cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Diffrent results in Defender Activity Log and Advanced Hunting

NinjaKitty
Brass Contributor

‎Nov 25 2022 08:34 AM

‎Nov 25 2022 08:34 AM

Diffrent results in Defender Activity Log and Advanced Hunting

Hello there,
we have Defender Identity Sensors running on our Domain Controllers. When I query login results by using Activity Log and Advanced Hunting, i get diffrent result. The device ist our ADFS server.

 

What am i missing here?

 

NinjaKitty_0-1669393808095.png

NinjaKitty_1-1669393833198.png

 

thank you

martin

1,352 Views
0 Likes
6 Replies
Reply
6 Replies
LiorShapira

‎Nov 27 2022 06:52 AM - edited ‎Nov 27 2022 07:01 AM

‎Nov 27 2022 06:52 AM - edited ‎Nov 27 2022 07:01 AM

Re: Diffrent results in Defender Activity Log and Advanced Hunting

@NinjaKittyCan you please let me know which 5 activity types are selected in the Activity log filter?
In addition, at what time did the first activity the Activity log occur? (Maybe there's a delay issue that I would like to check).
Feel free to so send me an email: t-lshapira@microsoft.com
Thanks,
Lior (Product manager in MDI team)

0 Likes
Reply
NinjaKitty

‎Nov 28 2022 03:09 AM - edited ‎Nov 28 2022 03:19 AM

‎Nov 28 2022 03:09 AM - edited ‎Nov 28 2022 03:19 AM

Re: Diffrent results in Defender Activity Log and Advanced Hunting

@LiorShapira Screenshots were taken last friday. I added 3 days since its monday now.

NinjaKitty_0-1669629980551.png

 

Interestingly, the advanced hunting results have changed. Now there are entries from november 25. which were not visible last friday.  But the numbers still don't compare. 136 to 147

NinjaKitty_0-1669634306813.png

 

Could that be a delay in transfer to the advanced hunting database? Some entries are still missing

NinjaKitty_2-1669633725924.pngNinjaKitty_3-1669633735350.png

 

0 Likes
Reply
LiorShapira

‎Dec 01 2022 12:37 AM

‎Dec 01 2022 12:37 AM

Re: Diffrent results in Defender Activity Log and Advanced Hunting

@NinjaKitty Please try to make a change in AH query (#5 row) - replace "LogonType" with 
"ActionType", so the "LDAP" will be included too.

 

0 Likes
Reply
NinjaKitty

‎Dec 06 2022 04:41 AM

‎Dec 06 2022 04:41 AM

Re: Diffrent results in Defender Activity Log and Advanced Hunting

Changing the query does not make any diffrence. But if I run my querys now, the result match. Could there be delay in the data transfer? Do Advanced Hunting and Activity Log use diffrent databases?
0 Likes
Reply
best response confirmed by NinjaKitty (Brass Contributor)
LiorShapira

‎Dec 07 2022 12:36 AM

‎Dec 07 2022 12:36 AM

Solution

Re: Diffrent results in Defender Activity Log and Advanced Hunting

Our team is aware of a delay in sending alerts and activities to the M365D portal. It's supposed to be resolved as soon as possible. If you continue to have issues in the next week, please contact me (t-lshapira@microsoft.com).
0 Likes
Reply
NinjaKitty

‎Dec 07 2022 04:33 AM

‎Dec 07 2022 04:33 AM

Re: Diffrent results in Defender Activity Log and Advanced Hunting

Thank you Lior
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by NinjaKitty (Brass Contributor)
LiorShapira

‎Dec 07 2022 12:36 AM

‎Dec 07 2022 12:36 AM

Solution

Re: Diffrent results in Defender Activity Log and Advanced Hunting

Our team is aware of a delay in sending alerts and activities to the M365D portal. It's supposed to be resolved as soon as possible. If you continue to have issues in the next week, please contact me (t-lshapira@microsoft.com).

View solution in original post

0 Likes
Reply