Forum Discussion

NM_MS's avatar
NM_MS
Copper Contributor
Jun 24, 2024

Filter on Timestamp not working with DeviceFileEvents/DeviceNetworkEvents

Hi   I'm tryng to filter events in DeviceFileEvents from last week in a KQL query. But I'm experiencing strange behaviour. When I add the time range condition, it doesn't return any value.  Am I ...
microsoft defender for endpoint
threat hunting
cyb3rmik3's avatar
cyb3rmik3
Icon for Microsoft rankMicrosoft
Jul 06, 2024

NM_MS hi!

 

Indeed this is strange. Have you recently unified Sentinel and XDR? Just asking as I can see the Timegenerated column is available. The only time I had this "glitch in the Matrix", was for a few days after I completed bringing XDR and Sentinel together. Have you tried to run the query using Timegenerated instead of Timestamp?

  • NM_MS's avatar
    NM_MS
    Copper Contributor
    Jul 08, 2024

    cyb3rmik3 Hi

     

    I tried using Timegenerated us you mention and the results were the same.

    The issue is likely related to the fact that, in connector "Microsoft Defender XDR" in Sentinel, we aren´t connecting logs from DeviceNetworkEvents and DeviceFileEvents.