Forum Discussion
Dean_Gross
Oct 03, 2022, Silver Contributor
Inconsistent Last Log Received Data
Can anyone help me understand why the Microsoft Defender for Endpoint connector does not have a value in the Last Log Received field, but the Microsoft 365 Defender (Preview) connector does show Endpoint events from a few minutes ago?
- -jmn- (Copper Contributor): The preview is the new unified connector. In my experience, turning it on disables endpoint events from the old connector. I'd stick with the preview. The old connector will only do alerts and incidents (and maybe action center items), while with the new connector you can send events from advanced hunting. I have an environment still on the old connector; going to switch over to see if there is any impact on the old connector.
- -jmn- (Copper Contributor):
Done some digging. If you have just MDE enabled in the new unified connector, one should take over the other, but the last log received should be populated on both. The old connector is essentially doing this to get the last log time:
SecurityAlert | where ProviderName == "MDATP" | summarize arg_max(TimeGenerated, *) | project LastLogTime = TimeGenerated
It also appears to run the query over a 7 day period. I imagine the preview connector looks something more like this:
SecurityAlert | where ProviderName in ("MDATP", "MDI", "MDO", "MCAS") | summarize arg_max(TimeGenerated, *) by ProviderName | project ProviderName, TimeGenerated
This is oversimplified in order to compare to the original connector, but the point is the preview connector can send advanced hunting data. The original cannot. If you run the first query, does it return any results? If it doesn't, it is because the two connectors are sending different data; you just haven't received any Defender for Endpoint alerts in 7 days, while you have received advanced hunting data or other Defender product alerts.
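A diagnostic that puts the two explanations above side by side, written here as an added example rather than a query from the thread or from Microsoft. It assumes a Sentinel workspace where the SecurityAlert table holds alerts from both connectors and the DeviceEvents advanced hunting table is populated by the unified connector, and it uses the 7-day window -jmn- mentions; the Source labels are constructed for readability.

```kusto
// Last MDE alert the old connector's logic would find (7-day window, as described in the thread)
let oldConnector = SecurityAlert
    | where TimeGenerated > ago(7d)
    | where ProviderName == "MDATP"
    | summarize LastLogTime = max(TimeGenerated)
    | extend Source = "SecurityAlert (MDATP alerts)";
// Last advanced hunting event from the unified connector; the old connector never receives these
let unifiedConnector = DeviceEvents
    | where TimeGenerated > ago(7d)
    | summarize LastLogTime = max(TimeGenerated)
    | extend Source = "DeviceEvents (advanced hunting)";
// Per-product alert recency, mirroring the preview connector query -jmn- sketched
let perProduct = SecurityAlert
    | where TimeGenerated > ago(7d)
    | where ProviderName in ("MDATP", "MDI", "MDO", "MCAS")
    | summarize LastLogTime = max(TimeGenerated) by ProviderName
    | extend Source = strcat("SecurityAlert (", ProviderName, ")")
    | project Source, LastLogTime;
union oldConnector, unifiedConnector, perProduct
| extend AgeMinutes = datetime_diff('minute', now(), LastLogTime)
| project Source, LastLogTime, AgeMinutes
| order by LastLogTime desc
```

A blank LastLogTime on the "SecurityAlert (MDATP alerts)" row alongside a recent "DeviceEvents (advanced hunting)" row reproduces the situation in the question: no MDE alerts in the window, so the old connector has nothing to report, while the unified connector is still receiving endpoint telemetry.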
- Clive_Watson (Bronze Contributor): I have values in both of mine (MDE even has it when the preview isn't enabled).