Forum Discussion
HeyNiko
Nov 20, 2025 (Copper Contributor)
Defender Entity Page w/ Sentinel Events Tab
One device is displaying the Sentinel Events Tab, while the other is not. The only difference observed is that one device is Azure AD (AAD) joined and the other is Domain Joined. Could this differen...
HeyNiko
Nov 21, 2025 (Copper Contributor)
Ran the following KQL w/n Defender and Azure:
let Now = now();
(range TimeGenerated from ago(14d) to Now-1d step 1d
    | extend Count = 0
    | union isfuzzy=true (
        DeviceEvents
        | summarize Count = count() by bin_at(TimeGenerated, 1d, Now)
    )
    | summarize Count=max(Count) by bin_at(TimeGenerated, 1d, Now)
    | sort by TimeGenerated
    | project Value = iff(isnull(Count), 0, Count), Time = TimeGenerated, Legend = "Events")
| render timechart
The data is flowing into the Microsoft Defender XDR portal's Advanced Hunting environment, but the same data (DeviceEvents table) is not appearing in the Azure Sentinel Log Analytics workspace. This indicates a problem with the data connector configuration between Defender XDR and Sentinel, or a network/connectivity issue specific to how the Intune-managed devices are sending their raw events to the Log Analytics workspace.
Troubleshooting Steps
Verify the Microsoft Defender XDR Data Connector Configuration:
1. Navigate to the Microsoft Sentinel data connectors page in the Azure portal or the Defender portal.
2. Find and open the Microsoft Defender XDR connector page.
3. Scroll to the Configuration section and ensure that the Connect events option is enabled.
4. Specifically, verify that the DeviceEvents table is selected for ingestion into your Log Analytics workspace.
Check Network Connectivity on Intune Devices:
1. Confirm that Intune-managed devices have outbound access to the required endpoints for both the Defender for Endpoint service and the Azure Log Analytics workspace.
2. Run the Microsoft Defender for Endpoint Client Analyzer on an affected Intune device to identify any connectivity issues.
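A per-device check to run in the Sentinel Log Analytics workspace after completing the connector steps above. This is an added example, not part of the original reply; the two device names are constructed placeholders and must be replaced with the DeviceName values of the devices being compared.

```kusto
// Added example: confirm whether DeviceEvents rows for specific devices
// reach the Sentinel workspace, and how recently they were ingested.
// A "failed to resolve table" error here means DeviceEvents does not
// exist in this workspace at all.
let lookback = 14d;
// Constructed placeholder names; use the exact DeviceName values
// shown for these devices in Defender Advanced Hunting.
let expected = datatable(DeviceName:string)
[
    "aad-joined-device.example",
    "domain-joined-device.example"
];
expected
| join kind=leftouter (
    DeviceEvents
    | where TimeGenerated > ago(lookback)
    | extend Ingested = ingestion_time()
    | summarize Events = count(),
                LastEvent = max(TimeGenerated),
                LastIngested = max(Ingested)
        by DeviceName
) on DeviceName
// Devices with no rows in the workspace still appear, with Events = 0.
| project DeviceName,
          Events = coalesce(Events, 0),
          LastEvent,
          LastIngested
| extend InWorkspace = Events > 0
| sort by DeviceName asc
```

A device that shows Events = 0 here while returning rows for the same period in Advanced Hunting points to the connector's table selection rather than to the endpoint itself.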