Comments (7)
First - I was there not too long ago. Same thing - disconnected, reconnected, etc.
Quick Check:
A.) Run this query in logs ->
WindowsFirewall
| limit 50
B.) Verify that the MMA agent is installed and you are receiving logs (in general from the endpoints).
C.) Check your pfirewall log (just in case) to verify that you are accumulating data ->
C:\Windows\System32\LogFiles\Firewall
If A, B, C all check out with no success, let's go rogue.
Delete your MMA (Agent)
Grab the download file here ->
64-bit: https://go.microsoft.com/fwlink/?LinkId=828603
32-bit: https://go.microsoft.com/fwlink/?LinkId=828604
In Azure, Go-To Security Center
Then Security Solutions
Followed by add non Azure servers.
If you have never set this up, bind it to your Azure Sentinel logs.
Install the agent with the workspace id and key.
Give a few and then check original KQL -
WindowsFirewall
| limit 50
Success?
from azure-sentinel.
Hi RealEliteOwl,
We found that the firewall logging wasn't enabled. We have since done so and can confirm the data is accumulating.
Can you please clarify the following in regards to going rogue:
- By deleting the MMA (agent), do you mean uninstall the agent?
- Step 2 > go to Security Center: do you mean the log analytics workspace? We are not currently using Security Center.
Thank you for your help so far and for pointing us in the right direction with the firewall log! We didn't know that we needed it turned on.
from azure-sentinel.
Ah! I can see where that is confusing.
1.) Yes, deleting the agent. Early on, it did not appear that changes to settings impacted the (prior installed) agents. In some cases, we had to uninstall them and reinstall before new data was flowing.
2.) Nope - Security Center (we don't use either), but when information was not flowing correctly, we added them to it as non-azure machines and were able to get data flowing that way.
Hope that all makes sense.
You'd think that having the MMA installed would be enough to pull all the required data (like firewall data) on its own (similar to how WDATP works), but it appears that this is not the case with this implementation or it's broken - either one.
Glad to help.
from azure-sentinel.
Same issue not getting any data
Ensured WF log is enabled for both Drop/Success for Domain/Public/Private Profiles (Default path and file name)
Uninstalled MMA
Restarted VM (WinServer2019 Azure East Asia region same RG as Log Analytics Workspace)
Azure Sentinel: followed the link to install the MMA agent by connecting it; MMA version is 1.0.18001.0
Rebooted VM after MMA installation
Log Analytics Workspace is located in Southeast Asia (Same RG as VM, just different region)
Sentinel Data Connector for WF is still showing no logs received.
Did a test with Log Analytics custom logs and was able to receive the WF log file (default location and name); data was showing up under Custom Logs.
A.) No results returned
B.) Heartbeat query is working and other Security Events
C.) Logs are showing SENT/RECEIVED connections
Deleted/Re-connected through Azure Extension - Check
Azure Security Center no need as this is an Azure VM
from azure-sentinel.
Hi I'm having the same issue. I have now created a new VM, turned on Public/Domain/Private logging for connections, default name and path, and installed MMA from the Sentinel Portal. I am getting Security event data but not Firewall logs. Any other ideas? Is there something else I need to install to get this working?
from azure-sentinel.
Hi,
Assuming your agent is healthy and you are seeing Heartbeat in the workspace,
can you try to reduce the size of the FW log on the sample VM?
https://www.howtogeek.com/220204/how-to-track-firewall-activity-with-the-windows-firewall-log/
Because the FW uploads the logs to the workspace only when the log reaches a certain size, or after 1000 activities.
Action plan:
- change the size of the log to a small size (single KBs)
- do some operation that will write to the FW log
- check if the event is written to the workspace
from azure-sentinel.
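As an added example (not code from this thread or from the Azure Sentinel project), a PowerShell pre-flight script that runs the thread's checks A-C locally on the monitored host and applies the log-shrinking action plan on request; it assumes `HealthService` as the MMA service name and the default `pfirewall.log` path.

```powershell
# Added example: local pre-flight checks for the Sentinel Windows Firewall connector.
# Run in an elevated PowerShell on the monitored Windows host.
# Assumed: 'HealthService' is the MMA service name; log path is read from the profile config.
param([switch]$ShrinkLog)   # -ShrinkLog caps the log at 1 KB so the size threshold trips quickly

# 1. Logging must be enabled per profile, or pfirewall.log is never written (the first
#    poster's root cause in this thread).
$profiles = Get-NetFirewallProfile |
    Select-Object Name, Enabled, LogAllowed, LogBlocked, LogFileName, LogMaxSizeKilobytes
$profiles | Format-Table -AutoSize | Out-Host
$silent = $profiles | Where-Object { -not $_.LogAllowed -and -not $_.LogBlocked }
if ($silent) { Write-Warning "No logging on profile(s): $($silent.Name -join ', ')" }

# 2. The log file must exist and be accumulating entries (step C).
$logPath = [Environment]::ExpandEnvironmentVariables($profiles[0].LogFileName)
if (-not (Test-Path $logPath)) {
    Write-Warning "Log file missing: $logPath (logging may have only just been enabled)"
} else {
    $file = Get-Item $logPath
    # Header lines start with '#'; every other line is one connection event.
    $entries = @(Get-Content $logPath | Where-Object { $_ -notmatch '^#' }).Count
    "{0}: {1} KB, {2} entries, last write {3}" -f $logPath,
        [math]::Round($file.Length / 1KB, 1), $entries, $file.LastWriteTime
    # Per the action plan above, upload happens only when the log hits its size cap
    # or roughly 1000 entries, so a small quiet file shows nothing in WindowsFirewall yet.
    if ($entries -lt 1000) { "Fewer than 1000 entries: use -ShrinkLog or generate traffic." }
}

# 3. The agent must be installed and running (step B).
$svc = Get-Service -Name HealthService -ErrorAction SilentlyContinue
if (-not $svc) { Write-Warning "MMA (HealthService) is not installed" }
elseif ($svc.Status -ne 'Running') { Write-Warning "MMA installed but service is $($svc.Status)" }
else { "MMA HealthService is running" }

# 4. Optional: shrink the log so the upload threshold trips on little traffic.
if ($ShrinkLog) {
    Set-NetFirewallProfile -All -LogAllowed True -LogBlocked True -LogMaxSizeKilobytes 1
    "Firewall log capped at 1 KB on all profiles; generate traffic, wait, then re-run the KQL."
}
```

After the script reports entries and a running agent, re-run `WindowsFirewall | limit 50` in the workspace; restore a sensible `LogMaxSizeKilobytes` once data is flowing.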
Nothing recent on this issue, closing for now.
from azure-sentinel.