Events missing fields in TDAD event data

Article ID: 247953

Products

Endpoint Security Complete Endpoint Threat Defense for Active Directory

Issue/Introduction

When running a cloud Threat Defense for Active Directory (TDAD) proof-of-concept (PoC) and testing event and incident generation, in some cases an event does not generate the corresponding incident in the Integrated Cyber Defense Manager (ICDm) console when it should. The event is visible in the client's activity history, but values are missing under the "Actor process" section of the event.

Environment

Component: Active Directory

Cause

File and folder exclusions that cover the test tools cause the protection engine not to track the related processes, so the event is recorded without its Actor process details.

Resolution

  1. Ensure the test computer is in a Device Group reserved for testing only
  2. Open the Antimalware policy assigned to the test Device Group, or create a new one if the group shares a policy with other Device Groups
  3. Under Intensity Level, click Show Advanced next to Advanced Intensity Settings
  4. Enable Monitor Mode so that detections are only logged and no action is taken
  5. Save and apply the policy to the test Device Group
  6. Confirm the policy has updated on the test computer, then copy any necessary tools out of the excluded folder to another location
  7. Run the PoC tests
  8. When done, delete the copies of the tools and either move the computer out of the test group or disable Monitor Mode in the Antimalware policy