Issue
The Red Canary Portal or daily summary email indicates an endpoint is not collecting telemetry, and the Last Activity timestamp on the endpoint record is not updating. The user would like to use the Defender XDR console to validate whether a Defender for Endpoint agent is collecting data.
Environment
Microsoft Defender for Endpoint
Resolution
To verify that MDE is receiving process and network events you will need to perform the following steps:
- From the Defender XDR console, navigate to Investigation & Response > Hunting > Advanced Hunting
- Set desired time range of search
- Run either KQL query below to review process or network-related telemetry
- Substitute "Your Sensor ID Here" with the sensor ID shown in parentheses after the hostname in the Red Canary Portal (e.g. MyMachine01.domain.com (abc123def456ghi789jkl0123mno456pqr789stu0)), keeping the value in double quotes

  // Process telemetry search
  DeviceProcessEvents
  | where DeviceId == "Your Sensor ID Here"
  | order by Timestamp desc
  | limit 10

  // Network telemetry search
  DeviceNetworkEvents
  | where DeviceId == "Your Sensor ID Here"
  | order by Timestamp desc
  | limit 10
- In the table below the query field, the most recent Process or Network events the Defender agent has collected and sent to Microsoft will be returned
- If the host is online and actively collecting telemetry, the timestamps of these events should be close to real time, which is evidence that Defender XDR is collecting events for this host
- If data is not being returned, or the timestamps show aged data, the endpoint may not be collecting data, the host is offline, or the agent is using a new Sensor ID
- To identify a system with a new Sensor ID, try searching instead by hostname

  // Searching telemetry by hostname
  DeviceNetworkEvents
  | where DeviceName == "Your FQDN or hostname, as it appears in Defender XDR console"
  | order by Timestamp desc
  | limit 10
- If only this search returns up-to-date data, compare the Sensor ID to the record in Red Canary Portal. A difference in these values may indicate the Sensor ID has changed and the uncommunicative endpoint is a stale record ready to be decommissioned. Search the new Sensor ID in Red Canary to confirm.
- If the alternative search does not yield results, troubleshoot the agent, run Microsoft's client analyzer, or open a ticket with Microsoft Support
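The steps above run the process and network searches separately and leave the Sensor ID comparison to the reader. The following Advanced Hunting query is an added example, not part of the original Red Canary article, that combines both checks for one hostname: it returns the most recent event per DeviceId and per table, so a host that appears with two DeviceIds has changed Sensor ID, and a host whose latest events are older than the threshold is likely offline or not collecting. The hostname placeholder and the 24-hour staleness threshold are assumptions to be adjusted by the reader.

```kusto
// Added example (not from the Red Canary article). Assumed inputs:
// TargetHost is the device name as shown in the Defender XDR console,
// StaleAfter is an arbitrary threshold for calling a sensor stale.
let TargetHost = "Your FQDN or hostname, as it appears in Defender XDR console";
let StaleAfter = 24h;
union
  (DeviceProcessEvents
   | where DeviceName =~ TargetHost
   | project Timestamp, DeviceId, DeviceName, SourceTable = "DeviceProcessEvents"),
  (DeviceNetworkEvents
   | where DeviceName =~ TargetHost
   | project Timestamp, DeviceId, DeviceName, SourceTable = "DeviceNetworkEvents")
// One row per Sensor ID and table: more than one DeviceId for the same
// DeviceName means the agent has been re-onboarded under a new Sensor ID.
| summarize LastSeen = max(Timestamp), EventCount = count() by DeviceName, DeviceId, SourceTable
| extend AgeSinceLastEvent = now() - LastSeen
// Flag rows whose newest event is older than the threshold.
| extend Status = iff(AgeSinceLastEvent > StaleAfter, "stale or offline", "reporting")
| order by DeviceName asc, LastSeen desc
```

Compare each DeviceId in the result with the sensor ID recorded in the Red Canary Portal: the row marked "reporting" carries the current Sensor ID, and a second DeviceId marked "stale or offline" corresponds to the uncommunicative record that is a candidate for decommissioning. Set the Advanced Hunting time range wide enough to cover the period you expect the old Sensor ID to have been active, otherwise the stale row will not appear at all.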
Cause
The event timeline in the Defender XDR console shows events from multiple schema tables and is not reliably indicative of whether an endpoint is collecting telemetry. Meanwhile, the DeviceProcessEvents and DeviceNetworkEvents tables include the type of data Red Canary considers telemetry.