Microsoft Tech Community

SecurityAlert (MDATP) showing disable and we are not receiving logs In sentinel from M365 Defender


We have tried every possible way, but we are still unable to receive any logs after connecting the data connector in Sentinel for Microsoft Defender 365. SecurityAlert (MDATP) is showing disabled. So how do we get out of this situation?

17 Replies
Which connector are you using to connect MDE to Sentinel?

We are using Microsoft 365 Defender; we have also tried Microsoft Defender for Endpoint, but both in vain, and we are not receiving any logs.

@Humza_Bukhari did you check the connector settings as below, and whether you have the right permissions in the workspace?

[screenshot: eliekarkafy_0-1695404276682.png]

Yes, I have already checked the connector settings, but as I said earlier it is showing disabled and greyed out.

Have you tried to trigger an alert from MDE and see if the signal turns green? Also, have you activated the analytic rule related to MDE to ingest the logs into Sentinel?

@eliekarkafy yes, as you can see I have already created this, but unfortunately didn't get any logs. I have tried every possible way, but all in vain.

[screenshot: Humza_Bukhari_0-1695405071243.png]

@Humza_Bukhari did you verify the permissions as well?

[screenshot: eliekarkafy_1-1695405647625.png]

Try running the query below on your analytics workspace to see if there are any logs ingested from Defender:

// Count Microsoft 365 Defender incidents per day for the last 14 days.
// The range table supplies one row per day with Count = 0, so days with
// no incidents still appear in the chart instead of leaving a gap.
let Now = now();
(range TimeGenerated from ago(14d) to Now-1d step 1d
    | extend Count = 0
    | union isfuzzy=true (
        SecurityIncident
        | where ProviderName == "Microsoft 365 Defender"
        | summarize Count = count() by bin_at(TimeGenerated, 1d, Now)
    )
    // One row per day: the real count where incidents exist, otherwise 0
    | summarize Count = max(Count) by bin_at(TimeGenerated, 1d, Now)
    | sort by TimeGenerated
    | project Value = iff(isnull(Count), 0, Count), Time = TimeGenerated, Legend = "Events")
| render timechart
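The query above only looks at SecurityIncident, while the indicator that is greyed out in the connector page is the SecurityAlert (MDATP) data type. The following KQL is an added example, not a query posted in this thread, that reports, for each data type the Microsoft 365 Defender connector can feed, how many records arrived in the window and when the last one was seen. It assumes the standard Sentinel table names SecurityAlert, SecurityIncident and DeviceEvents and the ProviderName values "MDATP" and "Microsoft 365 Defender" used by the built-in alert and incident tables; the 7-day lookback is an arbitrary choice.

```kql
// Added example: per-data-type ingestion check for the M365 Defender connector.
// Assumed: standard Sentinel table names and ProviderName values; lookback is arbitrary.
let lookback = 7d;
union isfuzzy=true
    // Alerts forwarded from Defender for Endpoint (the "SecurityAlert (MDATP)" data type)
    (SecurityAlert
        | where TimeGenerated > ago(lookback) and ProviderName == "MDATP"
        | summarize Records = count(), LastSeen = max(TimeGenerated)
        | extend Source = "SecurityAlert (MDATP)"),
    // Alerts forwarded by the unified Microsoft 365 Defender provider
    (SecurityAlert
        | where TimeGenerated > ago(lookback) and ProviderName == "Microsoft 365 Defender"
        | summarize Records = count(), LastSeen = max(TimeGenerated)
        | extend Source = "SecurityAlert (Microsoft 365 Defender)"),
    // Incidents created from those alerts
    (SecurityIncident
        | where TimeGenerated > ago(lookback) and ProviderName == "Microsoft 365 Defender"
        | summarize Records = count(), LastSeen = max(TimeGenerated)
        | extend Source = "SecurityIncident"),
    // Raw device telemetry, only present if the advanced-hunting tables were enabled
    (DeviceEvents
        | where TimeGenerated > ago(lookback)
        | summarize Records = count(), LastSeen = max(TimeGenerated)
        | extend Source = "DeviceEvents")
// summarize without a "by" clause yields a row even on empty input (Records = 0, LastSeen = null),
// so a data type that never ingested anything still shows up rather than silently disappearing
| extend MinutesSinceLast = datetime_diff("minute", now(), LastSeen)
| project Source, Records, LastSeen, MinutesSinceLast
| sort by Source asc
```

Run it in Logs on the Sentinel workspace. A row with Records = 0 and an empty LastSeen identifies exactly which data type has never received anything, which is what the grey indicator on the connector page reflects; a row with records but a large MinutesSinceLast points to ingestion that stopped rather than one that never started. `isfuzzy=true` keeps the query from failing when DeviceEvents does not exist in the workspace.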


@eliekarkafy yes, I have verified the permissions I have. Plus, this is the response I get by running the query you provided.

[screenshot: Humza_Bukhari_0-1695405976040.png]

@Humza_Bukhari OK, let's do this exercise: from one of your devices onboarded to MDE, create a malicious test file using the link below, save it as EICAR.com on the desktop, and let MDE catch and remediate it. Check the alerts in the portal and keep an eye on Sentinel at the same time to see if this triggers the signal.


How to Create a Malicious Test File (EICAR) - Carbon Black Community

Okay, I have tried this; let's see what happens and I will update you.

@eliekarkafy hi bro, I have configured and connected the Defender data connector with Microsoft Sentinel, but I am still unable to receive this data.

[screenshot: Humza_Bukhari_0-1695687234350.png]

Please guide me on how I can get these logs into Sentinel.

If you configured and checked all the above options, triggered an alert, and still no data is ingested into Sentinel from MDE, then you have something wrong in the backend, and the only way is to contact the Microsoft security support team to check your tenant.

Hi @eliekarkafy 

I have the same issue but the given command gives me the following response.

[screenshot: LauriK000_0-1697601829115.png]

@LauriK000 that means you have data ingested into your analytics workspace through the connector. Did you try to simulate an alert in MDE to check whether you get an incident created in MDE? Don't forget to enable the analytic rule to trigger incidents.