SOLVED

Device Events table


Hello from Greece, I have a strange issue.

I cannot run any query in advanced hunting starting with DeviceEvents.

The device section is totally missing. Even if I type it, it is marked red and I receive an error.

Is there any way I can update my schema?

I want the ASR auditing events from my subscription.

Thank you!

Panos

5 Replies
Hi to Greece!

There is no possibility to update the schema. If the logs are ingested, the schema will be automatically updated, I assume. I am missing some information here to understand your current setup and maybe help you:
- Which licenses do you have?
- Are the devices onboarded in MDE?
- Any other information on the configuration which can be helpful

Regards,
Adii

@adiii @Panos83 Did you find a solution? I ran into the same problem. The devices schema is missing. In a demo tenant I just created, the schema is visible and usable.

Our users have Microsoft 365 Business Premium licenses.
The user that executes the query has an Office 365 E3 license (also assigned an MS 365 Business Premium license, but that has no effect).

There are 225 devices onboarded in Defender which report installed software, threat detections etc.

The devices were onboarded from Intune (MDM enrolled).

best response confirmed by Panos83 (Copper Contributor)
Solution
Hi There,

You need to have Defender for Endpoint P2 license to get the Device tables in Advanced Hunting section. Defender for Business does not have this feature. Nor does Defender for Endpoint P1.

When you have Business Premium, Defender for Endpoint gets put in Defender for Business mode by default, even if you have Defender P2 assigned. This can be checked in the Settings - Endpoint - License section. If it says Defender for Business, then you need to submit a ticket to MS to get this changed to Defender P2 mode.

If they come back to you saying to change it in the portal, you can't. It needs to be done in the back end by an MS engineer.

I think you are correct. A last question, if you know it, would be helpful.
Can ASR events (audit, blocked etc.) be categorized as alerts or incidents, or is the only way to get any info about them through the reports?
Thank you
See if you can navigate to the link below after you have signed into the security.microsoft.com portal:

https://security.microsoft.com/asr
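As an added example that is not part of the thread: once the DeviceEvents table is available in the tenant (i.e. Defender for Endpoint P2 mode), this is the kind of advanced hunting query the original post is after. It pulls ASR events from the last 7 days and splits them into audit and block events by the ActionType suffix, so you can see which rules are still in audit mode and how many devices they touch. The column names and the "Asr…Audited" / "Asr…Blocked" ActionType naming follow the public DeviceEvents schema; the 7-day window, the summarization and the sample-file set size are my own choices.

```kql
// ASR rule events from the DeviceEvents table, last 7 days
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType startswith "Asr"
// Audit-mode rules log an ActionType ending in "Audited",
// block-mode rules one ending in "Blocked"
| extend Mode = case(ActionType endswith "Audited", "Audit",
                     ActionType endswith "Blocked", "Block",
                     "Other")
// One row per rule/mode: how often it fired, on how many devices,
// and up to 5 sample file names to help judge false positives
| summarize Events = count(),
            Devices = dcount(DeviceId),
            SampleFiles = make_set(FileName, 5)
          by ActionType, Mode
| order by Events desc
```

Run it from the Advanced hunting page in security.microsoft.com. Drop the `summarize` step and `project` the Timestamp, DeviceName, FileName, FolderPath and InitiatingProcessCommandLine columns instead if you want the individual events rather than the per-rule counts.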