Forum Discussion

RayO
Copper Contributor
Jun 05, 2025

Lack of alerts in Sentinel

Hello,

I am troubleshooting a lack of alerts and incidents in my Sentinel deployment.

When I look at the Microsoft Defender XDR connector, I see plenty of events like DeviceEvents, DeviceInfo, IdentityLogonEvents, etc. However, the entries for:

SecurityIncident--

SecurityAlert--

AlertInfo--

AlertEvidence--

all show grey with a disconnected connector showing. I've been over the onboarding documentation several times and can't find what I'm missing.

Has anyone else experienced this who can point me in the right direction of what to check?

Thanks!

5 Replies

  • TofuY
    Copper Contributor

    RayO, I've been scratching my head over this same exact issue over the last 4 days. Your workspace is probably in a disconnected state on the Defender side like mine was.

    My fix was to go to Microsoft Defender (security.microsoft.com), then go to System > Settings > Microsoft Sentinel. From here you should see all the workspaces you have configured (make sure you have access to the resources for them to appear in this list). Select the one you need and hit Connect, give it about 15-30 minutes, and you should see the data start flowing in and the data type should be lit green. Sucks that there isn't any useful information that covers this specific issue, but I'm hoping this works for you!

    • RayO
      Copper Contributor

      TofuY - Thanks for trying, but that was not it. The workspace was already connected.

    • RayO
      Copper Contributor

      Hello Koushandehfar,

      Thanks for your reply. If I run a simple query like so:

      AlertEvidence
      | top 50 by TimeGenerated desc

      I get no results for those tables.

      I do have another environment set up where I am receiving data in those tables. The only difference in the setup is that I have 'Enable EDR in block mode' set up in that environment, which looks like it's providing most of that data. It does seem like there should be additional data being received, though.

      • The AlertEvidence table contains information about various entities—files, IP addresses, URLs, users, or devices—associated with alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity.
        While you said you can see those events/numbers on the connector, that might not necessarily be implemented completely to pull that information into the table... Is it the same for the other tables you mentioned? If yes, and you are sure you have some incidents/alerts on your devices or identities, I would recommend reconfiguring the connector again to see if that fixes the issue.
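Added example, not posted by anyone in this thread: a single KQL query that checks all four Defender XDR alert/incident tables at once instead of querying them one at a time. It lists each expected table with its row count and most recent TimeGenerated over the last 7 days, so a table that exists but is empty (connector linked, but nothing arriving from the Defender side) shows up alongside one that has never received data. The 7-day window and the set of table names are assumptions; adjust them to the connector's data types you care about.

```kql
// Added example (not from any poster): ingestion check for the Defender XDR
// alert and incident tables over the last 7 days.
// isfuzzy=true keeps the query running even if one of the tables does not
// exist yet in the workspace (it is simply reported with 0 rows).
let ExpectedTables = datatable(TableName: string)
    ["SecurityIncident", "SecurityAlert", "AlertInfo", "AlertEvidence"];
let Observed = union withsource=TableName isfuzzy=true
    SecurityIncident, SecurityAlert, AlertInfo, AlertEvidence
| where TimeGenerated > ago(7d)
| summarize Rows = count(), LastSeen = max(TimeGenerated) by TableName;
ExpectedTables
| join kind=leftouter Observed on TableName
| project TableName, Rows = coalesce(Rows, 0), LastSeen
| order by TableName asc
```

Run it in Logs under the Sentinel workspace. A row with Rows = 0 and an empty LastSeen for every alert table, while DeviceEvents and similar tables keep growing, matches the symptom described in the original post and points at the alert/incident data types of the connector rather than at the workspace link as a whole.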
