Native Windows 10 Defender events to Azure Sentinel


Thanks in advance.

I can't see the Windows Defender logs (the system one) in Azure Sentinel.
In the agent configuration I have added the branch: Microsoft-Windows-Windows Defender / Operational
As I do with Sysmon, but I don't see the events, for example when I disable online protection.

Can you think of what could be happening?

Thanks!!!

PS: is there any query where I can verify the "schema" that I have configured in the Windows agents, apart from seeing it graphically?

All the best

0 Replies