Forum Discussion
Re: SecurityAlert (MDATP) showing disable and we are not receiving logs In sentinel from M365 Defender
Humza_Bukhari did you verify the permissions as well?
Try to run the query below on your analytics workspace to see if there are any logs ingested from Defender:
let Now = now();
// One row per day for the last 14 days, so days with no incidents still show as 0
(range TimeGenerated from ago(14d) to Now-1d step 1d
| extend Count = 0
| union isfuzzy=true (
    // Incidents created through the Microsoft 365 Defender connector
    SecurityIncident
    | where ProviderName == "Microsoft 365 Defender"
    | summarize Count = count() by bin_at(TimeGenerated, 1d, Now)
)
// Keep the daily incident count (max merges the 0-filled row with the real count)
| summarize Count=max(Count) by bin_at(TimeGenerated, 1d, Now)
| sort by TimeGenerated
| project Value = iff(isnull(Count), 0, Count), Time = TimeGenerated, Legend = "Events")
| render timechart
9 Replies
- LauriK000, Copper Contributor
LauriK000 that means you have data ingested into your analytics workspace through the connector. Did you try to simulate an alert in MDE to check if you will get an incident created in MDE? Don't forget to enable the analytic rule to trigger incidents.
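The query earlier in the thread only counts SecurityIncident rows, so it cannot tell "nothing from Defender is arriving" apart from "alerts arrive but no incident is created", which is the analytic-rule case raised in the reply above. The following KQL is an added example, not code from the thread, and assumes that MDE alerts in SecurityAlert carry ProviderName "MDATP" and connector incidents carry ProviderName "Microsoft 365 Defender":

```kql
// Added example (not from the thread): per-day counts of MDE alerts and
// Defender incidents side by side, with a status column for the gap pattern.
// Assumption: ProviderName values "MDATP" (SecurityAlert) and
// "Microsoft 365 Defender" (SecurityIncident) identify the connector's data.
let lookback = 14d;
let Alerts =
    SecurityAlert
    | where TimeGenerated > ago(lookback)
    | where ProviderName == "MDATP"
    | summarize AlertCount = count() by Day = bin(TimeGenerated, 1d);
let Incidents =
    SecurityIncident
    | where TimeGenerated > ago(lookback)
    | where ProviderName == "Microsoft 365 Defender"
    | summarize IncidentCount = count() by Day = bin(TimeGenerated, 1d);
// One row per day so silent days are visible instead of missing
range Day from bin(ago(lookback), 1d) to bin(now(), 1d) step 1d
| join kind=leftouter Alerts on Day
| join kind=leftouter Incidents on Day
| project Day,
          AlertCount = coalesce(AlertCount, 0),
          IncidentCount = coalesce(IncidentCount, 0)
| extend Status = case(
      AlertCount == 0 and IncidentCount == 0, "nothing ingested",
      AlertCount > 0 and IncidentCount == 0, "alerts only: check incident creation rule",
      "alerts and incidents")
| sort by Day asc
```

A run of "alerts only" rows points at incident creation in Sentinel rather than at the connector; a run of "nothing ingested" rows points at the connector or its permissions.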
- Humza_Bukhari, Copper Contributor
elieelkarkafi yes, I have verified the permissions I have. Plus, this is the response I get by running the query which you provided.
Humza_Bukhari ok, let's do this exercise: from one of your devices onboarded to MDE, create a malicious test file using the link below, save it as EICAR.com on the desktop, and let MDE catch it and remediate it. Check the alerts in the portal and keep an eye on Sentinel at the same time to see if this triggers the signal.
How to Create a Malicious Test File (EICAR) - Carbon Black Community
- Humza_Bukhari, Copper Contributor
elieelkarkafi hi bro, I have configured and connected the Defender data connector with Microsoft Sentinel, but I am still unable to receive this data.