Oct 03 2022 10:45 AM
Can anyone help me understand why the Microsoft Defender for Endpoint connector does not have a value in the Last Log Received field, but the Microsoft 365 Defender (Preview) connector does show Endpoint events from a few minutes ago?
Oct 03 2022 12:59 PM
Oct 04 2022 06:03 AM
Oct 04 2022 07:57 AM
Done some digging. If you have just MDE enabled in the new unified connector, one should take over the other, but the last log received should be populated on both. The old connector is essentially doing this to get the last log time:
SecurityAlert
| where ProviderName == "MDATP"
| summarize arg_max(TimeGenerated, *)
| project LastLogTime = TimeGenerated
It also appears to run the query over a 7-day period. I imagine the preview connector looks something more like this:
SecurityAlert
| where ProviderName in ("MDATP", "MDI", "MDO", "MCAS")
| summarize arg_max(TimeGenerated, *) by ProviderName
| project ProviderName, TimeGenerated
This is oversimplified in order to compare to the original connector, but the point is the preview connector can send advanced hunting data. The original cannot. If you run the first query, does it return any results? If it doesn't, it is because the two connectors are sending different data: you just haven't received any Defender for Endpoint alerts in 7 days, while you have received advanced hunting data or other Defender product alerts.
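To check this in one pass, here is an added KQL query (not part of the thread, and not the connector's own health query) that reports the last ingest time for each Defender alert provider in SecurityAlert alongside the advanced hunting tables the preview connector can stream. It assumes the Device* tables exist in your workspace; `union isfuzzy=true` lets the query still run for tables you have not enabled.

```kusto
// Added example: last ingest time per Defender source over the same 7-day window
// the old connector uses, so an empty "Last Log Received" can be traced to a
// source that genuinely sent nothing (e.g. no MDATP alerts) rather than a connector fault.
let lookback = 7d;
union isfuzzy=true
    (SecurityAlert
     | where TimeGenerated > ago(lookback)
     | where ProviderName in ("MDATP", "MDI", "MDO", "MCAS")
     // Same per-provider last-seen logic as the preview connector query above
     | summarize LastLogTime = max(TimeGenerated) by Source = strcat("SecurityAlert/", ProviderName)),
    (DeviceEvents
     | where TimeGenerated > ago(lookback)
     | summarize LastLogTime = max(TimeGenerated) by Source = "DeviceEvents"),
    (DeviceProcessEvents
     | where TimeGenerated > ago(lookback)
     | summarize LastLogTime = max(TimeGenerated) by Source = "DeviceProcessEvents"),
    (DeviceNetworkEvents
     | where TimeGenerated > ago(lookback)
     | summarize LastLogTime = max(TimeGenerated) by Source = "DeviceNetworkEvents"),
    (DeviceLogonEvents
     | where TimeGenerated > ago(lookback)
     | summarize LastLogTime = max(TimeGenerated) by Source = "DeviceLogonEvents")
// Age in minutes makes it obvious which sources are current and which are silent
| extend MinutesSinceLast = datetime_diff('minute', now(), LastLogTime)
| order by LastLogTime desc
```

A row for SecurityAlert/MDATP that is missing entirely, while the Device* rows are minutes old, reproduces exactly the symptom described in the question.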