What is the source of these logs in Microsoft 365 Security portal

RT-7199 511 Reputation points
2021-01-27T05:23:08.073+00:00

Under Advanced Hunting in the security.microsoft.com portal I can find logs of logon attempts between 2 on-prem servers, from a 2016 server to a DC. I cannot figure out how they ended up in the Microsoft 365 portal. These are the agents installed on the DC.

60788-screenshot-2021-01-26-204712.jpg
60814-screenshot-2021-01-26-090715.jpg

If this is from the ATP sensor, then why don't I see DeviceInfo or DeviceNetworkEvents for either server like I do for workstations?

DeviceInfo
| where DeviceName contains "dc-xxxx"

I don't get any results for the above query when it is run for a server, but I do get server results for an IdentityLogonEvents query.


1 answer

  1. RT-7199 511 Reputation points
    2021-01-29T06:48:37.767+00:00

    @James Hamil For the second part, the DeviceNetworkEvents logs: as I understand it, we have to install the MMA agent.
    For the first, sign-in logs in LAW only show logs of Azure AD. The screenshot shows the logs from an on-prem server to an on-prem DC. I think it is the MDI agent that is sending logs and ending up in the Microsoft 365 security portal.
