Forum Discussion
Windows Firewall logs are enabled, but they do not show up in Sentinel
CliveWatson Thanks for the prompt response.
Yes, I have configured Event logs and I can see output when I run the heartbeat query that you have mentioned. Following is the configuration for event logs - I have added everything that says "Firewall" to be safe, but it still does not help.
If you see below, this is how the front page of Sentinel looks:
Is it possible that I need to tune it on the windows firewall (on the servers) as well, so that they are sent over to Sentinel?
Logs configured as you have done go into the Event table:

Event
| summarize count() by EventLog

Have you looked here? This is how we ask you to configure this in Sentinel: https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-firewall
- SalmanKhan, Oct 05, 2020, Copper Contributor
CliveWatson Thanks a lot.
I have now removed the collection via event-logs and have now configured Data Connector for Windows Defender Firewall with Advanced Security. Should it take some time before I see logs coming in?
Would it also help in getting the map "Potential malicious events" to get live?
Thanks for your help Clive 🙂 Much appreciated.
- CliveWatson, Oct 05, 2020, Former Employee
That map shows up when you have data in at least one of these tables: W3CIISLog, DnsEvents, WireData, WindowsFirewall, VMConnection, CommonSecurityLog.

To check:

union isfuzzy=true W3CIISLog, DnsEvents, WireData, WindowsFirewall, VMConnection, CommonSecurityLog
| summarize count() by Type
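The thread leaves the original question ("should it take some time before I see logs coming in?") answered only with a table count. A more useful check after enabling the Windows Firewall connector is per-computer: which agents are heartbeating but have sent no WindowsFirewall rows yet. The query below is an added example, not code from either participant; it assumes the standard Heartbeat table (Computer, OSType, TimeGenerated) and WindowsFirewall table (Computer, TimeGenerated) columns and a 1-day lookback.

```kql
// Added example (not from the thread): agents with a recent Heartbeat, joined to
// the WindowsFirewall rows each one has sent in the same window. Computers that
// show FirewallEvents == 0 are the ones whose firewall logging or connector
// configuration still needs attention.
let lookback = 1d;   // assumed window; adjust to taste
let agents = Heartbeat
    | where TimeGenerated > ago(lookback)
    | where OSType == "Windows"
    | summarize LastHeartbeat = max(TimeGenerated) by Computer;
let fw = WindowsFirewall
    | where TimeGenerated > ago(lookback)
    | summarize FirewallEvents = count(), LastFirewallEvent = max(TimeGenerated) by Computer;
agents
| join kind=leftouter fw on Computer
| extend FirewallEvents = coalesce(FirewallEvents, 0)   // no rows yet -> 0 instead of empty
| project Computer, LastHeartbeat, FirewallEvents, LastFirewallEvent
| order by FirewallEvents asc
```

Run it from the Logs blade of the workspace Sentinel is attached to. A computer with a fresh LastHeartbeat but FirewallEvents of 0 is reporting to the agent but not producing firewall log data, which points at the firewall logging settings on that host rather than at the connector.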