Forum Discussion
When do items show on the Potential malicious events map?
I spoke to this in my first reply.
This normally indicates you don't have data in at least one of the 6 tables + a MaliciousIP address match.
Do you have any Inbound or Outbound traffic showing up on the Sentinel Home Page? That would indicate you have the right data and a match.
If this counter on the map is zero, then we don't have a match. Essentially there is a feed of known malicious IP addresses; if they correlate / match one that is seen in your logs then the counter goes from zero to 1 etc. E.g. there is a known IP of 1.1.1.1 and it was seen in your CEF logs (CommonSecurityLog), so that device (probably a firewall) has a match with a known malicious IP.
For this to occur you need to have a machine on the Internet (public IP) and for it to get probed by a malicious IP, with the event landing in one of the six tables we check. If you have no machines on the internet or are blocking the log data in some way, you may not see these.
Not having any Malicious IPs is a good thing - but you may want to carefully test this by exposing a machine (isolated from your others) for a short while to prove the capability is working.
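To check the two conditions described above for the CEF case, here is an added KQL example (not from the thread or from Microsoft's own workbook): it assumes CEF data lands in CommonSecurityLog and that the threat-intelligence enrichment populates the MaliciousIP column on matched rows.

```kql
// Condition 1: is CEF data arriving at all? A zero here means the
// map cannot show anything regardless of the malicious-IP feed.
CommonSecurityLog
| where TimeGenerated > ago(1d)
| summarize CefRows = count(), LastSeen = max(TimeGenerated) by DeviceVendor, DeviceProduct

// Condition 2: did any of those rows match the known-malicious-IP feed?
// Each distinct MaliciousIP below is one hit that should raise the counter on the map.
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where isnotempty(MaliciousIP)          // assumption: enrichment column is named MaliciousIP
| summarize Hits = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated)
          by MaliciousIP, DeviceVendor, DeviceProduct, DeviceAction
| order by Hits desc
```

If the first query returns rows and the second returns none, ingestion is fine and the empty map simply reflects no feed match in the window; if the first query is also empty, fix the CEF/log path before investigating the map.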
CliveWatson OK, it has gotten through my thick skull finally. Thanks for all the help yet again.