Inconsistent Last Log Received Data

Can anyone help me understand why the Microsoft Defender for Endpoint connector does not have a value in the Last Log Received field, but the Microsoft 365 Defender (Preview) connector does show Endpoint events from a few minutes ago?

I have values in both of mine (MDE even has it when the preview isn't enabled).
The preview is the new unified connector. In my experience, turning it on disables endpoint events from the old connector. I'd stick with the preview. The old connector will only do alerts and incidents (and maybe action center items), while with the new connector you can send events from advanced hunting. I have an environment still on the old connector; I'm going to switch it over to see if there is any impact on the old connector.

@-jmn- 

Done some digging. If you have just MDE enabled in the new unified connector, one should take over the other, but the last log received should be populated on both. The old connector is essentially doing this to get the last log time:

SecurityAlert
| where ProviderName == "MDATP"
| summarize arg_max(TimeGenerated, *)
| project LastLogTime = TimeGenerated

It also appears to run the query over a 7-day period. I imagine the preview connector looks something more like this:

SecurityAlert
| where ProviderName in ("MDATP", "MDI", "MDO", "MCAS")
| summarize arg_max(TimeGenerated, *) by ProviderName
| project ProviderName, TimeGenerated

This is oversimplified in order to compare to the original connector, but the point is the preview connector can send advanced hunting data. The original cannot. If you run the first query, does it return any results? If it doesn't, it is because the two connectors are sending different data: you just haven't received any Defender for Endpoint alerts in 7 days, while you have received advanced hunting data or other Defender product alerts.
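To check that explanation against your own workspace, the following KQL is an added example written for this thread (it is not from the replies above and not Microsoft's connector health query). It runs the alert-based freshness check that the old connector effectively performs and, in the same 7-day window, the event-table freshness that only the unified connector can populate, so the two "Last Log Received" values can be compared side by side. The Device* table names are the standard Microsoft Sentinel tables streamed by the Microsoft 365 Defender connector; it is assumed those raw-event streams are enabled in the connector, and the ProviderName values are the ones quoted in the reply above.

```kusto
// Added diagnostic example (not from the thread). Compares alert freshness per
// Defender product with advanced-hunting event freshness over the same window.
let lookback = 7d;   // same 7-day period the old connector appears to use
// Alert-based view: roughly what the original MDE connector health check measures.
let alertFreshness = SecurityAlert
    | where TimeGenerated > ago(lookback)
    | where ProviderName in ("MDATP", "MDI", "MDO", "MCAS")
    | summarize LastLogTime = max(TimeGenerated), Records = count()
        by Source = strcat("SecurityAlert/", ProviderName);
// Event-based view: raw advanced-hunting tables that only the unified
// (preview) connector streams into the workspace. Assumed to be enabled.
let eventFreshness = union withsource = TableName
        DeviceEvents, DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents,
        DeviceRegistryEvents, DeviceLogonEvents, DeviceImageLoadEvents
    | where TimeGenerated > ago(lookback)
    | summarize LastLogTime = max(TimeGenerated), Records = count() by Source = TableName;
// One table: each row is a data source with its most recent record and volume.
alertFreshness
| union eventFreshness
| extend MinutesSinceLastLog = datetime_diff("minute", now(), LastLogTime)
| order by LastLogTime desc
```

A source with no records in the window produces no row at all, which is exactly the situation behind an empty Last Log Received field: if `SecurityAlert/MDATP` is missing from the output while the `Device*` rows are minutes old, the old connector has nothing to report even though endpoint telemetry is arriving through the unified connector. Seeing `SecurityAlert/MDO` or `SecurityAlert/MCAS` rows without an `MDATP` row confirms the "other Defender product alerts" case described above.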