Azure / Azure-Sentinel

Cloud-native SIEM for intelligent security analytics for your entire enterprise.
https://azure.microsoft.com/en-us/services/azure-sentinel/
MIT License

Azure Sentinel Solution Defender XDR missing fields in table DeviceProcessEvents #11034

Closed MikeP324 closed 1 month ago

MikeP324 commented 2 months ago

Describe the bug
The Azure Sentinel Solution Defender XDR is missing the following fields in the table DeviceProcessEvents.

To Reproduce
Steps to reproduce the behavior:

  1. Using Defender Advanced Hunting, review the schema for table DeviceProcessEvents.
  2. Using the Sentinel Logs view, review the schema for table DeviceProcessEvents.
  3. Note the missing fields.

Expected behavior
The fields should be present; having these fields would assist in using Sentinel to search for RDP sessions.

v-rusraut commented 2 months ago

Hi @MikeP324, thanks for flagging this issue. We will investigate it and get back to you with updates by 05-09-2024. Thanks!

v-rusraut commented 1 month ago

Hi @MikeP324,

Please share the schema definition of table DeviceProcessEvents from both the Defender portal and the Sentinel side to the email ID below. Email ID: v-rusraut@microsoft.com. Please refer to the query below to get the schema definition:

DeviceProcessEvents
| getschema 

Thanks

MikeP324 commented 1 month ago

Hi @v-rusraut, I have attached the schema information for both sides as requested.

DeviceProcessEvents - Schema - Defender.csv
DeviceProcessEvents - Schema - Sentinel.csv
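The thread compares two `getschema` exports of the same table by hand. The script below is an added example, not code from the issue or the Azure-Sentinel repository: it reads two CSV exports shaped like `DeviceProcessEvents | getschema` output (columns ColumnName, ColumnOrdinal, DataType, ColumnType), reports columns present on one side but not the other plus columns whose KQL type differs, and uses fuzzy matching to flag a probable typo in a column name before it gets filed as a "missing field". The two CSV bodies are constructed samples with a handful of rows; they are not the reporter's attachments, and the ProcessId type difference is illustrative only.

```python
"""Diff two `getschema` CSV exports of the same table (e.g. Defender XDR vs Sentinel)."""
import csv
import difflib
import io

# Constructed sample exports in the shape of `DeviceProcessEvents | getschema`
# (ColumnName, ColumnOrdinal, DataType, ColumnType). Not the real attachments.
DEFENDER_CSV = """ColumnName,ColumnOrdinal,DataType,ColumnType
Timestamp,0,System.DateTime,datetime
DeviceId,1,System.String,string
DeviceName,2,System.String,string
FileName,3,System.String,string
ProcessId,4,System.Int64,long
InitiatingProcessRemoteSessionDeviceName,5,System.String,string
InitiatingProcessRemoteSessionIP,6,System.String,string
"""

SENTINEL_CSV = """ColumnName,ColumnOrdinal,DataType,ColumnType
TimeGenerated,0,System.DateTime,datetime
Timestamp,1,System.DateTime,datetime
DeviceId,2,System.String,string
DeviceName,3,System.String,string
FileName,4,System.String,string
ProcessId,5,System.Int32,int
"""


def load_schema(csv_text):
    """Map ColumnName -> ColumnType (the KQL type) from a getschema CSV export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["ColumnName"]: row["ColumnType"] for row in reader}


def compare_schemas(defender_csv, sentinel_csv):
    """Return columns missing on each side and columns whose KQL type differs."""
    defender = load_schema(defender_csv)
    sentinel = load_schema(sentinel_csv)
    common = defender.keys() & sentinel.keys()
    return {
        "missing_in_sentinel": sorted(defender.keys() - sentinel.keys()),
        "missing_in_defender": sorted(sentinel.keys() - defender.keys()),
        # (column, defender type, sentinel type) for every type disagreement
        "type_mismatches": sorted(
            (name, defender[name], sentinel[name])
            for name in common
            if defender[name] != sentinel[name]
        ),
    }


def suggest_column(name, csv_text, cutoff=0.8):
    """Closest existing column names to `name`, to catch typos before reporting a
    column as missing (e.g. RemoteDeviceName vs RemoteSessionDeviceName)."""
    columns = list(load_schema(csv_text))
    return difflib.get_close_matches(name, columns, n=3, cutoff=cutoff)


if __name__ == "__main__":
    result = compare_schemas(DEFENDER_CSV, SENTINEL_CSV)
    for key, values in result.items():
        print(f"{key}:")
        for value in values:
            print(f"  {value}")
    # Column name as originally typed in the issue, checked against the Defender export
    print("did you mean:", suggest_column("InitiatingProcessRemoteDeviceName", DEFENDER_CSV))
```

Run it against the real exports by reading each CSV file into a string and passing the two strings to `compare_schemas`; a column that shows up under `missing_in_sentinel` but has a close match from `suggest_column` is usually a typo rather than a connector gap, which is exactly what the exchange below turned out to be.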

v-rusraut commented 1 month ago

Hi @MikeP324, there is no column named 'InitiatingProcessRemoteDeviceName' on the Defender side. Are you referring to the column 'InitiatingProcessRemoteSessionDeviceName'?

MikeP324 commented 1 month ago

Hi @v-rusraut, I just checked, and it was a typo on my part.

The correct column is 'InitiatingProcessRemoteSessionDeviceName'.

v-rusraut commented 1 month ago

Hi @MikeP324, could you please open a support case in the Azure portal, so our support team can check on your issue and, if required, connect with the respective teams? Please let us know once you have opened the case, so we can close this on GitHub.

MikeP324 commented 1 month ago

@v-rusraut - It just happens that I received a comment from Saar Cohen on 9 September on the article https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/detect-compromised-rdp-sessions-with-microsoft-defender-for/ba-p/4201003

The comment was that they were looking to fix this issue by the end of the month, so fingers crossed I don't need to open an Azure support ticket.

v-rusraut commented 1 month ago

Hi @MikeP324, thanks for your response; we are closing this issue for now. If you still need support for this issue, feel free to re-open it at any time. Thank you for your cooperation.