Hello DATP team and users,
I wanted to reach out and describe some issues we are seeing and see if others have experienced similar problems and if there were any fixes or checks you would recommend.
With Defender ATP, on several deep-dive investigations we have noticed that the machine timelines are missing some pretty key entries, like files being created under normal user locations (Desktop, Downloads, Documents, etc). Example: a text file is created locally and saved to a user's desktop. The only entries that display in the machine timeline are the first time a file is opened and a lnk file is created for it. Forensic examination of the disk is the only method to determine the source file's MACB timestamps, which isn't very scalable. We have had this solution deployed since it was in public preview, and I don't remember this being an issue in the past.
With Defender ATP's integration with Azure ATP, the integration appears to be almost completely broken. Most machines display "Machine not found in Azure ATP" within Defender ATP, even though they are present when searching in AATP. When troubleshooting, disabling then enabling the integration after variable periods of time seems to fix the issue for about a day, then the issue reappears. We definitely didn't have this issue until the last 3 months or so.
Has anyone experienced similar problems and were you able to resolve them?
Thanks in advance for any assistance you can provide.
