Forum Discussion
SalmanKhan
Copper Contributor
Oct 03, 2020
Windows Firewall logs are enabled, but they do not show up in Sentinel
Hello, we have the MMA agent installed on 26 Windows servers, but we are not getting them into Sentinel. I cannot see any table named "WindowsFirewall" either. Do the tables appear when data starts pour...
CliveWatson
Microsoft
Oct 05, 2020
Have you told the MMA to start collecting data? The two ways of doing that are:
1. Look under Advanced settings (in your screenshot) and add the Event Log items you need
2. Enable an Azure Sentinel connector
Do you have any data from the agents? If you do, it should be in the Heartbeat table:
Heartbeat
| summarize count(), arg_max(TimeGenerated,*) by Computer
SalmanKhan
Copper Contributor
Oct 05, 2020
CliveWatson, thanks for the prompt response.
Yes, I have configured Event logs and I can see output when I run the heartbeat query that you have mentioned. Following is the configuration for event logs - I have added everything that says "Firewall" to be safe, but it still does not help.
If you see below, this is what the front page of Sentinel looks like:
Is it possible that I need to tune it on the Windows Firewall (on the servers) as well, so that they are sent over to Sentinel?
CliveWatson
Microsoft
Oct 05, 2020
Logs configured as you have done go into the Event table:
Event | summarize count() by EventLog
Have you looked here? This is how we ask you to configure this in Sentinel: https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-firewall
SalmanKhan
Copper Contributor
Oct 05, 2020
CliveWatson, thanks a lot.
I have now removed the collection via event logs and have configured the Data Connector for Windows Defender Firewall with Advanced Security. Should it take some time before I see logs coming in?
Would it also help in getting the map "Potential malicious events" to go live?
Thanks for your help Clive 🙂 Much appreciated.
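As an added example (not part of this thread and not Microsoft's own query), the KQL below extends the Heartbeat check from the first reply into a per-server health view for the firewall connector: it lists every computer the MMA has heartbeated from in the lookback window and joins in how many rows and how recently that computer has written to the WindowsFirewall table. Servers that heartbeat but have no firewall rows are the ones where the connector or the on-server firewall logging still needs attention. It assumes the connector lands data in a table named WindowsFirewall with a Computer column, and the 24h/1h thresholds are arbitrary choices for this illustration.

```kql
// Added example: agent heartbeat versus Windows Firewall data, per computer.
// Assumes the Windows Firewall connector writes to the WindowsFirewall table
// and that both tables carry the same Computer value for a given server.
let lookback = 24h;      // how far back to look for heartbeats and firewall rows
let staleAfter = 1h;     // flag servers whose last firewall row is older than this
let agents = Heartbeat
    | where TimeGenerated > ago(lookback)
    | summarize LastHeartbeat = max(TimeGenerated) by Computer;
let fw = WindowsFirewall
    | where TimeGenerated > ago(lookback)
    | summarize FirewallRows = count(), LastFirewallRow = max(TimeGenerated) by Computer;
agents
| join kind=leftouter fw on Computer          // keep every heartbeating server
| extend FirewallRows = coalesce(FirewallRows, 0)
| extend Status = case(
      FirewallRows == 0, "Heartbeat but no firewall data",
      LastFirewallRow < ago(staleAfter), "Firewall data stale",
      "OK")
| project Computer, LastHeartbeat, FirewallRows, LastFirewallRow, Status
| order by Status asc, Computer asc
```

Run it in the Sentinel Logs blade against the workspace the agents report to; a server that shows "Heartbeat but no firewall data" after the connector has had time to ingest is a strong hint that firewall logging is not producing entries on that host, which is what the docs link above walks through.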