Bert-JanP / Hunting-Queries-Detection-Rules

KQL Queries. Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules.
https://kqlquery.com
BSD 3-Clause "New" or "Revised" License

Defender For Cloud Apps /MITREBehaviors.md cannot pull from Behaviorinfo/BehaviorEntities tables #47

Closed verdensdalle closed 2 months ago

verdensdalle commented 2 months ago

Hi,

I'm having trouble with Behavior Detections in Sentinel. It states that you should be able to pull from the BehaviorInfo/BehaviorEntities tables from Sentinel. However, I cannot pull from these tables, and the connectors are in place. I also cannot confirm in any MS documentation that you should be able to, only that you can do it in the Defender portal using Advanced Hunting (which works).

Am I missing something? Or can you only do it from the Defender portal/Advanced Hunting?

Bert-JanP commented 2 months ago

Hi.

The BehaviorInfo (and BehaviorEntities) tables in Advanced Hunting are related to Defender for Cloud Apps activities; at the moment these tables cannot be forwarded to Sentinel.

The behavior tables (such as BehaviorAnalytics) in Sentinel to which you refer are related to UEBA and not accessible in Advanced Hunting.

If you have unified XDR you can use Sentinel data in combination with this data in advanced hunting.
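As an added example (not part of this issue thread or of the repository's MITREBehaviors.md), a query that correlates BehaviorInfo with BehaviorEntities on BehaviorId and groups the result by MITRE technique. It is meant to be run in Defender XDR Advanced Hunting, which is where these two tables live; pasted into a plain Sentinel Log Analytics workspace it will not resolve the table names, because BehaviorInfo/BehaviorEntities are not ingested there. The column names follow the Advanced Hunting schema for the two tables; the 7-day lookback, the ServiceSource string and the EntityType value are assumptions chosen for illustration.

```kql
// Added example, not from the repository. Runs in Defender XDR Advanced Hunting only:
// BehaviorInfo/BehaviorEntities are not forwarded to Sentinel (see the reply above).
let lookback = 7d;                       // assumption: example lookback window
BehaviorInfo
| where Timestamp > ago(lookback)
// assumption: restrict to Defender for Cloud Apps behaviors, the source of these tables
| where ServiceSource == "Microsoft Defender for Cloud Apps"
| where isnotempty(AttackTechniques)
| join kind=inner (
    BehaviorEntities
    | where Timestamp > ago(lookback)
    | where EntityType == "User"          // assumption: keep only user entities
    | project BehaviorId, EntityRole, AccountUpn, AccountObjectId
) on BehaviorId
// AttackTechniques is stored as a JSON array in a string; expand one row per technique
| extend Techniques = parse_json(AttackTechniques)
| mv-expand Technique = Techniques
| summarize Behaviors = dcount(BehaviorId),
            Accounts = make_set(AccountUpn, 20),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by ActionType, Technique = tostring(Technique), Categories
| order by Behaviors desc
```

In a tenant connected to the unified SecOps portal the same Advanced Hunting query can be joined to Sentinel tables (for example SigninLogs on AccountObjectId) from the Defender side; the reverse, querying BehaviorInfo from the Sentinel workspace, is still not possible.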