@James Hamil For the second part, DeviceNetworkEvents logs, as I understand it, we have to install the MMA agent.
For the first, sign-in logs in LAW only show logs of Azure AD. The screenshot shows the logs from an on-prem server to an on-prem DC. I think it is the MDI agent that is sending the logs that end up in the Microsoft 365 security portal.
What is the source of these logs in the Microsoft 365 Security portal?
RT-7199 511 Reputation points
Under Advanced Hunting in the security.microsoft.com portal I can find logs of logon attempts between 2 on-prem servers, from a 2016 server to a DC. I cannot figure out how they ended up in the Microsoft 365 portal. These are the agents installed on the DC.
If this is from the ATP sensor, then why don't I see DeviceInfo or DeviceNetworkEvents for either server like I do for workstations?
DeviceInfo
| where DeviceName contains "dc-xxxx"
I don't get any results for the above query when it is run for a server, but I do get server results for an IdentityLogonEvents query.
1 answer
RT-7199 511 Reputation points
2021-01-29T06:48:37.767+00:00