Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Default Sentinel Overview dashboard widgets indicate no data. Where is the query for the map?

Brass Contributor

I'm monitoring IIS, Apache, RDP servers that are accessible from the Internet. The default Sentinel Overview dashboard sometimes displays a little information in the map, but so far that has been limited to one country or region at a time. Thanks to the cesspool that is the Internet, I have plenty of data pertaining to recon from all over the world. Why would the map show only one location? Or, as it is today, be blank?

 

Where is there query that Sentinel uses to make the map?

nodatainmap.png

 

Maybe the time window is less than an hour...? During the past hour I had connections from IIS connection attempts from South Africa and Thailand, but none during the past 3 minutes. 

 

This is what I've seen over the past 24 hours.

 

24hoursCountries.png

4 Replies

@PeterSchawacker  this might be too obvious, but the map it centered, so if you use your mouse to drag the view to SA or Thailand or zoom out do they show up?  If not can you share your query, in case there is an issue with it? 

 

If you click on the map (place cursor on the orange hotspot and click)  you should see the query used?

Annotation 2019-04-01 193055.jpg

 

For just IIS logs and as a quick test, you can use an example of:

W3CIISLog
| extend TrafficDirection = "InboundOrUnknown", Country=RemoteIPCountry, Latitude=RemoteIPLatitude, Longitude=RemoteIPLongitude  
| where isnotempty(MaliciousIP)
| summarize count() by TrafficDirection,  MaliciousIP , RemoteIPCountry  

 

Hello
I just started reading about sentinel and I would like to analyse IIS Logs in Sentinel.
What type of data connector should I use or how can I import IIS Logs ?

Thanks

@Liventus 

 

https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-iis-logs

 

Enable the collection (as per the above link) and Logs will transfer from any machine that has the Log Analytics agent and IIS into the workspace, for Sentinel or Log Analytics to query.