Forum Discussion
Default Sentinel Overview dashboard widgets indicate no data. Where is the query for the map?
I'm monitoring IIS, Apache, RDP servers that are accessible from the Internet. The default Sentinel Overview dashboard sometimes displays a little information in the map, but so far that has been limited to one country or region at a time. Thanks to the cesspool that is the Internet, I have plenty of data pertaining to recon from all over the world. Why would the map show only one location? Or, as it is today, be blank?
Where is there query that Sentinel uses to make the map?
Maybe the time window is less than an hour...? During the past hour I had connections from IIS connection attempts from South Africa and Thailand, but none during the past 3 minutes.
This is what I've seen over the past 24 hours.
- Hello
I just started reading about sentinel and I would like to analyse IIS Logs in Sentinel.
What type of data connector should I use or how can I import IIS Logs ?
Thanks- CliveWatson
Microsoft
https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-iis-logs
Enable the collection (as per the above link) and Logs will transfer from any machine that has the Log Analytics agent and IIS into the workspace, for Sentinel or Log Analytics to query.
- CliveWatson
PeterSchawacker this might be too obvious, but the map it centered, so if you use your mouse to drag the view to SA or Thailand or zoom out do they show up? If not can you share your query, in case there is an issue with it?
If you click on the map (place cursor on the orange hotspot and click) you should see the query used?
For just IIS logs and as a quick test, you can use an example of:
W3CIISLog | extend TrafficDirection = "InboundOrUnknown", Country=RemoteIPCountry, Latitude=RemoteIPLatitude, Longitude=RemoteIPLongitude | where isnotempty(MaliciousIP) | summarize count() by TrafficDirection, MaliciousIP , RemoteIPCountry
- Valon_Kolica
Ofer_Shezaf: Is this something you can help with?
