Forum Discussion
Device Events table
Hello from Greece, i have a strange issue. I cannot run any query in advanced hunting starting with deviceevents. The device section is totally missing. Even if i type it it is marked red and i rec...
- Hi There,
You need to have Defender for Endpoint P2 license to get the Device tables in Advanced Hunting section. Defender for Business does not have this feature. Nor does Defender for Endpoint P1.
When you have Business premium, Defender for endpoint gets put in Defender for Business mode by default. Even if you have Defender P2 assigned. This can be checked in the Settings - Endpoint - License section. If it says Defender for Business then you need to submit a ticket to MS to get this changed for Defender P2 mode.
If they come back to you saying for you to change it in the portal. You can't. Needs to be done in back end by MS engineer.
Hi There,
You need to have Defender for Endpoint P2 license to get the Device tables in Advanced Hunting section. Defender for Business does not have this feature. Nor does Defender for Endpoint P1.
When you have Business premium, Defender for endpoint gets put in Defender for Business mode by default. Even if you have Defender P2 assigned. This can be checked in the Settings - Endpoint - License section. If it says Defender for Business then you need to submit a ticket to MS to get this changed for Defender P2 mode.
If they come back to you saying for you to change it in the portal. You can't. Needs to be done in back end by MS engineer.
You need to have Defender for Endpoint P2 license to get the Device tables in Advanced Hunting section. Defender for Business does not have this feature. Nor does Defender for Endpoint P1.
When you have Business premium, Defender for endpoint gets put in Defender for Business mode by default. Even if you have Defender P2 assigned. This can be checked in the Settings - Endpoint - License section. If it says Defender for Business then you need to submit a ticket to MS to get this changed for Defender P2 mode.
If they come back to you saying for you to change it in the portal. You can't. Needs to be done in back end by MS engineer.
- I think you are correct. A last question if you know it would be heloful.
ASR events (audit,blocked etc) can categorized as alerts or incidents or the only way to get any info about them is through the reports ?
Thank you- See if you can navigate to the link below after you have signed into the security.microsoft.com portal:
https://security.microsoft.com/asr