Forum Discussion
Lack of alerts in Sentinel
Hello Koushandehfar,
Thanks for your reply. If I run a simple query like so:
AlertEvidence
| top 50 by TimeGenerated desc
I get no results for those tables.
I do have another environment set up where I am receiving data in those tables. The only difference in the setup is that I have 'Enable EDR in block mode' set up in that environment, which looks like it's providing most of that data. It does seem like there should be additional data being received though.
- Pouya, Jun 17, 2025, MCT
The AlertEvidence table contains information about various entities—files, IP addresses, URLs, users, or devices—associated with alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity.
While you said you can see those events/numbers on the connectors, that may not necessarily be implemented completely to bring that information into the table... Is that the same for the other tables you mentioned? If yes, and you are sure you have some incidents/alerts on your devices or identities, I would recommend reconfiguring the connector again to see if that fixes the issue.
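
One way to run the check the reply asks for, as an added example that is not part of either post: the query below reports row counts and the newest record per table, including tables that returned nothing. The table list (AlertInfo, SecurityAlert, SecurityIncident alongside AlertEvidence) and the 7-day lookback are assumptions; adjust them to the tables your connector is meant to populate.

```kusto
// Added example: compare alert-related tables in one Sentinel workspace.
// Assumption: these four tables are the ones of interest; only AlertEvidence
// is named in the thread.
let lookback = 7d;
let expected = datatable(TableName:string)
    ["AlertInfo", "AlertEvidence", "SecurityAlert", "SecurityIncident"];
// isfuzzy=true lets the union succeed even if a table does not exist
// in the workspace yet (for example, it was never enabled on the connector).
let observed =
    union withsource=TableName isfuzzy=true
        AlertInfo, AlertEvidence, SecurityAlert, SecurityIncident
    | where TimeGenerated > ago(lookback)
    | summarize Rows = count(), Newest = max(TimeGenerated) by TableName;
// Left outer join so that empty or missing tables still appear, with Rows = 0.
expected
| join kind=leftouter observed on TableName
| project TableName, Rows = coalesce(Rows, 0), Newest
| order by Rows asc
```

If SecurityAlert or SecurityIncident show rows while AlertEvidence shows 0, alerts are reaching the workspace but the evidence table is not being populated, which is the situation where the reply suggests reconfiguring the connector.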