HeyNiko
Copper Contributor
Nov 20, 2025

Defender Entity Page w/ Sentinel Events Tab

One device is displaying the Sentinel Events Tab, while the other is not. The only difference observed is that one device is Azure AD (AAD) joined and the other is Domain Joined.  Could this difference account for the missing Sentinel events data?

Any insight would be appreciated! 

 

 

2 Replies

  • danghoang95
    Copper Contributor

    HeyNiko​ 

    The Sentinel events tab in the Defender for Endpoint (MDE) device page only appears when that specific device has events ingested into Microsoft Sentinel that can be correlated back to the device entity.

     

    Can you check whether the domain-joined PC has telemetry enabled, and also check network connectivity:

     

    1. Enable telemetry:

    GPO: To enable Microsoft Defender telemetry via Group Policy, navigate to Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds, then set the "Allow diagnostic data" (or "Allow telemetry") policy to a higher level like "Required" or "Full"

    Intune: https://www.anoopcnair.com/allow-telemetry-or-diagnostic-data-intune/

     

    2. Verify on your company firewall whether these URLs are open:

    *.securitycenter.microsoft.com

    *.wd.microsoft.com

    *.wdcp.microsoft.com

    *.events.data.microsoft.com

    *.telemetry.microsoft.com

     

    And also turn off SSL inspection for these URLs (this is important but many people forget).

  • HeyNiko
    Copper Contributor

    Ran the following KQL w/n Defender and Azure: 

        let Now = now();
        (range TimeGenerated from ago(14d) to Now-1d step 1d
        | extend Count = 0
        | union isfuzzy=true (
            DeviceEvents
            | summarize Count = count() by bin_at(TimeGenerated, 1d, Now)
          )
        | summarize Count=max(Count) by bin_at(TimeGenerated, 1d, Now)
        | sort by TimeGenerated
        | project Value = iff(isnull(Count), 0, Count), Time = TimeGenerated, Legend = "Events")
        | render timechart

     

    The data is flowing into the Microsoft Defender XDR portal's Advanced Hunting environment, but the same data (DeviceEvents table) is not appearing in the Azure Sentinel Log Analytics workspace. This indicates a problem with the data connector configuration between Defender XDR and Sentinel, or a network/connectivity issue specific to how the Intune-managed devices are sending their raw events to the Log Analytics workspace.

     

    Troubleshooting Steps
    Verify the Microsoft Defender XDR Data Connector Configuration:
     
    1. Navigate to the Microsoft Sentinel data connectors page in the Azure portal or the Defender portal.
    2. Find and open the Microsoft Defender XDR connector page.
    3. Scroll to the Configuration section and ensure that the Connect events option is enabled.
    4. Specifically, verify that the DeviceEvents table is selected for ingestion into your Log Analytics workspace.
     
    Check Network Connectivity on Intune Devices:
     
    1. Confirm that Intune-managed devices have outbound access to the required endpoints for both the Defender for Endpoint service and the Azure Log Analytics workspace.
    2. Run the Microsoft Defender for Endpoint Client Analyzer on an affected Intune device to identify any connectivity issues.
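
An added example, not part of the original thread: a per-device version of the ingestion check discussed above, meant to be run in the Sentinel Log Analytics workspace to see whether each of the two devices has any rows that the device page could show. The device names are placeholders, and the list of Device* tables is an assumption about which event types the connector is streaming.

```kql
// Added example (not from the thread). Run in the Sentinel Log Analytics workspace.
// Placeholder device names (assumptions): replace with the two devices being compared.
let Lookback = 14d;
let Devices = datatable(DeviceName:string) [
    "aad-joined-pc.example.com",
    "domain-joined-pc.example.com"
];
let Ingested =
    union isfuzzy=true withsource=SourceTable
        // Empty stub leg so the union still resolves when none of the
        // Device* tables exist in the workspace (nothing is being streamed).
        (datatable(TimeGenerated:datetime, DeviceName:string) []),
        DeviceInfo,
        DeviceEvents,
        DeviceProcessEvents,
        DeviceNetworkEvents,
        DeviceFileEvents,
        DeviceLogonEvents
    | where TimeGenerated > ago(Lookback)
    | extend DeviceName = tolower(DeviceName)
    | summarize Events = count(), LastEvent = max(TimeGenerated)
        by DeviceName, SourceTable;
Devices
| extend DeviceName = tolower(DeviceName)
// leftouter keeps a device in the output even when it has no ingested rows
| join kind=leftouter Ingested on DeviceName
| project DeviceName, SourceTable, Events = coalesce(Events, 0), LastEvent
| order by DeviceName asc, SourceTable asc
```

A device that comes back with `Events = 0` and an empty `SourceTable` has nothing in the workspace for the lookback window; a device that has rows in some tables but not others shows which event types are reaching the workspace.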

     
