Include missing ActionTypes in DeviceEvents

Hi all,

There is a discrepancy between those events with certain ActionTypes that are viewable in the timeline view of a device, and those able to be searched in Advanced Hunting in KQL - this means no custom detections can be made, and threat hunting based on them is not possible.

This article lists 61 events that are missing in the DeviceEvent table: https://medium.com/falconforce/microsoft-defender-for-endpoint-internals-0x04-timeline-3f01282839e4

Please can this data be included?

Kind regards,

Felix

1 Reply
Discrepancies are still in place today. Any reports of this getting fixed/added?