search
ProductBook a demoOpen app

Microsoft 365 Defender Data Troubleshooting

Troubleshoot data issues related to Microsoft 365 Defender endpoint data.

In this guide, you will troubleshoot Microsoft Defender for Endpoint data issues in Radiant Security, including ingestion failures, missing events, and delayed alerts.

hashtag
Verify that devices are present in the portal

  1. Open the Microsoft security portal at https://security.microsoft.com/arrow-up-right.

  2. Navigate to Assets > Devices.

  3. Under Computers & Mobile, verify that all expected devices are present in the portal.

  4. If all of the expected devices are listed here, proceed to the next section, if not, your devices may not be enrolled in Microsoft 365 Defender for Endpoint

hashtag
Verify that endpoint data is available

This section will help you determine if the expected devices are producing endpoint data that the connection is able to query and fetch.

  1. Open the Microsoft security portal at https://security.microsoft.com/arrow-up-right

  2. Navigate to Hunting > Advanced Hunting.

  3. Create a new query by clicking the + button. Then, run the following queries over the last 7 days:

  1. Verify the outputs and determine if the results match the expected number of devices producing data. The following screenshots provide examples of 2 enrolled devices and 2 devices producing data.

If these two troubleshooting steps show fewer devices than expected, then the devices have either not been enrolled in in Microsoft 365 Defender for Endpoint or, they may be enrolled in another account.

circle-info

Note: If you can see the number of devices expected, this may indicate that the Radiant Security Service account does not have the permissions to see the number of devices that your account has access to.

PreviousFeedback & Support ButtonNextSubmit a feature request

Last updated

Was this helpful?