Forum Discussion
SecurityAlert (MDATP) showing disabled and we are not receiving logs in Sentinel from M365 Defender
Humza_Bukhari did you verify the permissions as well?
Try to run the query below on your analytics workspace to see if there are any logs ingested from Defender:
let Now = now();
// One row per day for the last 14 days, so days with no incidents still show as 0
(range TimeGenerated from ago(14d) to Now-1d step 1d
| extend Count = 0
| union isfuzzy=true (
    // Daily count of incidents written by the Microsoft 365 Defender connector
    SecurityIncident
    | where ProviderName == "Microsoft 365 Defender"
    | summarize Count = count() by bin_at(TimeGenerated, 1d, Now)
)
// Collapse the zero-filled range and the real counts into one value per day
| summarize Count=max(Count) by bin_at(TimeGenerated, 1d, Now)
| sort by TimeGenerated
| project Value = iff(isnull(Count), 0, Count), Time = TimeGenerated, Legend = "Events")
| render timechart
elieelkarkafi yes, I have verified the permissions I have. Plus, this is the response I get by running the query which you provided.
- Humza_Bukhari (Sep 26, 2023, Copper Contributor): okay elieelkarkafi, thank you for your support
- Sep 26, 2023: If you configured and checked all the above options and you triggered an alert and still no data is ingested to Sentinel from MDE, then you have something wrong in the backend and the only way is to contact the Microsoft security support team to check your tenant.
- Humza_Bukhari (Sep 26, 2023, Copper Contributor): Please guide me how I can get these logs into Sentinel.
- Humza_Bukhari (Sep 26, 2023, Copper Contributor): elieelkarkafi hi bro, I have configured and connected the Defender data connector with Microsoft Sentinel but I am still unable to receive this data.
- Humza_Bukhari (Sep 22, 2023, Copper Contributor): okay I have tried this, let's see what happens and I will update you
- Sep 22, 2023: Humza_Bukhari ok, let's do this exercise: from one of your devices onboarded to MDE, create a malicious test file using the link below, save it as EICAR.com on the desktop, let MDE catch it and remediate it, check the alerts in the portal and keep an eye on Sentinel at the same time to see if this triggers the signal.
How to Create a Malicious Test File (EICAR) - Carbon Black Community
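The EICAR exercise above should produce a Defender for Endpoint alert; the KQL below, added here as an example and not part of the thread, checks whether that alert actually reached the workspace's SecurityAlert table rather than only the Defender portal. It assumes the connector writes MDE alerts with ProviderName "MDATP" (the provider named in the thread title) and that the test detection's AlertName mentions EICAR; both are assumptions, and the lookback window is a constructed value.

```kql
// Added example (not from the thread): confirm MDE alerts land in SecurityAlert
// after the EICAR test. Assumes ProviderName "MDATP" for Defender for Endpoint
// alerts and that the test alert's name contains "EICAR"; adjust if your
// tenant's values differ.
let lookback = 1d;
SecurityAlert
| where TimeGenerated > ago(lookback)
| where ProviderName == "MDATP"
// Flag the EICAR test detection so it stands out from real alerts
| extend IsEicarTest = AlertName has "EICAR"
| summarize
    AlertCount = count(),
    FirstSeen  = min(TimeGenerated),
    LastSeen   = max(TimeGenerated),
    Hosts      = make_set(CompromisedEntity, 20)
  by AlertName, AlertSeverity, ProductName, IsEicarTest
| order by LastSeen desc
```

If this returns nothing while the alert is visible in the Defender portal, the problem is on the ingestion side (connector or backend) rather than with alert generation; if it returns rows but the connector page still shows the table as disabled, the status indicator is simply lagging behind the data.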