SessionID in IdentityLogonEvents?

Copper Contributor

Hi,

The SessionId information is not available in IdentityLogonEvents. The SessionID data can only be found in the XDR table AADSignInEventsBeta. According to the documentation of that table "All sign-in schema information will eventually move to the IdentityLogonEvents table".

I cannot find the SessionID in Sentinel anywhere else than in CloudAppEvents. Is this expected? How are we supposed to investigate stolen sessions without the sessionId information in Sentinel?

 

0 Replies