DFI/DFE and IdentityQueryEvents DNS events
Should I expect to see any DNS query events from DFE endpoints in the IdentityQueryEvents schema table if I have DFI enabled? This doc - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide#get-schema-information-in-the-security-center - states the IdentityQueryEvents schema is for "Queries for Active Directory objects, such as users, groups, devices, and domains", but I my understanding was DNS query events from DFE endpoints would show up in the DeviceNetworkEvents schema table.
No alerts getiing displayed ( DEFENDER FOR IDENTITY )
Hi, so i've recently setup the senor on DC and the status is healthy and running and i'm also able to recieve the test syslog on my SIEM, but i'm not getting any actual alerts on my SIEM or on the Cloud apps portal under the alerts and yes i;ve enabled the cloudapp - identity integration. What could be the issue ? Or How long does it takes for the alerts to actually get displayed once the sensor is deployed ?
Is Streaming API Free to Use?
I would like to use the Streaming API in the link detailed below https://docs.microsoft.com/en-us/microsoft-365/security/defender/streaming-api?view=o365-worldwide However, I can't seem to find if this is a paid additional feature or not. Our business has the Enterprise O365 security stack but wasn't sure if this was an additional cost. Can anyone confirm if Streaming API is a paid feature or not?
