Forum Discussion

Humza_Bukhari's avatar
Humza_Bukhari
Copper Contributor
Sep 22, 2023

SecurityAlert (MDATP) showing disable and we are not receiving logs In sentinel from M365 Defender

We have tried every possible way but still we are unable to receive any logs after connecting the data connector in sentinel for microsoft defender 365 .  SecurityAlert (MDATP) is showing disable . s...
Humza_Bukhari's avatar
Humza_Bukhari
Copper Contributor
Sep 22, 2023

elieelkarkafi  yes as you can see i have already created this but unfortunately didnt get any logs . i have tried every possible way but all in vain

 

elieelkarkafi's avatar
elieelkarkafi
MVP
Sep 22, 2023

Humza_Bukhari did you verified the permissions as well? 

 

try to run the below query on your analytic workspace to see if there is any logs ingested from defender 

 

let Now = now();
(range TimeGenerated from ago(14d) to Now-1d step 1d
| extend Count = 0
| union isfuzzy=true (
SecurityIncident
| where ProviderName == "Microsoft 365 Defender"
| summarize Count = count() by bin_at(TimeGenerated, 1d, Now)
)
| summarize Count=max(Count) by bin_at(TimeGenerated, 1d, Now)
| sort by TimeGenerated
| project Value = iff(isnull(Count), 0, Count), Time = TimeGenerated, Legend = "Events")
| render timechart

 

 

  • elieelkarkafi's avatar
    elieelkarkafi
    MVP
    Oct 18, 2023

    LauriK000 thats means you have data ingested to the your analytics workspace through the connector . did you try to simulate an alert in MDE to check if your will get an incident created in MDE ? Dont forget to enable the Analytic rule to trigger incidents 

  • LauriK000's avatar
    LauriK000
    Copper Contributor
    Oct 18, 2023

    Hi elieelkarkafi 

    I have the same issue but the given command gives me the following response.

     

  • elieelkarkafi's avatar
    elieelkarkafi
    MVP
    Sep 26, 2023
    if you configured and checked all the above option and you triggered an alert and still no data ingested to sentinel to MDE , than you have something wrong in the backend and the only way is to contact the Microsoft security support team to check your tenant
  • Humza_Bukhari's avatar
    Humza_Bukhari
    Copper Contributor
    Sep 26, 2023
    Please guide me how can i get these logs into the sentinel.
  • Humza_Bukhari's avatar
    Humza_Bukhari
    Copper Contributor
    Sep 26, 2023

    elieelkarkafi  hi bro, i have configured and connect the data connector of defender with microsoft sentinel but i am still unable to receive these data 

     

  • Humza_Bukhari's avatar
    Humza_Bukhari
    Copper Contributor
    Sep 22, 2023
    okay i have tried this , lets c what happened and will update you
  • Humza_Bukhari's avatar
    Humza_Bukhari
    Copper Contributor
    Sep 22, 2023

    elieelkarkafi  yes i have verified the permissions i have . plus this is what i get response by running this query which you provide .

     

Resources