Sec. bug in Sentinel - Microsoft not taking seriously


I am not going to make this post overly complicated... 

 

DeviceFileEvents table is rarely accurate even when you would need it most

 

Take 1 line of C++

 

rename("C:\\temp\\shouldwork.xlsx","c:\\temp\\shouldwork.xlsx.veryevil");

 

As we know, ransomware frequently renames files... however, compile that into a C++ exe and your Excel doc will be renamed and no log will exist for that in Sentinel.... In my support ticket, Microsoft admitted they don't log everything (seriously, not even from a never-seen-before EXE file? This is laughable for a security tool).

 

So yeah, just be aware your "security" rules may never even work if an incident happens...

 

The irony is Microsoft wants us to pay for more support to get this "Fixed" even though we are doing them a favor by finding a security glitch in the product. The support has been awful.

 

Can someone at Microsoft please look into why Sentinel doesn't log Every Single file rename attempt from never-seen-before EXE files? Very bad design....

 

We have found at least 3 other similar issues and no one cares to address or get the problem fixed...

 

The argument of having too much data to log is very stupid because at the least you should be logging events from uncommon/never-seen-before EXEs. Bad design....

 

Same thing for DLL Load events and DeviceEvents ActionTypes... don

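A way to check this coverage gap in your own workspace, as an added example that is not part of the original post: run the rename test from the post on a few hosts, record where and when, then compare that list against the `FileRenamed` rows in DeviceFileEvents. The host names and run times are constructed placeholders, and the 10-minute tolerance is an assumption.

```kusto
// Added example, not from the original post.
// Constructed list of hosts and times at which the rename test was run by hand.
// Replace these rows with your own test runs (DeviceName must match the table's casing).
let TestRuns = datatable(DeviceName:string, RunTime:datetime)
[
    "host-a.example.test", datetime(2024-01-15 10:00:00),
    "host-b.example.test", datetime(2024-01-15 10:05:00)
];
let Window = 10m;   // assumption: tolerance around each recorded run time
let From = toscalar(TestRuns | summarize min(RunTime)) - Window;
let To   = toscalar(TestRuns | summarize max(RunTime)) + Window;
// Rename events that match the file names used in the post's test.
// In Sentinel, TimeGenerated can be used in place of Timestamp.
let Logged = DeviceFileEvents
    | where Timestamp between (From .. To)
    | where ActionType == "FileRenamed"
    | where PreviousFileName =~ "shouldwork.xlsx"
        and FileName =~ "shouldwork.xlsx.veryevil"
    | project DeviceName, EventTime = Timestamp, FolderPath,
              InitiatingProcessFileName, InitiatingProcessSHA256;
// Left outer join keeps every test run, including those with no event at all.
TestRuns
| join kind=leftouter Logged on DeviceName
| extend InWindow = isnotnull(EventTime)
    and EventTime >= RunTime - Window
    and EventTime <= RunTime + Window
| summarize RenameEvents = countif(InWindow),
            Processes    = make_set_if(InitiatingProcessFileName, InWindow)
    by DeviceName, RunTime
| extend Verdict = iff(RenameEvents > 0, "logged", "NOT logged")
| order by Verdict asc, DeviceName asc
```

Any row with the verdict `NOT logged` is a host where a rule built on `FileRenamed` events would not have fired for that test.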