Greetings, I have a customer that is running Defender for Identity and this alert keeps showing up in their Azure Sentinel instance.
I thought it might have been a problem with information being lost on the way from Defender for Identity -> Cloud App Security -> Sentinel, but from the Defender for Identity portal it is just as inexpressive.
Is there a way to get more information sent with the alert?
Probably not much more, you can export the alert to Excel and see some more details, but not sure they will give you the answer you are after. This alert may vary in how detailed it is depending on which protocol was used to do the remote execution, and how the environment is configured. Some protocols are encrypted, so we can only tell the execution took place, but not much more.