Troubleshoot missing events or alerts issues for Microsoft Defender for Endpoint on Linux

  • December 23, 2021
  • BEST Antivirus Staff 2

Contents

  1. Missing network and login events
  2. Missing file events

This article provides some general steps to mitigate missing events or alerts in the Microsoft 365 Defender portal.

Once Microsoft Defender for Endpoint has been installed properly on a device, a device page is generated in the portal. You can review all recorded events in the Timeline tab of the device page, or in the Advanced hunting page. This section covers the case where some or all expected events are missing, for instance when all CreatedFile events are absent.

Missing network and login events

Microsoft Defender for Endpoint uses the Linux audit framework (auditd) to track network and login activity.

  1. Make sure the audit framework is working:

       service auditd status

     Expected output:

       ● auditd.service - Security Auditing Service
          Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
          Active: active (running) since Mon 2020-12-21 10:48:02 IST; 2 weeks 0 days ago
            Docs: man:auditd(8)
                  https://github.com/linux-audit/audit-documentation
         Process: 16689 ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE)
         Process: 16665 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
        Main PID: 16666 (auditd)
           Tasks: 25
          CGroup: /system.slice/auditd.service
                  ├─16666 /sbin/auditd
                  ├─16668 /sbin/audispd
                  ├─16670 /usr/sbin/sedispatch
                  └─16671 /opt/microsoft/mdatp/sbin/mdatp_audisp_plugin -d

  2. If auditd is marked as stopped, start it:

       service auditd start

On SLES systems, SYSCALL auditing in auditd might be disabled by default, which can account for missing events.

  1. To validate that SYSCALL auditing is not disabled, list the current audit rules:

       sudo auditctl -l

     If the following line is present, remove it or edit it so that Microsoft Defender for Endpoint can track the specific SYSCALLs it needs:

       -a task,never

     Audit rules are located in /etc/audit/rules.d/audit.rules.

Missing file events

File events are collected with the fanotify framework. If some or all file events are missing, make sure fanotify is enabled on the device and that the file system is supported.

List the filesystems on the machine with:

  df -Th
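The checks from both sections above (auditd running, no rule suppressing SYSCALL auditing, fanotify available in the kernel, filesystem listing) gathered into one diagnostic script. This is an added example, not part of the Microsoft documentation or of the original article; it assumes the kernel config is readable from /boot/config-$(uname -r) or /proc/config.gz, and it is written so that each check can be exercised on captured command output.

```shell
#!/bin/sh
# Added diagnostic helper; not part of the Microsoft docs or this article.
# Each *_in function takes captured command output as its argument, so the
# logic can be exercised offline; run_checks wires them to the live commands.

# auditd is healthy if `service auditd status` reports it active (running).
auditd_active_in() {
    printf '%s\n' "$1" | grep -q 'Active: active (running)'
}

# `auditctl -l` shows the SYSCALL-suppressing rule as "-a task,never"; some
# auditctl versions print the fields as "-a never,task", so match both forms.
task_never_rule_in() {
    printf '%s\n' "$1" | grep -Eq '^-a[[:space:]]*(task,[[:space:]]*never|never,[[:space:]]*task)[[:space:]]*$'
}

# fanotify is compiled in when the kernel config carries CONFIG_FANOTIFY=y.
fanotify_enabled_in() {
    printf '%s\n' "$1" | grep -q '^CONFIG_FANOTIFY=y$'
}

# Run the live checks (auditctl needs root); returns the number of failures.
run_checks() {
    failures=0
    if auditd_active_in "$(service auditd status 2>/dev/null || true)"; then
        echo "OK   auditd is active"
    else
        echo "FAIL auditd is not running: try 'service auditd start'"
        failures=$((failures + 1))
    fi
    if task_never_rule_in "$(auditctl -l 2>/dev/null || true)"; then
        echo "FAIL '-a task,never' found: remove it from /etc/audit/rules.d/audit.rules"
        failures=$((failures + 1))
    else
        echo "OK   no rule disabling SYSCALL auditing"
    fi
    # Assumption: kernel config lives in /boot/config-<release> or /proc/config.gz.
    cfg=$( { cat "/boot/config-$(uname -r)" || zcat /proc/config.gz; } 2>/dev/null || true)
    if fanotify_enabled_in "$cfg"; then
        echo "OK   CONFIG_FANOTIFY=y in kernel config"
    else
        echo "FAIL fanotify not found in kernel config (or config unreadable)"
        failures=$((failures + 1))
    fi
    echo "Filesystems (confirm monitored paths are on a supported type):"
    df -Th
    return "$failures"
}

if [ "${1:-}" = "--run" ]; then run_checks; fi
```

Run it as root with `--run` on the affected device; the exit status is the number of failed checks, so it can be used from a remote-execution or monitoring job.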

Source: Official Microsoft Brand
Editor: BEST Antivirus KBS Team
