the matter of Defender for Cloud Apps.
Open "Defender for Cloud Apps" portal > "Investigate" > "Conncted apps" >
click "Edit settings" of "Office 365" on three dot menu on the right side >
enable "Azure AD Sign-in events" > click "Connect",
then you can search IdentityLogonEvents logs on MDE's Advanced hunting.