Oct 05 2022 01:54 AM - edited Oct 05 2022 02:00 AM
When we implemented Defender for Endpoint (Defender ATP at that time), we got query results from the following two schemas in Advanced hunting as expected.
The executed queries are simple, such as "AADSignInEventsBeta | where Timestamp >= ago(7d)".
However, since a few months ago, the queries for these two schemas suddenly stopped returning results and just display 'No results found in the specified time frame'.
A 'take' query like "AADSignInEventsBeta | take 100" also doesn't work. It seems these two schemas have no log data now.
The same user with an E5 Security license, on the same PC, using the same browser, executing the same Kusto query gets no results for these two schemas.
The other schemas (e.g. DeviceEvents, EmailEvents, etc.) have had no problem from the beginning till now.
Do you have any idea why this happens?
I already requested support from MSFT and have had no solution for one month. (TBH, I feel the support is not on the right track...)
So I'm just trying to get casual guesses here 🙂
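One quick way to confirm whether a table is truly empty rather than merely filtered out by the query is to count rows per table over the whole Advanced hunting retention window and compare against a table that is known to work. This is an added diagnostic query, not part of the original post; it assumes the Microsoft 365 Defender Advanced hunting schema, uses AADSignInEventsBeta because that is the table named in the post (the second affected table is not named there), and uses DeviceEvents as the control table the post says still returns data.

```kusto
// Added diagnostic (not from the original post). Counts rows per table
// across the Advanced hunting retention window so an empty table shows up
// plainly as missing from the result, next to a control table that works.
union withsource=TableName AADSignInEventsBeta, DeviceEvents
| where Timestamp > ago(30d)          // Advanced hunting keeps 30 days of data
| summarize Rows = count(),
            Oldest = min(Timestamp),
            Newest = max(Timestamp) by TableName
| order by TableName asc
```

If DeviceEvents appears with a row count and a recent Newest value while AADSignInEventsBeta does not appear at all, the table has received no rows in the last 30 days for this tenant, which points at the data source or connector rather than at the query, the client, or the user's session. If AADSignInEventsBeta does appear but with an old Newest value, the flow stopped at that date, which is a useful fact to give to support.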