Once Microsoft Defender for Endpoint has been installed properly on a device, a device page will be generated in the portal. You can review all recorded events in the timeline tab in the device page, or in advanced hunting page. This section troubleshoots the case of some or all expected events are missing. For instance, if all CreatedFile events are missing.
Missing network and login events
Microsoft Defender for Endpoint utilized
audit framework from linux to track network and login activity.
- Make sure audit framework is working.
service auditd status
● auditd.service - Security Auditing Service Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled) Active: active (running) since Mon 2020-12-21 10:48:02 IST; 2 weeks 0 days ago Docs: man:auditd(8) https://github.com/linux-audit/audit-documentation Process: 16689 ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE) Process: 16665 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS) Main PID: 16666 (auditd) Tasks: 25 CGroup: /system.slice/auditd.service ├─16666 /sbin/auditd ├─16668 /sbin/audispd ├─16670 /usr/sbin/sedispatch └─16671 /opt/microsoft/mdatp/sbin/mdatp_audisp_plugin -d
auditdis marked as stopped, start it.Bash
service auditd start
On SLES systems, SYSCALL auditing in
auditd might be disabled by default and can be accounted for missing events.
- To validate that SYSCALL auditing is not disabled, list the current audit rules:
sudo auditctl -l
if the following line is present, remove it or edit it to enable Microsoft Defender for Endpoint to track specific SYSCALLs.Output
-a task, never
audit rules are located at
Missing file events
File events are collected with
fanotify framework. In case some or all file events are missing, make sure
fanotify is enabled on the device and that the file system is supported.
List the filesystems on the machine with: