Windows Firewall logs are enabled, but they do not show up in Sentinel
Have you told the MMA to start collecting data? The 2 ways of doing that are:
1. Look under Advanced settings, in your screenshot, and add the Event Logs items you need
2. Enable an Azure Sentinel connector
Do you have any data from the Agents? If you do, it should be in the Heartbeat table:
Heartbeat
| summarize count(), arg_max(TimeGenerated,*) by Computer
CliveWatson Thanks for the prompt response.
Yes, I have configured Event logs and I can see output when I run the heartbeat query that you have mentioned. Following is the configuration for event logs - I have added everything that says "Firewall" to be safe, but it still does not help.
If you see below, this is what the front page of Sentinel looks like:

Is it possible that I need to tune it on the Windows Firewall (on the servers) as well, so that they are sent over to Sentinel?
- CliveWatson, Oct 05, 2020, Microsoft
Logs configured as you have done go into the Events Table:
Event
| summarize count() by EventLog
Have you looked here? This is how we ask you to configure this in Sentinel: https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-firewall
- SalmanKhan, Oct 05, 2020, Copper Contributor
CliveWatson Thanks a lot.
I have now removed the collection via event-logs and have now configured Data Connector for Windows Defender Firewall with Advanced Security. Should it take some time before I see logs coming in?
Would it also help in getting the map "Potential malicious events" to get live?
Thanks for your help Clive 🙂 Much appreciated.
- CliveWatson, Oct 05, 2020, Microsoft
That map shows up when you have data in at least one of these Tables:
W3CIISLog
DnsEvents
WireData
WindowsFirewall
VMConnection
CommonSecurityLog
To check:
union isfuzzy=true W3CIISLog, DnsEvents, WireData, WindowsFirewall, VMConnection, CommonSecurityLog
| summarize count() by Type
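
An added example, not part of the thread above or written by any of its participants: a query that lists each computer with a recent heartbeat next to the number of WindowsFirewall records it has sent, so agents that are reporting but not yet forwarding firewall logs stand out. The one-hour lookback, the `emptyFirewall` helper name, and the assumption that Computer holds the same name in both tables are choices made for this example.

```kusto
// Added example: compare agent heartbeats with WindowsFirewall ingestion per computer.
// Assumption: 1h lookback, chosen for this example; widen it if needed.
let lookback = 1h;
// Empty stand-in with the columns used below, so the query still runs
// if the WindowsFirewall table does not exist in the workspace yet.
let emptyFirewall = datatable(TimeGenerated:datetime, Computer:string)[];
Heartbeat
| where TimeGenerated > ago(lookback)
| summarize LastHeartbeat = max(TimeGenerated) by Computer
| join kind=leftouter (
    union isfuzzy=true emptyFirewall, WindowsFirewall
    | where TimeGenerated > ago(lookback)
    | summarize FirewallRecords = count(), LastFirewallRecord = max(TimeGenerated) by Computer
  ) on Computer
// Computers with a heartbeat but no firewall rows get 0 instead of an empty cell.
| project Computer, LastHeartbeat, FirewallRecords = coalesce(FirewallRecords, 0), LastFirewallRecord
| order by FirewallRecords asc, Computer asc
```

Rows with FirewallRecords = 0 are machines whose agent is connected but whose firewall log is not arriving, which points at the connector or the host's firewall logging rather than at the agent.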