cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Windows Firewall logs are enabled, but they do not show up in Sentinel

SalmanKhan
Copper Contributor

‎Oct 03 2020 10:14 AM

‎Oct 03 2020 10:14 AM

Windows Firewall logs are enabled, but they do not show up in Sentinel

Hello,

 

We have MMA agent installed on 26 windows server, but we are not getting into Sentinel.

I can not see any table named "WindowsFirewall" either.

Do the tables appear when data starts pouring in, or it is now depreciated in Sentinel?

 

 
 

1.jpg

 

6,399 Views
0 Likes
5 Replies
Reply
5 Replies
CliveWatson

‎Oct 05 2020 01:17 AM

‎Oct 05 2020 01:17 AM

Re: Windows Firewall logs are enabled, but they do not show up in Sentinel

@SalmanKhan 

 

Have you told the MMA to start collecting data, the 2 ways of doing that are:

 

1. Look under Advanced settings, in your screen shot and add the Event Logs items you need

2. Enable a Azure Sentinel connector

 

Do you have any data from the Agents, if you do it should be in the Heartbeat table:


 

Heartbeat
| summarize count(), arg_max(TimeGenerated,*) by Computer

 

 

0 Likes
Reply
SalmanKhan

‎Oct 05 2020 01:28 AM

‎Oct 05 2020 01:28 AM

Re: Windows Firewall logs are enabled, but they do not show up in Sentinel

@CliveWatson Thanks for the prompt response.

Yes, I have configured Event logs and I can see output when I run the heartbeat query that you have mentioned. Following is the configuration for event logs - I have added everything that says "Firewall" to be safe, but it still does not help. 

 

1.jpg

 If you see below, this is how the front page of Sentinel looks like:

 

1.jpg

Is it possible that I need to tune it on the windows firewall (on the servers) as well, so that they are sent over to Sentinel?  

0 Likes
Reply
CliveWatson

‎Oct 05 2020 03:02 AM

‎Oct 05 2020 03:02 AM

Re: Windows Firewall logs are enabled, but they do not show up in Sentinel

@SalmanKhan 

 

Logs configured as you have done, go into the Events Table

Event
| summarize count() by EventLog

,
Have you looked here, this is how we ask you to configure this in Sentinel? https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-firewall

0 Likes
Reply
SalmanKhan

‎Oct 05 2020 03:49 AM

‎Oct 05 2020 03:49 AM

Re: Windows Firewall logs are enabled, but they do not show up in Sentinel

@CliveWatson Thanks a lot.

I have now removed the collection via event-logs and have now configured Data Connector for Windows Defender Firewall with Advanced Security. Should it take some time before I see logs  coming in?

Would it also help in getting the map "Potential malicious events" to get live?

 

Thanks for your help Clive :) Much appreciated.

0 Likes
Reply
CliveWatson

‎Oct 05 2020 04:58 AM

‎Oct 05 2020 04:58 AM

Re: Windows Firewall logs are enabled, but they do not show up in Sentinel

@SalmanKhan 

 

That map shows up when you have data in at least one of these Tables:

 

W3CIISLog
DnsEvents
WireData
WindowsFirewall
VMConnection
CommonSecurityLog
 
to check:
 
union isfuzzy=true  
W3CIISLog,
DnsEvents,
WireData,
WindowsFirewall,
VMConnection,
CommonSecurityLog
| summarize count() by Type
0 Likes
Reply