Once Microsoft Defender for Endpoint has been installed properly on a device, a device page will be generated in the portal. You can review all recorded events in the timeline tab in the device page, or in advanced hunting page. This section troubleshoots the case of some or all expected events are missing. For instance, if all CreatedFile events are missing.
Contents
Missing network and login events
Microsoft Defender for Endpoint utilized audit framework from linux to track network and login activity.
- Make sure audit framework is working.
Bash
service auditd statusexpected output:
Output● auditd.service - Security Auditing Service Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled) Active: active (running) since Mon 2020-12-21 10:48:02 IST; 2 weeks 0 days ago Docs: man:auditd(8) https://github.com/linux-audit/audit-documentation Process: 16689 ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE) Process: 16665 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS) Main PID: 16666 (auditd) Tasks: 25 CGroup: /system.slice/auditd.service ├─16666 /sbin/auditd ├─16668 /sbin/audispd ├─16670 /usr/sbin/sedispatch └─16671 /opt/microsoft/mdatp/sbin/mdatp_audisp_plugin -d - If
auditdis marked as stopped, start it.Bashservice auditd start
On SLES systems, SYSCALL auditing in auditd might be disabled by default and can be accounted for missing events.
- To validate that SYSCALL auditing is not disabled, list the current audit rules:
Bash
sudo auditctl -lif the following line is present, remove it or edit it to enable Microsoft Defender for Endpoint to track specific SYSCALLs.
Output-a task, neveraudit rules are located at
/etc/audit/rules.d/audit.rules.
Missing file events
File events are collected with fanotify framework. In case some or all file events are missing, make sure fanotify is enabled on the device and that the file system is supported.
List the filesystems on the machine with:
df -Th