Forum Discussion

Copper Contributor

Nov 23, 2023

Device Events table

Hello from Greece, i have a strange issue. I cannot run any query in advanced hunting starting with deviceevents. The device section is totally missing. Even if i type it it is marked red and i rec...

Microsoft Defender for Endpoint

AntR07
Dec 12, 2023
Hi There,

You need to have Defender for Endpoint P2 license to get the Device tables in Advanced Hunting section. Defender for Business does not have this feature. Nor does Defender for Endpoint P1.

When you have Business premium, Defender for endpoint gets put in Defender for Business mode by default. Even if you have Defender P2 assigned. This can be checked in the Settings - Endpoint - License section. If it says Defender for Business then you need to submit a ticket to MS to get this changed for Defender P2 mode.

If they come back to you saying for you to change it in the portal. You can't. Needs to be done in back end by MS engineer.

adiii

Brass Contributor

Nov 29, 2023

Hi to Greece!

There is no possibility to update the schema. If the logs ingress, the schema will be automatically updated I assume. I am missing some information here to understand your current setup and maybe help you:
- Which licenses do you have?
- Are the devices onboarded in MDE?
- any other information on the configuration which can be helpful

Regards,
Adii

Maxim_vanL
Copper Contributor
Dec 08, 2023
adiii Panos83 Did you find a solution? I run into the same problem. The devices schema is missing. In a demo tenant I just created, the schema is visible and useable.

Our users have Microsoft 365 Business Premium licenses
The user that executes the query has an Office 365 E3 license (also assigned an MS 365 Business Premium license but that has no effect.)

There are 225 devices onboarded in Defender which report installed software, threat detections etc.

The devices were onboarded from Intune (MDM Enrolled)