Nov 25 2022 08:34 AM
Hello there,
We have Defender Identity Sensors running on our Domain Controllers. When I query login results by using Activity Log and Advanced Hunting, I get different results. The device is our ADFS server.
What am I missing here?
thank you
martin
Nov 27 2022 06:52 AM - edited Nov 27 2022 07:01 AM
@NinjaKitty Can you please let me know which 5 activity types are selected in the Activity log filter?
In addition, at what time did the first activity in the Activity log occur? (Maybe there's a delay issue that I would like to check).
Feel free to send me an email: t-lshapira@microsoft.com
Thanks,
Lior (Product manager in MDI team)
Nov 28 2022 03:09 AM - edited Nov 28 2022 03:19 AM
@LiorShapira Screenshots were taken last Friday. I added 3 days since it's Monday now.
Interestingly, the advanced hunting results have changed. Now there are entries from November 25 which were not visible last Friday. But the numbers still don't compare: 136 to 147.
Could that be a delay in transfer to the advanced hunting database? Some entries are still missing.
Dec 01 2022 12:37 AM
@NinjaKitty Please try to make a change in the AH query (row #5): replace "LogonType" with "ActionType", so the "LDAP" will be included too.
Dec 06 2022 04:41 AM
Dec 07 2022 12:36 AM
Solution
Dec 07 2022 04:33 AM