
Comments (7)

TheRealEliteOwl avatar TheRealEliteOwl commented on June 26, 2024

First - I was there not too long ago. Same thing - disconnected, reconnected, etc.
Quick Check:

A.) Run this query in logs ->

WindowsFirewall
| limit 50

B.) Verify that the MMA agent is installed and you are receiving logs (in general from the endpoints).

C.) Check your pfirewall log (just in case) to verify that you are accumulating data ->

C:\Windows\System32\LogFiles\Firewall

If A, B, C all checkout, with no success - Let's go rogue.

Delete your MMA (Agent)
Grab the download file here ->
64-bit: https://go.microsoft.com/fwlink/?LinkId=828603
32-bit: https://go.microsoft.com/fwlink/?LinkId=828604

In Azure, Go-To Security Center
Then Security Solutions
Followed by add non Azure servers.
If you have never set this up, bind it to your Azure Sentinel logs.
Install the agent with the workspace id and key.

Give a few and then check original KQL -

WindowsFirewall
| limit 50

Success?

from azure-sentinel.
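Checks B and C from the comment above, as a script, are an added example and not code from the thread or from the Azure Sentinel project. It assumes Windows PowerShell 5.1 on a Windows Server host with the NetSecurity module, run from an elevated prompt; it only reads configuration unless you uncomment the AddCloudWorkspace lines at the end, where the workspace ID and key are placeholders for your own values.

```powershell
# Added example, not from the original thread. Automates checks B and C above and shows
# which workspace(s) the MMA is bound to. Assumes Windows PowerShell 5.1 on Windows
# Server with the NetSecurity module, run elevated. Read-only unless you uncomment
# the AddCloudWorkspace lines at the end (placeholder values there are assumptions).

# --- C: is firewall logging on for each profile, and is the log file growing? ---
# A profile with LogAllowed and LogBlocked both False writes nothing to pfirewall.log,
# so there is nothing for the agent to ship however healthy the agent is.
Get-NetFirewallProfile -Profile Domain, Private, Public | ForEach-Object {
    # LogFileName is stored with %systemroot% unexpanded; expand it before testing the path.
    $logPath = [Environment]::ExpandEnvironmentVariables($_.LogFileName)
    $exists  = Test-Path -LiteralPath $logPath
    $sizeKB  = if ($exists) { [math]::Round((Get-Item -LiteralPath $logPath).Length / 1KB, 1) } else { 0 }
    [pscustomobject]@{
        Profile      = $_.Name
        Enabled      = $_.Enabled
        LogAllowed   = $_.LogAllowed
        LogBlocked   = $_.LogBlocked
        LogMaxSizeKB = $_.LogMaxSizeKilobytes
        LogFile      = $logPath
        FileExists   = $exists
        FileSizeKB   = $sizeKB
    }
} | Format-Table -AutoSize

# --- B: is the agent installed, running, and connected to a workspace? ---
$svc = Get-Service -Name HealthService -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning 'HealthService not found: the Microsoft Monitoring Agent is not installed on this host.'
    return
}
"HealthService status: $($svc.Status)"

# AgentConfigManager.MgmtSvcCfg is the agent's own COM configuration interface.
$mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
$workspaces = @($mma.GetCloudWorkspaces() | ForEach-Object { $_ })
if ($workspaces.Count -eq 0) {
    Write-Warning 'Agent is installed but bound to no Log Analytics workspace.'
}
$workspaces | ForEach-Object {
    [pscustomobject]@{
        WorkspaceId          = $_.workspaceId
        AgentId              = $_.AgentId
        ConnectionStatus     = $_.ConnectionStatus
        ConnectionStatusText = $_.ConnectionStatusText
    }
} | Format-Table -AutoSize

# To bind (or rebind) the agent to your Sentinel workspace without a full reinstall,
# fill in your own workspace ID and primary key (placeholders below) and uncomment:
# $mma.AddCloudWorkspace('<workspace-id>', '<workspace-primary-key>')
# $mma.ReloadConfiguration()
```

The first table tells you whether the firewall is writing anything at all (both LogAllowed and LogBlocked False on a profile means an empty or missing pfirewall.log, which is the outcome DSharpPro reports later in this thread); the second tells you whether the agent is bound to the workspace you are querying. Only once both look right is it worth running check A, `WindowsFirewall | limit 50`, again.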

DSharpPro avatar DSharpPro commented on June 26, 2024

Hi RealEliteOwl,

We found that the firewall logging wasn't enabled. We have since done so and can confirm the data is accumulating.

Can you please clarify the following in regards to going rogue:

  1. By deleting the MMA (agent) do you mean uninstall the agent?
  2. Step 2 > go to Security Center: do you mean the Log Analytics workspace? We are not currently using Security Center.

Thank you for your help so far and for pointing us in the right direction with the firewall log! We didn't know that we needed it turned on.


TheRealEliteOwl avatar TheRealEliteOwl commented on June 26, 2024

Ah! I can see where that is confusing.

1.) Yes, deleting the agent. Early on, it did not appear that changes to settings impacted the (prior installed) agents. In some cases, we had to uninstall them and reinstall before new data was flowing.

2.) Nope - Security Center (we don't use either), but when information was not flowing correctly, we added them to it as non-azure machines and were able to get data flowing that way.

Hope that all makes sense.

You'd think that having the MMA installed would be enough to pull all the required data (like firewall data) on its own (similar to how WDATP works), but it appears that this is not the case with this implementation or it's broken - either one.

Glad to help.


VAsHachiRoku avatar VAsHachiRoku commented on June 26, 2024

Same issue not getting any data

Ensured WF log is enabled for both Drop/Success for Domain/Public/Private Profiles (Default path and file name)
Uninstalled MMA
Restarted VM (WinServer2019 Azure East Asia region same RG as Log Analytics Workspace)
Azure Sentinel: followed link to install MMA agent by connecting it; MMA version = 1.0.18001.0
Rebooted VM after MMA installation
Log Analytics Workspace is located in Southeast Asia (Same RG as VM, just different region)
Sentinel Data Connector for WF is still showing no logs received.

Did a test with Log Analytics custom logs, was able to receive the WF log file (default location and name) and data was showing up under Custom Logs.

A.) No results returned
B.) Heartbeat query is working and other Security Events
C.) Logs are showing SENT/RECEIVED connections

Deleted/Re-connected through Azure Extension - Check
Azure Security Center no need as this is an Azure VM


stephenhickie avatar stephenhickie commented on June 26, 2024

Hi I'm having the same issue. I have now created a new VM, turned on Public/Domain/Private logging for connections, default name and path, and installed MMA from the Sentinel Portal. I am getting Security event data but not Firewall logs. Any other ideas? Is there something else I need to install to get this working?


Yaniv-Shasha avatar Yaniv-Shasha commented on June 26, 2024

Hi,

assuming your agent is healthy and you are seeing Heartbeat in the workspace.
Can you try to reduce the size of the FW log on the sample VM?
https://www.howtogeek.com/220204/how-to-track-firewall-activity-with-the-windows-firewall-log/

Because the FW uploads the logs to the workspace only if the logs reach a certain size, or after 1000 activities.

Action plan:

  1. change the size of the log to a small size (single KBs)
  2. do some operation that will write to the FW logs
  3. check if the event is written to the workspace

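The three-step action plan above as a script, with a parser for the resulting pfirewall.log entries so you can see exactly what the connector should be picking up, is an added example and not code from the thread or from the Azure Sentinel project. It assumes an elevated Windows PowerShell 5.1 session on the test VM; `$probeHost` and `$probePort` are placeholders, not values from the page.

```powershell
# Added example, not from the original thread: steps 1-3 of the action plan above,
# plus a parser for pfirewall.log. Assumes an elevated Windows PowerShell 5.1 session
# on the test VM. $probeHost/$probePort are placeholders; point them at something your
# policy allows (ALLOW lines) or something it drops (DROP lines) as needed.

$logPath   = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
$probeHost = 'login.microsoftonline.com'   # placeholder: any reachable HTTPS host
$probePort = 443

# 1. Shrink the log to a few KB and log both allowed and dropped packets on all profiles,
#    keeping the default path and name.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log' `
    -LogAllowed True -LogBlocked True -LogMaxSizeKilobytes 4

function Get-LogSize {
    if (Test-Path -LiteralPath $logPath) { (Get-Item -LiteralPath $logPath).Length } else { 0 }
}
$before = Get-LogSize

# 2. Generate connections for the firewall to write to the log.
1..20 | ForEach-Object {
    Test-NetConnection -ComputerName $probeHost -Port $probePort -InformationLevel Quiet | Out-Null
}
Start-Sleep -Seconds 5

# 3. Confirm the file grew (or rolled over to pfirewall.log.old at the 4 KB cap) and
#    parse the newest entries. The file is W3C-style: a '#Fields:' header line names the
#    space-separated columns (date time action protocol src-ip dst-ip src-port dst-port
#    size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path); data lines follow.
$after = Get-LogSize
"pfirewall.log: $before bytes before, $after bytes after"
if (Test-Path -LiteralPath "$logPath.old") { "rotated copy present: $logPath.old" }

function ConvertFrom-PfirewallLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        # Skip the other header lines, blanks, and anything before a #Fields line.
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
        $values = $line -split '\s+'
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $obj[$fields[$i]] = $values[$i]
        }
        [pscustomobject]$obj
    }
}

# The header is always at the top of the file, the newest entries at the bottom.
$header = Get-Content -LiteralPath $logPath -TotalCount 10 | Where-Object { $_ -like '#*' }
$tail   = Get-Content -LiteralPath $logPath -Tail 10
ConvertFrom-PfirewallLog -Lines ($header + $tail) |
    Select-Object date, time, action, protocol, 'src-ip', 'dst-ip', 'dst-port', path |
    Format-Table -AutoSize
```

The firewall writes the log in batches rather than per packet, so if the size has not changed after the sleep, wait a minute and rerun step 3 before concluding that nothing is being logged. Once the parsed tail shows fresh ALLOW/DROP rows, run `WindowsFirewall | where TimeGenerated > ago(30m)` in the workspace to see whether those rows arrived; if the file is growing locally but the table stays empty, the problem is on the agent or connector side, not the firewall.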

shainw avatar shainw commented on June 26, 2024

Nothing recent on this issue, closing for now.

