On Advanced hunting, two schemas related to AAD sign-in stopped returning results suddenly

When we implemented Defender for Endpoint (Defender ATP at that time), we got query results from the following two schemas on Advanced hunting as expected.

  • AADSignInEventsBeta
  • AADSpnSignInEventsBeta

The executed queries are simple, such as "AADSignInEventsBeta | where Timestamp >= ago(7d)".

However, since a few months ago, the queries for these two schemas suddenly stopped returning results and just display 'No results found in the specified time frame'.

A 'take' query like "AADSignInEventsBeta | take 100" also doesn't work. It seems these two schemas have no log data now.

The same user with E5 Security license, with the same PC, using the same browser, executing the same Kusto query will not return any results for these two schema.

The other schemas (e.g. DeviceEvents, EmailEvents, etc.) have had no problems from the beginning until now.

Do you have any idea why this happens?

I already requested support from MSFT and have gotten no solution for one month. (TBH, I feel the support is not on the right track...)

So I'm just trying to get casual guesses here 🙂

4 Replies
I'm curious. Do you see the results you are expecting in IdentityLogonEvents?
Thank you for your comment!
IdentityLogonEvents seems to be a matter of Defender for Cloud Apps.

Open the "Defender for Cloud Apps" portal > "Investigate" > "Connected apps" >
click "Edit settings" for "Office 365" in the three-dot menu on the right side >
enable "Azure AD Sign-in events" > click "Connect",
then you can search IdentityLogonEvents logs on MDE's Advanced hunting.
MSFT support says they already started migrating these beta schemas to "IdentityLogonEvents".
So it's natural we cannot retrieve logs.
BTW, it took two months until I got this answer...
I've come back to add a comment to myself.
The problem is solved. I found AADSignInEventsBeta returns logs again on our tenant.

Last Oct, MSFT Japan support told us that this schema was already migrated to IdentityLogonEvents on our tenant. But their reply turned out to be false.
I have no idea what happened to our tenant for these four months...