Oct 03 2020 10:14 AM
Hello,
We have the MMA agent installed on 26 Windows servers, but we are not getting data into Sentinel.
I cannot see any table named "WindowsFirewall" either.
Do the tables appear when data starts pouring in, or is it now deprecated in Sentinel?
Oct 05 2020 01:17 AM
Have you told the MMA to start collecting data? The 2 ways of doing that are:
1. Look under Advanced settings, in your screenshot, and add the Event Logs items you need
2. Enable an Azure Sentinel connector
Do you have any data from the agents? If you do, it should be in the Heartbeat table:
// one row per agent: how many heartbeats, plus the latest heartbeat record
Heartbeat
| summarize count(), arg_max(TimeGenerated, *) by Computer
Oct 05 2020 01:28 AM
@CliveWatson Thanks for the prompt response.
Yes, I have configured Event logs and I can see output when I run the heartbeat query that you have mentioned. Following is the configuration for event logs - I have added everything that says "Firewall" to be safe, but it still does not help.
If you see below, this is how the front page of Sentinel looks:
Is it possible that I need to tune it on the Windows firewall (on the servers) as well, so that they are sent over to Sentinel?
Oct 05 2020 03:02 AM
Logs configured as you have done go into the Event table:
// row count per Windows event log channel collected via Advanced settings
Event
| summarize count() by EventLog
Have you looked here? This is how we ask you to configure this in Sentinel: https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-firewall
Oct 05 2020 03:49 AM
@CliveWatson Thanks a lot.
I have now removed the collection via event logs and have now configured the Data Connector for Windows Defender Firewall with Advanced Security. Should it take some time before I see logs coming in?
Would it also help in getting the map "Potential malicious events" to go live?
Thanks for your help Clive 🙂 Much appreciated.
Oct 05 2020 04:58 AM
That map shows up when you have data in at least one of these tables:
// isfuzzy=true lets the union run even if some of these tables do not exist yet
union isfuzzy=true
    W3CIISLog,
    DnsEvents,
    WireData,
    WindowsFirewall,
    VMConnection,
    CommonSecurityLog
| summarize count() by Type
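To tell which of the servers are actually delivering firewall data once the connector is enabled, the two queries in this thread can be combined: agents are known from Heartbeat, firewall rows from WindowsFirewall. The query below is an added example, not from the thread or from Microsoft; it assumes the standard Computer and TimeGenerated columns in both tables and a 24-hour window (the lookback value is an assumption, adjust as needed).

```kql
// Added example (not from the thread): for every agent that has sent a
// Heartbeat in the last 24h, count the WindowsFirewall rows it produced.
// Servers listed with FirewallRows == 0 have a working agent but no
// firewall data reaching Sentinel yet.
let lookback = 24h;   // assumed window
let agents =
    Heartbeat
    | where TimeGenerated > ago(lookback)
    | summarize LastHeartbeat = max(TimeGenerated) by Computer;
let firewall =
    WindowsFirewall
    | where TimeGenerated > ago(lookback)
    | summarize FirewallRows = count(), LastFirewallEvent = max(TimeGenerated) by Computer;
agents
| join kind=leftouter firewall on Computer   // keep agents with no firewall rows
| extend FirewallRows = coalesce(FirewallRows, 0)
| project Computer, LastHeartbeat, FirewallRows, LastFirewallEvent
| order by FirewallRows asc, Computer asc
```

A server that shows up here with a recent heartbeat but zero firewall rows usually means the connector is enabled in Sentinel but the firewall on that host is not writing its log: the Windows Firewall connector reads the firewall's own log file, so logging of dropped packets and/or successful connections has to be turned on in Windows Defender Firewall with Advanced Security on each server (the docs page linked above covers that step).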