Forum Discussion

NM_MS
Copper Contributor
Jun 24, 2024

Filter on Timestamp not working with DeviceFileEvents/DeviceNetworkEvents

Hi


I'm trying to filter events in DeviceFileEvents from last week in a KQL query. But I'm experiencing strange behaviour.

When I add the time range condition, it doesn't return any value. 

Am I doing something wrong? 

Do you have any idea what the problem might be?


Thanks in advance

NM

  • cyb3rmik3
    Iron Contributor

    NM_MS hi!


    Indeed this is strange. Have you recently unified Sentinel and XDR? Just asking as I can see the Timegenerated column is available. The only time I had this "glitch in the Matrix", was for a few days after I completed bringing XDR and Sentinel together. Have you tried to run the query using Timegenerated instead of Timestamp?

    • NM_MS
      Copper Contributor

      cyb3rmik3 Hi


      I tried using Timegenerated as you mention and the results were the same.

      The issue is likely related to the fact that, in the "Microsoft Defender XDR" connector in Sentinel, we aren't connecting logs from DeviceNetworkEvents and DeviceFileEvents.
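An added diagnostic query (not from either poster) that separates the two explanations discussed in the thread: a time filter that is wrong versus a table that simply has no rows because the connector is not ingesting it. It assumes a Sentinel workspace where the Defender XDR tables are exposed with both `Timestamp` and `TimeGenerated` columns, and uses `isfuzzy=true` so the query still runs when one of the tables is absent.

```kusto
// Added example: per-table row counts and time bounds for the last 7 days.
// An empty or missing row for DeviceFileEvents / DeviceNetworkEvents points at
// ingestion (connector table selection), not at the where-clause.
union isfuzzy=true withsource=TableName
    DeviceFileEvents, DeviceNetworkEvents, DeviceProcessEvents
| where TimeGenerated > ago(7d)
| summarize
    RowCount        = count(),
    OldestTimestamp = min(Timestamp),     // event time on the device
    NewestTimestamp = max(Timestamp),
    NewestIngested  = max(TimeGenerated)  // time the row landed in the workspace
  by TableName
| order by TableName asc
```

If the table shows rows here, the original filter should work as `DeviceFileEvents | where Timestamp between (ago(7d) .. now())`; if it shows none while DeviceProcessEvents does, check which event types are selected under the Microsoft Defender XDR connector in Sentinel.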
