Jul 29 2024 06:26 AM
Hi,
The SessionId information is not available in IdentityLogonEvents. The SessionID data can only be found in the XDR table AADSignInEventsBeta. According to the documentation of that table, "All sign-in schema information will eventually move to the IdentityLogonEvents table".
I cannot find the SessionID in Sentinel anywhere other than in CloudAppEvents. Is this expected? How are we supposed to investigate stolen sessions without the sessionId information in Sentinel?