I'm monitoring IIS, Apache, RDP servers that are accessible from the Internet. The default Sentinel Overview dashboard sometimes displays a little information in the map, but so far that has been limited to one country or region at a time. Thanks to the cesspool that is the Internet, I have plenty of data pertaining to recon from all over the world. Why would the map show only one location? Or, as it is today, be blank?
Where is the query that Sentinel uses to make the map?
Maybe the time window is less than an hour...? During the past hour I had IIS connection attempts from South Africa and Thailand, but none during the past 3 minutes.
@PeterSchawacker this might be too obvious, but the map is centered, so if you use your mouse to drag the view to SA or Thailand, or zoom out, do they show up? If not, can you share your query, in case there is an issue with it?
If you click on the map (place cursor on the orange hotspot and click) you should see the query used?
For just IIS logs and as a quick test, you can use an example of:
```kusto
// W3CIISLog is the Log Analytics table that holds the IIS logs; the original snippet omitted the source table.
W3CIISLog
| extend TrafficDirection = "InboundOrUnknown", Country = RemoteIPCountry, Latitude = RemoteIPLatitude, Longitude = RemoteIPLongitude
| where isnotempty(MaliciousIP)
// Keep the coordinates in the output so the map has something to plot.
| summarize count() by TrafficDirection, MaliciousIP, Country, Latitude, Longitude
```
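Extending that idea to cover the IIS and RDP sources from the original question over a longer window, as an added example that is not from any poster in this thread: it assumes RDP logon failures land in SecurityEvent (EventID 4625, LogonType 10) and uses geo_info_from_ip_address() for rows that lack the RemoteIP* enrichment columns; Apache is not covered because its table depends on how the logs were ingested.

```kusto
// Added example: Internet-facing connection sources with coordinates for a Sentinel map.
// Assumptions: W3CIISLog holds the IIS logs (client IP in cIP); SecurityEvent holds the
// Windows Security events, where EventID 4625 is a failed logon and LogonType 10 is
// RemoteInteractive (RDP). A 24h window avoids the "blank map" caused by a short time range.
let lookback = 24h;
let iis = W3CIISLog
    | where TimeGenerated > ago(lookback)
    | where isnotempty(cIP)
    | extend SourceIP = cIP, Source = "IIS";
let rdp = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4625 and LogonType == 10
    | where isnotempty(IpAddress) and IpAddress != "-"
    | extend SourceIP = IpAddress, Source = "RDP";
union iis, rdp
// Drop RFC 1918 addresses; only Internet sources belong on the map.
| where not(ipv4_is_private(SourceIP))
| extend Geo = geo_info_from_ip_address(SourceIP)
| extend Country = tostring(Geo.country), Latitude = toreal(Geo.latitude), Longitude = toreal(Geo.longitude)
// Rows with no geolocation cannot be plotted, so leave them out of the map query.
| where isnotnull(Latitude) and isnotnull(Longitude)
| summarize Attempts = count(), Sources = make_set(Source) by SourceIP, Country, Latitude, Longitude
| order by Attempts desc
```

Run it in Logs first to confirm rows come back for more than one country before wiring it into a map visualization.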