Share via

Microsoft Defender XDR Hunting Tables and Timeline Missing Despite Full E5 & Device Onboarding

Nitin Nagar 0 Reputation points
2025-06-10T21:07:02.9833333+00:00

Description: We are encountering a backend schema ingestion failure. Our device (bhtnitin01) is fully onboarded to Microsoft Defender for Endpoint, with Defender AV and sensor running in Normal mode.

The device is visible in the MDE device inventory

Defender AV: ✅ Normal

Sense service: ✅ Running

Real-time protection: ✅ Enabled

User has full E5 license and is a Global + Security Admin

However:

  • No timeline events are available for the device

Advanced Hunting shows no DeviceInfo, DeviceEvents, or MDE-related tables

We’ve confirmed it’s not an RBAC, license, or AV issue

Request: Force re-ingestion of MDE telemetry into Microsoft 365 Defender unified portal and repair broken schema sync.Description:

We are encountering a backend schema ingestion failure. Our device (bhtnitin01) is fully onboarded to Microsoft Defender for Endpoint, with Defender AV and sensor running in Normal mode.

The device is visible in the MDE device inventory

Defender AV: ✅ Normal

Sense service: ✅ Running

Real-time protection: ✅ Enabled

User has full E5 license and is a Global + Security Admin

However:

No timeline events are available for the device

Advanced Hunting shows no DeviceInfo, DeviceEvents, or MDE-related tables

We’ve confirmed it’s not an RBAC, license, or AV issue

Request: Force re-ingestion of MDE telemetry into Microsoft 365 Defender unified portal and repair broken schema sync.

Microsoft Security | Microsoft Defender | Other

5 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. adaltro muniz 0 Reputation points
    2026-04-23T19:31:43.31+00:00

    Estou enfrentando o seguinte problema. Tenho 2 dispositivos no portal de segurança com licença p2/MDE sensor ativo/operando, um gerenciado via intune e outro gerenciado via gpo. Ambos mostra na timeline o evento de um teste realizado internamente. Porém, apenas o gerenciado via intune mostra esse evento na busca avançada via KQL. Como resolver/visualizar na busca avançada o evento de ambos dispositivos?

    Was this answer helpful?

    0 comments
  2. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

    Comments have been turned off. Learn more

  3. Gubbala Hari Krishna Phani Kumar 0 Reputation points Microsoft External Staff
    2025-09-12T18:05:56.05+00:00

    To clarify:

    • Defender Timeline data is retained for up to 180 days, but only if the device is actively communicating with the Microsoft Defender for Endpoint (MDE) portal.
    • If the device is not communicating, the timeline will appear blank.
    • This can happen due to sensor misconfiguration, network restrictions, or service disruptions that prevent telemetry from reaching the portal.

    For timeline data to be visible, the device must be:

    • Properly onboarded to Defender for Endpoint
    • Actively sending telemetry to the MDE portal

    Was this answer helpful?

  4. Jose Benjamin Solis Nolasco 8,076 Reputation points Volunteer Moderator
    2025-06-10T23:33:57.1966667+00:00

    @Nitin Nagar I hope you are doing well,

    Welcome to Microsoft Q&A

    Looks like a issue with the backend telemetry please Open a Microsoft Support Case

    If telemetry is still not reaching Defender XDR, after you did those troubleshooting's steps

    • Re-ingest missing telemetry
    • Repair schema link between MDE and Defender XDR
    • Review RBAC, License and AV issues

    Use this link to start: Microsoft Support for Defender (https://learn.microsoft.com/en-us/defender-endpoint/contact-support)

    Choose issue: “Data not appearing in Advanced Hunting” or "Device timeline missing".

    And thats all for open the case...

    😊 If my answer helped you resolve your issue, please consider marking it as the correct answer. This helps others in the community find solutions more easily. Thanks!

    Was this answer helpful?

  5. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

    Comments have been turned off. Learn more

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.