No data was found


I activated Sentinel yesterday but get "No data was found" like in the image below. Is there anything I have missed?

sentinelerror.PNG

 

3 Replies

@planet4 

 

What [Data Connectors] have you added? 
https://docs.microsoft.com/en-us/azure/sentinel/connect-data-sources  

 

1. Cases (top right) needs you to have created an Alert entry in [Analytics] - see https://docs.microsoft.com/en-us/azure/sentinel/quickstart-get-visibility#create-new-detections

 

2. The map (middle bottom) needs data from at least one of these data sources:

- W3CIISLog (enable in Log Analytics)
- WireData (enable in Log Analytics)
- WindowsFirewall (Sentinel Connector)
- CommonSecurityLog (Sentinel Connector)
- VMConnection (enable in Log Analytics)

or DnsEvents (Sentinel Connector)

You can see your data in your workspace from the Schema items.

Annotation 2019-04-24 163403.png
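A workspace query for checking which of the map's source tables listed in the reply above have actually received data. This is an added example, not part of the original replies; the 24-hour lookback is an assumption.

```kusto
// Added example: report event counts for each table the Sentinel overview map can draw from.
// Assumption: a 24h lookback is enough to tell whether a connector is delivering data.
let lookback = 24h;
// The tables named in the reply above.
let mapTables = datatable(TableName:string)
    ["W3CIISLog", "WireData", "WindowsFirewall", "CommonSecurityLog", "VMConnection", "DnsEvents"];
// isfuzzy=true skips tables that do not exist in this workspace yet
// (at least one of them must exist, otherwise the union itself fails).
let seen = union withsource=TableName isfuzzy=true
        W3CIISLog, WireData, WindowsFirewall, CommonSecurityLog, VMConnection, DnsEvents
    | where TimeGenerated > ago(lookback)
    | summarize Events = count(), LastSeen = max(TimeGenerated) by TableName;
// Left outer join so tables with no data still show up, with Events = 0.
mapTables
| join kind=leftouter seen on TableName
| project TableName, Events = coalesce(Events, 0), LastSeen
| order by Events desc
```

If every row shows 0 events, the map has nothing to plot and the connector or Log Analytics data source for at least one of these tables still needs to be enabled.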

 

 

 

@CliveWatson Ok, thanks. Have made some progress with the IIS log. I am trying to get this into the Grafana Worldmap but I suppose this is another issue. Having problems with country codes and that IIS writes the full country instead of US or SE. Will try more and thanks for your response.






@planet4 

 

If you don't mind creating your own list?

 

W3CIISLog
| extend countrycode = case(RemoteIPCountry == "United States", "US",
                            RemoteIPCountry == "United Kingdom", "UK",
                            // add others here
                            "Unknown Country")
| where isnotempty(RemoteIPCountry)
| project RemoteIPCountry, countrycode