Forum Discussion

planet4
Copper Contributor
Apr 24, 2019

No data was found

I activated Sentinel yesterday but get "No data was found", like in the image below. Is there anything I have missed?

 

3 Replies

  • planet4

    What [Data Connectors] have you added?
    https://docs.microsoft.com/en-us/azure/sentinel/connect-data-sources

    1. Cases (top right) needs you to have created an Alert entry in [Analytics] - see https://docs.microsoft.com/en-us/azure/sentinel/quickstart-get-visibility#create-new-detections

    2. The map (middle bottom) needs data from at least one of these data sources:

    - W3CIISLog (enable in Log Analytics)
    - Wiredata (enable in Log Analytics)
    - WindowsFirewall (Sentinel Connector)
    - CommonSecurityLog (Sentinel Connector)
    - VMConnection (enable in Log Analytics)
    - or DnsEvents (Sentinel Connector)

    You can see your data in your workspace from the Schema items.
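
One way to check which of the tables listed in the reply above have actually received data, as an added example that is not part of the original reply. The 24-hour window is an assumption, and `WireData` is written with the table's actual casing.

```kusto
// Added example: report, for each table the map can draw from, whether any rows arrived.
// Assumption: a 24-hour look-back; widen it if the connector was enabled earlier.
let Expected = datatable(SourceTable:string)
    ["W3CIISLog", "WireData", "WindowsFirewall", "CommonSecurityLog", "VMConnection", "DnsEvents"];
let Seen =
    union isfuzzy=true withsource=SourceTable
        // Empty leg so the union still resolves when none of the tables exist yet.
        (datatable(TimeGenerated:datetime)[]),
        W3CIISLog, WireData, WindowsFirewall, CommonSecurityLog, VMConnection, DnsEvents
    | where TimeGenerated > ago(24h)
    | summarize Rows = count(), LastSeen = max(TimeGenerated) by SourceTable;
// Left outer join keeps tables with no data, so missing sources show up as Rows = 0.
Expected
| join kind=leftouter Seen on SourceTable
| project SourceTable, Rows = coalesce(Rows, 0), LastSeen
| order by Rows desc
```

If every row shows `Rows = 0`, none of the map's sources is ingesting yet and the tile will stay empty regardless of how long Sentinel has been enabled.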

     

     

     

    • planet4
      Copper Contributor

      CliveWatson Ok, thanks. Have made some progress with the IIS log. I am trying to get this into the Grafana Worldmap but I suppose this is another issue. Having problems with country codes and that IIS writes the full country instead of US or SE. Will try more and thanks for your response.


      • CliveWatson
        Former Employee

        planet4 

         

        If you don't mind creating your own list?

         

        // Map the full country name recorded in W3CIISLog to a short country code
        W3CIISLog
        | where isnotempty(RemoteIPCountry)
        | extend countrycode = case(RemoteIPCountry == "United States", "US",
                                    RemoteIPCountry == "United Kingdom", "UK",
                                    // add others here
                                    "Unknown Country")
        | project RemoteIPCountry, countrycode