cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

On Advanced hunting, two schema related to AAD sign-in stopped returning results suddenly

nullpenguin
Copper Contributor

‎Oct 05 2022 01:54 AM - edited ‎Oct 05 2022 02:00 AM

‎Oct 05 2022 01:54 AM - edited ‎Oct 05 2022 02:00 AM

On Advanced hunting, two schema related to AAD sign-in stopped returning results suddenly

When we implemented Defender for Endpoint (Defender ATP at that time), we got query results from the following two schema on Advanced hunting as expected.

  • AADSignInEventsBeta
  • AADSpnSignInEventsBeta

Executed queries are simple, such as "AADSignInEventsBeta | where Timestamp >= ago(7d)".

 

However, since a few months ago, the queries for these two schema suddenly stopped returning results and just displaying 'No results found in the specified time frame'.

The 'take' query like "AADSignInEventsBeta | take 100" also doesn't work. I seems these two schema have no log data now.

 

The same user with E5 Security license, with the same PC, using the same browser, executing the same Kusto query will not return any results for these two schema.

The other schema (e.g. DeviceEvents, EmailEvents, etc...) has no problem from the beginning till now.

 

Do you have any idea why this happens?

I already requested support for MSFT and get no solution for one month. (TBH, I feel the support is not on the right track...)

 

So I just try to get casual guesses here :) 

 

1,470 Views
1 Like
4 Replies
Reply
4 Replies
Rod_Trent

‎Oct 05 2022 04:34 AM

‎Oct 05 2022 04:34 AM

Re: On Advanced hunting, two schema related to AAD sign-in stopped returning results suddenly

I'm curious. Do you see the results you are expecting in IdentityLogonEvents?
0 Likes
Reply
nullpenguin

‎Oct 05 2022 04:49 PM

‎Oct 05 2022 04:49 PM

Re: On Advanced hunting, two schema related to AAD sign-in stopped returning results suddenly

Thank you for your comment!
IdentityLogonEvents seems to be the matter of Defender for Cloud Apps.

Open "Defender for Cloud Apps" portal > "Investigate" > "Conncted apps" >
click "Edit settings" of "Office 365" on three dot menu on the right side >
enable "Azure AD Sign-in events" > click "Connect",
then you can search IdentityLogonEvents logs on MDE's Advanced hunting.
0 Likes
Reply
nullpenguin

‎Oct 24 2022 12:54 AM

‎Oct 24 2022 12:54 AM

Re: On Advanced hunting, two schema related to AAD sign-in stopped returning results suddenly

MSFT support says they already started migrating these beta schema to "IdentityLogonEvents".
So it's natural we cannot retrieve logs.
BTW, it took two months until I got this answer...
1 Like
Reply
nullpenguin

‎Feb 13 2023 09:57 PM

‎Feb 13 2023 09:57 PM

Re: On Advanced hunting, two schema related to AAD sign-in stopped returning results suddenly

I've come back to add a comment to myself.
The problem is solved. I found AADSignInEventsBeta returns logs again on our tenant.

In last Oct, MSFT Japan support told us that this schema is already migrated to IdentityLogonEvents on our tenant. But their reply turned out to be false.
I have no idea about what happened to our tenant for these four months...
0 Likes
Reply