Forum Discussion
Windows Firewall logs are enabled, but they do not show up in Sentinel
Microsoft
Have you told the MMA to start collecting data, the 2 ways of doing that are:
1. Look under Advanced settings, in your screen shot and add the Event Logs items you need
2. Enable a Azure Sentinel connector
Do you have any data from the Agents, if you do it should be in the Heartbeat table:
Heartbeat
| summarize count(), arg_max(TimeGenerated,*) by Computer
CliveWatson Thanks for the prompt response.
Yes, I have configured Event logs and I can see output when I run the heartbeat query that you have mentioned. Following is the configuration for event logs - I have added everything that says "Firewall" to be safe, but it still does not help.
 If you see below, this is how the front page of Sentinel looks like:
 
Is it possible that I need to tune it on the windows firewall (on the servers) as well, so that they are sent over to Sentinel?
- CliveWatson
Logs configured as you have done, go into the Events Table
Event | summarize count() by EventLog,
Have you looked here, this is how we ask you to configure this in Sentinel? https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-firewallCliveWatson Thanks a lot.
I have now removed the collection via event-logs and have now configured Data Connector for Windows Defender Firewall with Advanced Security. Should it take some time before I see logs coming in?
Would it also help in getting the map "Potential malicious events" to get live?
Thanks for your help Clive 🙂 Much appreciated.
