Sep 22 2023 09:55 AM
We have tried every possible way, but we are still unable to receive any logs after connecting the data connector in Sentinel for Microsoft 365 Defender. SecurityAlert (MDATP) is showing as disabled. So how do we get out of this situation?
Sep 22 2023 10:38 AM
@Humza_Bukhari Did you check the connector settings as below, and whether you have the right permissions in the workspace?
Sep 22 2023 10:45 AM - edited Sep 22 2023 10:47 AM
Have you tried to trigger an alert from MDE and see if the signal turns green? Also, have you activated the analytic rule related to MDE to ingest the logs into Sentinel?
Sep 22 2023 10:52 AM
@eliekarkafy Yes, as you can see, I have already created this, but unfortunately I didn't get any logs. I have tried every possible way, but all in vain.
Sep 22 2023 11:03 AM
@Humza_Bukhari Did you verify the permissions as well?
Try to run the below query on your analytics workspace to see if there are any logs ingested from Defender:
// Build an empty 14-day series first, so days with no data still show as 0
let Now = now();
(range TimeGenerated from ago(14d) to Now-1d step 1d
| extend Count = 0
// Incidents synced by the Microsoft 365 Defender connector;
// isfuzzy=true keeps the query valid even if the table does not exist yet
| union isfuzzy=true (
    SecurityIncident
    | where ProviderName == "Microsoft 365 Defender"
    | summarize Count = count() by bin_at(TimeGenerated, 1d, Now)
)
| summarize Count=max(Count) by bin_at(TimeGenerated, 1d, Now)
| sort by TimeGenerated
| project Value = iff(isnull(Count), 0, Count), Time = TimeGenerated, Legend = "Events")
| render timechart
Sep 22 2023 11:07 AM
@eliekarkafy Yes, I have verified the permissions I have. Plus, this is the response I get by running the query you provided.
Sep 22 2023 11:12 AM - edited Sep 22 2023 11:12 AM
@Humza_Bukhari OK, let's do this exercise: from one of your devices onboarded to MDE, create a malicious test file using the below link, save it as EICAR.com on the desktop, and let MDE catch it and remediate it. Check the alerts in the portal and, at the same time, keep an eye on Sentinel to see if this triggers the signal.
How to Create a Malicious Test File (EICAR) - Carbon Black Community
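The exercise described above, as an added PowerShell example that is not part of the thread or of any Microsoft tooling. It writes the standard EICAR test string to EICAR.com on the desktop of an MDE-onboarded Windows device, shows the local Defender verdict, and then queries the Log Analytics workspace for the resulting MDE alert. It assumes the Az.Accounts and Az.OperationalInsights modules are installed and Connect-AzAccount has been run; $WorkspaceId (the workspace GUID, not its resource ID), $WaitMinutes and the "EICAR" filter on AlertName are assumptions made for the example.

```powershell
# Added example (not from the thread): trigger an MDE detection with the EICAR
# test file, check the local Defender verdict, then look for the alert in Sentinel.
# Assumed inputs: $WorkspaceId is the Log Analytics workspace ID (GUID);
# $WaitMinutes covers alert-to-workspace latency, which is normally a few minutes.
param(
    [Parameter(Mandatory)] [string] $WorkspaceId,
    [int] $WaitMinutes = 10
)

# The EICAR string is split in two so this script is not itself quarantined
# when saved. Single quotes stop PowerShell from expanding $EICAR and $H.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS' + '-TEST-FILE!$H+H*'
$path  = Join-Path ([Environment]::GetFolderPath('Desktop')) 'EICAR.com'

try {
    # Plain ASCII bytes, no BOM, no trailing newline: the file must be exactly 68 bytes.
    [System.IO.File]::WriteAllBytes($path, [System.Text.Encoding]::ASCII.GetBytes($eicar))
    Write-Host "Wrote $path"
} catch {
    # Real-time protection often blocks the write itself; that is a detection too,
    # and still produces an alert in the Defender portal.
    Write-Host "Write blocked: $($_.Exception.Message) (expected when real-time protection is on)"
}

Start-Sleep -Seconds 30
# Local verdict from the Defender module: EICAR is reported as Virus:DOS/EICAR_Test_File.
Get-MpThreatDetection |
    Where-Object { $_.InitialDetectionTime -gt (Get-Date).AddMinutes(-5) } |
    Select-Object InitialDetectionTime, ThreatID, Resources, ActionSuccess

# Sentinel side: an MDE alert arrives in SecurityAlert with ProviderName "MDATP".
# The AlertName/Entities filter is an assumption; widen it if your tenant names alerts differently.
$kql = @"
SecurityAlert
| where TimeGenerated > ago(1h)
| where ProviderName == "MDATP"
| where AlertName has "EICAR" or Entities has "EICAR.com"
| project TimeGenerated, AlertName, AlertSeverity, CompromisedEntity, ProviderName
| order by TimeGenerated desc
"@

Write-Host "Waiting $WaitMinutes minutes for the alert to reach the workspace..."
Start-Sleep -Seconds ($WaitMinutes * 60)
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $kql
if (@($result.Results).Count -eq 0) {
    Write-Host "No MDATP alert in SecurityAlert yet: re-check the connector status and your workspace RBAC, or wait longer."
} else {
    $result.Results | Format-Table -AutoSize
}
```

If the local Get-MpThreatDetection output shows the EICAR detection but the workspace query stays empty well past the wait, the problem is between Defender and Sentinel (connector state or permissions), not on the device; if nothing is detected locally either, the device is not really protected by Defender AV and no alert will ever be generated to forward.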
Sep 25 2023 05:15 PM
@eliekarkafy Hi bro, I have configured and connected the Defender data connector with Microsoft Sentinel, but I am still unable to receive this data.
Oct 18 2023 02:48 AM
@LauriK000 That means you have data ingested into your analytics workspace through the connector. Did you try to simulate an alert in MDE to check whether you get an incident created in MDE? Don't forget to enable the analytic rule to trigger incidents.