Windows Firewall Data Connector #164
Comments
First - I was there not too long ago. Same thing - disconnected, reconnected, etc.
A.) Run this query in logs -> WindowsFirewall
B.) Verify that the MMA agent is installed and you are receiving logs (in general, from the endpoints).
C.) Check your pfirewall log (just in case) to verify that you are accumulating data -> C:\Windows\System32\LogFiles\Firewall
If A, B, C all check out with no success - let's go rogue. Delete your MMA (Agent). In Azure, go to Security Center. Give it a few and then check the original KQL - WindowsFirewall. Success?
Hi RealEliteOwl, we found that the firewall logging wasn't enabled. We have since done so and can confirm the data is accumulating. Can you please clarify the following in regards to going rogue:
Thank you for your help so far and for pointing us in the right direction with the firewall log! We didn't know that we needed it turned on.
Ah! I can see where that is confusing.
1.) Yes, deleting the agent. Early on, it did not appear that changes to settings impacted the (prior installed) agents. In some cases, we had to uninstall them and reinstall before new data was flowing.
2.) Nope - Security Center (we don't use either), but when information was not flowing correctly, we added them to it as non-Azure machines and were able to get data flowing that way.
Hope that all makes sense. You'd think that having the MMA installed would be enough to pull all the required data (like firewall data) on its own (similar to how WDATP works), but it appears that this is not the case with this implementation or it's broken - either one. Glad to help.
Same issue, not getting any data.
Ensured WF log is enabled for both Drop/Success for Domain/Public/Private profiles (default path and file name).
Did a test with Log Analytics custom logs; was able to receive the WF log file (default location and name) and data was showing up under Custom Logs.
A.) No results returned
Deleted/Re-connected through Azure Extension - Check
Hi, I'm having the same issue. I have now created a new VM, turned on Public/Domain/Private logging for connections, default name and path, and installed MMA from the Sentinel Portal. I am getting Security event data but not Firewall logs. Any other ideas? Is there something else I need to install to get this working?
Hi, assuming your agent is healthy and you are seeing Heartbeat in the workspace: the FW uploads the logs to the workspace only once the logs reach a certain size, or after 1000 activities. Action plan:
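The checks the thread walks through (logging enabled per profile, the pfirewall log present at its default path, the agent service connected, then the KQL), collected into one PowerShell diagnostic; this is an added example, not code from any participant or from the connector itself. It assumes the standard NetSecurity cmdlets and the MMA's AgentConfigManager COM object are present on the endpoint, and the KQL at the end is meant to be pasted into the workspace by hand.

```powershell
# Added diagnostic (not from the thread): checks the prerequisites the comments
# above list for the Windows Firewall connector. Run as Administrator on the
# endpoint that has the Log Analytics (MMA) agent installed.

# 1) Firewall logging must be on for Domain, Private and Public, for both
#    allowed (Success) and blocked (Drop) connections, at the default path.
$defaultLog = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
foreach ($fwProfile in Get-NetFirewallProfile) {
    $enabled = ($fwProfile.LogAllowed -eq 'True') -and ($fwProfile.LogBlocked -eq 'True')
    "{0,-8} LogAllowed={1,-5} LogBlocked={2,-5} LogFile={3}" -f `
        $fwProfile.Name, $fwProfile.LogAllowed, $fwProfile.LogBlocked, $fwProfile.LogFileName
    if (-not $enabled) {
        # Enable both; the log file name is left at the firewall's default.
        Set-NetFirewallProfile -Name $fwProfile.Name -LogAllowed True -LogBlocked True
    }
}

# 2) The log file must exist and keep growing; if it is absent, logging is
#    still off or a GPO points it somewhere other than the default path.
$log = Get-Item -Path $defaultLog -ErrorAction SilentlyContinue
if ($log) {
    "pfirewall.log: {0} bytes, last written {1}" -f $log.Length, $log.LastWriteTime
} else {
    "pfirewall.log not found at $defaultLog"
}

# 3) The agent service must be running and connected to the workspace.
Get-Service -Name HealthService -ErrorAction SilentlyContinue |
    Select-Object Name, Status
$mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
$mma.GetCloudWorkspaces() | Select-Object workspaceId, ConnectionStatusText

# 4) Queries to run in the Sentinel workspace afterwards (KQL, not PowerShell):
@'
Heartbeat
| where TimeGenerated > ago(1h)
| summarize LastSeen = max(TimeGenerated) by Computer

WindowsFirewall
| where TimeGenerated > ago(1d)
| summarize Events = count() by Computer
'@
```

On a quiet test VM the log file can sit below the upload threshold described in the previous comment for some time, so an empty WindowsFirewall result right after enabling logging is not by itself a failure.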
Nothing recent on this issue, closing for now.
Describe the bug
Windows Firewall Logs are "not" being sent through to Sentinel after Windows Firewall connector has been configured.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Windows Firewall Events to be available under the log options:
Please request additional content if required.