10-03-2020 10:14 AM
We have the MMA agent installed on 26 Windows servers, but we are not getting data into Sentinel.
I cannot see any table named "WindowsFirewall" either.
Do the tables appear when data starts pouring in, or is it now deprecated in Sentinel?
10-05-2020 01:17 AM
Have you told the MMA to start collecting data? The 2 ways of doing that are:
1. Look under Advanced settings, in your screenshot, and add the Event Logs items you need
2. Enable an Azure Sentinel connector
Do you have any data from the agents? If you do, it should be in the Heartbeat table:
Heartbeat | summarize count(), arg_max(TimeGenerated,*) by Computer
10-05-2020 01:28 AM
@Clive Watson Thanks for the prompt response.
Yes, I have configured Event Logs and I can see output when I run the Heartbeat query that you mentioned. Following is the configuration for event logs - I have added everything that says "Firewall" to be safe, but it still does not help.
If you see below, this is how the front page of Sentinel looks:
Is it possible that I need to tune it on the Windows Firewall (on the servers) as well, so that the logs are sent over to Sentinel?
10-05-2020 03:02 AM
Logs configured as you have done go into the Events table:
Event | summarize count() by EventLog
Have you looked here? This is how we ask you to configure this in Sentinel: https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-firewall
10-05-2020 03:49 AM
@Clive Watson Thanks a lot.
I have now removed the collection via event logs and have configured the Data Connector for Windows Defender Firewall with Advanced Security. Should it take some time before I see logs coming in?
Would it also help in getting the map "Potential malicious events" to go live?
Thanks for your help Clive :) Much appreciated.
10-05-2020 04:58 AM
That map shows up when you have data in at least one of these tables:
union isfuzzy=true W3CIISLog, DnsEvents, WireData, WindowsFirewall, VMConnection, CommonSecurityLog | summarize count() by Type
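To check per server whether the new connector is actually delivering data, the following KQL is an added example (not from any post in this thread): it lists agents that have sent a Heartbeat in the lookback window but contributed no rows to the WindowsFirewall table, which is where the connector writes. The 1d lookback is an assumed value; shorten it once data is known to be flowing.

```kql
// Added example: agents that are alive (Heartbeat) but have sent no
// WindowsFirewall rows in the lookback window. Run in the Sentinel workspace.
let lookback = 1d;   // assumed window; adjust to taste
// Per-computer summary of firewall rows that did arrive
let firewallByComputer = WindowsFirewall
    | where TimeGenerated > ago(lookback)
    | summarize FirewallRows = count(), LastFirewallRow = max(TimeGenerated) by Computer;
// Per-computer last heartbeat, then left join so silent servers are kept
Heartbeat
| where TimeGenerated > ago(lookback)
| summarize LastHeartbeat = max(TimeGenerated) by Computer
| join kind=leftouter firewallByComputer on Computer
| extend FirewallRows = coalesce(FirewallRows, 0)
| project Computer, LastHeartbeat, FirewallRows, LastFirewallRow
| order by FirewallRows asc, Computer asc
```

A server with FirewallRows == 0 but a recent LastHeartbeat is reachable by the agent yet not producing firewall data, which narrows the problem to that host's firewall logging rather than the agent or workspace.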