Closed MikeP324 closed 1 month ago
Hi @MikeP324 , Thanks for flagging this issue, we will investigate this issue and get back to you with some updates by 05-09-2024. Thanks!
Hi @MikeP324,
Please share the schema definition of table DeviceProcessEvents
from both the Defender Portal and the Sentinel side to the email id below.
Email ID : v-rusraut@microsoft.com
Please refer to the query below to get the schema definition:
DeviceProcessEvents
| getschema
Thanks
Hi @v-rusraut, I have attached the schema information for both sides as requested.
DeviceProcessEvents - Schema - Defender.csv DeviceProcessEvents - Schema - Sentinel.csv
Hi @MikeP324, there is no column present with the name 'InitiatingProcessRemoteDeviceName' on the Defender side. Are you referring to the column 'InitiatingProcessRemoteSessionDeviceName'?
Hi @v-rusraut, just checked and it was a typo on my part.
The correct column is 'InitiatingProcessRemoteSessionDeviceName'.
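The thread above compares the DeviceProcessEvents schema on the Defender and Sentinel sides by exporting `getschema` output from each and looking for the column 'InitiatingProcessRemoteSessionDeviceName'. The script below is an added example, not code from the issue or from Microsoft: it parses two getschema-style CSV exports and reports columns present on one side but not the other, plus any type mismatches, so a reporter can attach a precise list instead of eyeballing two spreadsheets. The two CSVs embedded here are constructed samples with a handful of columns; the only column names taken from the thread are DeviceProcessEvents and InitiatingProcessRemoteSessionDeviceName, and the CSV header (ColumnName, ColumnOrdinal, DataType, ColumnType) is the header that Kusto's getschema operator produces.

```python
import csv
import io
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample: what "DeviceProcessEvents | getschema" might export from the
# Defender portal. Only a few columns are listed to keep the example short.
DEFENDER_CSV = """ColumnName,ColumnOrdinal,DataType,ColumnType
Timestamp,0,System.DateTime,datetime
DeviceName,1,System.String,string
ProcessCommandLine,2,System.String,string
InitiatingProcessRemoteSessionDeviceName,3,System.String,string
"""

# Constructed sample: the same query exported from the Sentinel (Log Analytics) side.
# It carries Sentinel-only bookkeeping columns and lacks the remote-session column.
SENTINEL_CSV = """ColumnName,ColumnOrdinal,DataType,ColumnType
TenantId,0,System.String,string
TimeGenerated,1,System.DateTime,datetime
Timestamp,2,System.DateTime,datetime
DeviceName,3,System.String,string
ProcessCommandLine,4,System.String,string
"""


class SchemaDiff(NamedTuple):
    missing_in_sentinel: List[str]          # columns Defender has, Sentinel lacks
    missing_in_defender: List[str]          # columns Sentinel has, Defender lacks
    type_mismatches: List[Tuple[str, str, str]]  # (column, defender_type, sentinel_type)


def parse_getschema_csv(text: str) -> Dict[str, str]:
    """Map ColumnName -> ColumnType from a getschema CSV export."""
    reader = csv.DictReader(io.StringIO(text))
    schema: Dict[str, str] = {}
    for row in reader:
        name = row["ColumnName"].strip()
        if not name:
            continue  # skip blank trailing rows that spreadsheet exports often add
        schema[name] = row["ColumnType"].strip()
    return schema


def diff_schemas(defender: Dict[str, str], sentinel: Dict[str, str]) -> SchemaDiff:
    """Compare two column->type maps and report differences in a stable order."""
    missing_in_sentinel = sorted(set(defender) - set(sentinel))
    missing_in_defender = sorted(set(sentinel) - set(defender))
    mismatches = [
        (col, defender[col], sentinel[col])
        for col in sorted(set(defender) & set(sentinel))
        if defender[col] != sentinel[col]
    ]
    return SchemaDiff(missing_in_sentinel, missing_in_defender, mismatches)


def check_required(schema: Dict[str, str], required: List[str]) -> List[str]:
    """Return the subset of `required` columns absent from `schema`.

    Useful when a detection query depends on specific columns and you want to
    verify a workspace before deploying it.
    """
    return [col for col in required if col not in schema]


def report(table: str, diff: SchemaDiff) -> str:
    """Render the diff as plain text suitable for pasting into an issue."""
    lines = [f"Schema comparison for {table}"]
    lines.append("Missing on Sentinel side: " + (", ".join(diff.missing_in_sentinel) or "none"))
    lines.append("Missing on Defender side: " + (", ".join(diff.missing_in_defender) or "none"))
    for col, d_type, s_type in diff.type_mismatches:
        lines.append(f"Type mismatch: {col} is {d_type} in Defender but {s_type} in Sentinel")
    return "\n".join(lines)


if __name__ == "__main__":
    defender_schema = parse_getschema_csv(DEFENDER_CSV)
    sentinel_schema = parse_getschema_csv(SENTINEL_CSV)
    diff = diff_schemas(defender_schema, sentinel_schema)
    print(report("DeviceProcessEvents", diff))
    needed = ["InitiatingProcessRemoteSessionDeviceName"]
    print("Columns a remote-session query needs but Sentinel lacks:",
          check_required(sentinel_schema, needed))
```

To run it against real exports, replace the two embedded strings with the contents of the CSV files saved from each portal; the parser ignores ColumnOrdinal, so the column order on each side does not matter.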
Hi @MikeP324, could you please open a support case in the Azure portal, so our support team can check on your issue and, if required, connect with the respective teams. Please let us know once you open the case, so we can close this from GitHub.
@v-rusraut - It just happens that I received a comment from a Saar Cohen on the 9th September against the article - https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/detect-compromised-rdp-sessions-with-microsoft-defender-for/ba-p/4201003
The comment was that they were looking to fix this issue by the end of the month, so fingers crossed I don't need to open an Azure support ticket.
Hi @MikeP324, thanks for your response, so we are currently closing this issue. If you still need support for this issue, feel free to re-open it at any time. Thank you for your co-operation.
Describe the bug: The Azure Sentinel Solution Defender XDR is missing the following fields in the table DeviceProcessEvents.
To Reproduce: Steps to reproduce the behavior:
Expected behavior: The fields should be present; having these fields would assist in using Sentinel for searching for RDP sessions.