Categories AdvancedHunting-IdentityLogonEvents are not supported.

Shahani Silva 0 Reputation points
2025-02-25T10:08:02.3966667+00:00

Hi All,

I am getting this error (Server error - Categories AdvancedHunting-IdentityLogonEvents are not supported) when trying to onboard the Identity tables to Sentinel.

I checked the client's Defender portal and they have the IdentityLogonEvents table, with no data. They also have an E5 O365 license (no Teams) but I can see that Defender for Identity is selected in one of their accounts.

The account that they are using to do the configuration has global and security admin, and we have given them the contributor role from our tenant.

Does anyone have any idea what the issue might be?

Thanks in advance

Microsoft Sentinel

1 answer

  1. Givary-MSFT 35,456 Reputation points Microsoft Employee
    2025-02-28T08:53:28.7033333+00:00

    @Anonymous Apologies for the delayed response. As per our documentation, the IdentityLogonEvents table in the advanced hunting schema contains information about authentication activities made through your on-premises Active Directory captured by Microsoft Defender for Identity and authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps.

    Do you have that turned on in UEBA and Defender for Identity enabled and licensed?

    Also, I would recommend reviewing their security.microsoft.com instance to check what is enabled and what's not.

    Let me know if you have any further questions; feel free to post back.
