Windows Firewall logs are enabled, but they do not show up in Sentinel


Hello,

 

We have the MMA agent installed on 26 Windows servers, but we are not getting the logs into Sentinel.

I cannot see any table named "WindowsFirewall" either.

Do the tables appear when data starts pouring in, or is it now deprecated in Sentinel?

[screenshot: 1.jpg]

5 Replies

@salkhan 

 

Have you told the MMA to start collecting data? The two ways of doing that are:

 

1. Look under Advanced settings (in your screenshot) and add the Event Logs items you need

2. Enable an Azure Sentinel connector

 

Do you have any data from the agents? If you do, it should be in the Heartbeat table:

Heartbeat
| summarize count(), arg_max(TimeGenerated,*) by Computer

 

 


@Clive Watson Thanks for the prompt response.

Yes, I have configured Event logs and I can see output when I run the heartbeat query that you have mentioned. Following is the configuration for event logs - I have added everything that says "Firewall" to be safe, but it still does not help. 

 

[screenshot: 1.jpg]

As you can see below, this is how the front page of Sentinel looks:

 

[screenshot: 1.jpg]

Is it possible that I need to tune it on the Windows Firewall (on the servers) as well, so that they are sent over to Sentinel?


@salkhan 

 

Logs configured as you have done go into the Event table:

Event
| summarize count() by EventLog

Have you looked here? This is how we ask you to configure this in Sentinel: https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-firewall


@Clive Watson Thanks a lot.

I have now removed the collection via event logs and have now configured the Data Connector for Windows Defender Firewall with Advanced Security. Should it take some time before I see logs coming in?

Would it also help in getting the map "Potential malicious events" to get live?

 

Thanks for your help Clive :) Much appreciated.


@salkhan 

 

That map shows up when you have data in at least one of these Tables:

W3CIISLog
DnsEvents
WireData
WindowsFirewall
VMConnection
CommonSecurityLog

To check:

union isfuzzy=true
W3CIISLog,
DnsEvents,
WireData,
WindowsFirewall,
VMConnection,
CommonSecurityLog
| summarize count() by Type
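The replies above point at three separate places to look: Heartbeat for whether an agent is reporting at all, Event for logs collected via the Event Logs settings, and WindowsFirewall for data from the connector. The query below is an added example, not something posted in this thread, that combines those three checks into one per-computer view so it is visible which servers are heartbeating but sending no firewall data in either form. It assumes the standard Heartbeat, Event and WindowsFirewall tables and the Type column that every Log Analytics table carries; the 24h window is an arbitrary choice.

```kql
// Added example, not from the thread. Per-computer view of which agents
// heartbeat but deliver no Windows Firewall data. Assumes the Heartbeat,
// Event and WindowsFirewall tables and the Type column present in every
// Log Analytics table; the 24h window is an arbitrary choice.
let lookback = 24h;
// Every computer whose agent has checked in during the window.
let reporting = Heartbeat
    | where TimeGenerated > ago(lookback)
    | summarize LastHeartbeat = max(TimeGenerated) by Computer;
// Rows from the Windows Firewall connector. The fuzzy union with Heartbeat
// keeps the query valid even while the WindowsFirewall table does not exist
// yet (it is created when the first connector data arrives); the Type filter
// then drops the Heartbeat rows again.
let fwConnector = union isfuzzy=true WindowsFirewall, Heartbeat
    | where Type == "WindowsFirewall"
    | where TimeGenerated > ago(lookback)
    | summarize FirewallRows = count() by Computer;
// Rows collected the other way, via Event Logs whose name mentions Firewall.
let fwEventLog = Event
    | where TimeGenerated > ago(lookback)
    | where EventLog has "Firewall"
    | summarize FirewallEventLogRows = count() by Computer;
reporting
| join kind=leftouter fwConnector on Computer
| join kind=leftouter fwEventLog on Computer
| extend FirewallRows = coalesce(FirewallRows, 0),
         FirewallEventLogRows = coalesce(FirewallEventLogRows, 0)
| project Computer, LastHeartbeat, FirewallRows, FirewallEventLogRows
// Servers with nothing in either column sort to the top.
| order by FirewallRows asc, FirewallEventLogRows asc, Computer asc
```

Run it from the Logs blade of the workspace. Computers at the top with zero in both columns are reporting to the workspace but have no firewall data arriving by either route, which narrows the problem to agent-side configuration on those specific hosts rather than to the workspace or the connector as a whole; once the connector is delivering, the WindowsFirewall table appears and the union trick becomes unnecessary.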