
Windows Firewall Data Connector #164

Closed
DSharpPro opened this issue May 15, 2019 · 7 comments

Comments

@DSharpPro

Describe the bug
Windows Firewall Logs are "not" being sent through to Sentinel after Windows Firewall connector has been configured.

To Reproduce
Steps to reproduce the behavior:

  1. Go to "Azure Sentinel"
  2. Click on "Data Connectors"
  3. Scroll down to "Windows Firewall"

Expected behavior
Windows Firewall Events to be available under the log options:

  1. Logs
  2. Windows Firewall
  3. Run the default command > expecting to see results

Please request additional content if required.

@TheRealEliteOwl

TheRealEliteOwl commented May 17, 2019

First - I was there not too long ago. Same thing - disconnected, reconnected, etc.
Quick Check:

A.) Run this query in logs ->

WindowsFirewall
| limit 50

B.) Verify that the MMA agent is installed and you are receiving logs (in general from the endpoints).

C.) Check your pfirewall log (just in case) to verify that you are accumulating data ->

C:\Windows\System32\LogFiles\Firewall

If A, B, C all check out, with no success - let's go rogue.

Delete your MMA (Agent)
Grab the download file here ->
64-bit: https://go.microsoft.com/fwlink/?LinkId=828603
32-bit: https://go.microsoft.com/fwlink/?LinkId=828604

In Azure, go to Security Center,
then Security Solutions,
followed by add non-Azure servers.
If you have never set this up, bind it to your Azure Sentinel logs.
Install the agent with the workspace id and key.

Give a few and then check original KQL -

WindowsFirewall
| limit 50

Success?
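The host-side half of the quick check above (logging enabled, pfirewall log present and growing, agent service running) collected into one read-only script. This is an added example, not code from the thread or from Microsoft; it assumes the built-in NetSecurity module (`Get-NetFirewallProfile`) and that the Microsoft Monitoring Agent is registered under its usual service name, `HealthService`. Run it in an elevated PowerShell on the Windows host; the KQL part of the check (A) is still run in the workspace.

```powershell
# Added example, not from the original thread. Read-only diagnostics for a host that
# should be sending Windows Firewall logs to the workspace. Assumes the NetSecurity
# module and the MMA service name "HealthService"; nothing here changes configuration.

# 1. Is per-profile logging enabled, and where does each profile write its log?
$profiles = Get-NetFirewallProfile |
    Select-Object Name, Enabled, LogFileName, LogAllowed, LogBlocked, LogMaxSizeKilobytes
$profiles | Format-Table -AutoSize

# A profile with neither allowed nor blocked logging on produces no file at all,
# which is the situation DSharpPro hit ("firewall logging wasn't enabled").
$notLogging = $profiles | Where-Object { $_.LogAllowed -ne 'True' -and $_.LogBlocked -ne 'True' }
if ($notLogging) {
    Write-Warning ("Profiles with logging disabled: " + ($notLogging.Name -join ', '))
}

# 2. Does the log file exist, and is it still growing? LogFileName is usually
#    %systemroot%\system32\LogFiles\Firewall\pfirewall.log, so expand the variable.
foreach ($p in $profiles) {
    $path = [Environment]::ExpandEnvironmentVariables($p.LogFileName)
    if (Test-Path $path) {
        $f = Get-Item $path
        $ageMin = [int]((Get-Date) - $f.LastWriteTime).TotalMinutes
        Write-Host ("{0}: {1} ({2} KB, last written {3} min ago, max {4} KB)" -f `
            $p.Name, $path, [int]($f.Length / 1KB), $ageMin, $p.LogMaxSizeKilobytes)
    } else {
        Write-Warning ("{0}: log file {1} does not exist yet" -f $p.Name, $path)
    }
}

# 3. Is the Microsoft Monitoring Agent service running at all?
$svc = Get-Service -Name HealthService -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning "HealthService not found: MMA does not appear to be installed"
} elseif ($svc.Status -ne 'Running') {
    Write-Warning ("HealthService is {0}" -f $svc.Status)
} else {
    Write-Host "HealthService is running"
}
```

If step 2 reports a file that exists but was last written hours ago, the firewall is not recording anything new and the connector has nothing to ship, regardless of agent health.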

@DSharpPro
Author

Hi RealEliteOwl,

We found that the firewall logging wasn't enabled. We have since done so and can confirm the data is accumulating.

Can you please clarify the following in regards to going rogue:

  1. By deleting the MMA (agent), do you mean uninstall the agent?
  2. Go to Security Center: do you mean the Log Analytics workspace? We are not currently using Security Center.

Thank you for your help so far and for pointing us in the right direction with the firewall log! We didn't know that we needed it turned on.

@TheRealEliteOwl

Ah! I can see where that is confusing.

1.) Yes, deleting the agent. Early on, it did not appear that changes to settings impacted the (prior installed) agents. In some cases, we had to uninstall them and reinstall before new data was flowing.

2.) Nope - Security Center (we don't use it either), but when information was not flowing correctly, we added them to it as non-Azure machines and were able to get data flowing that way.

Hope that all makes sense.

You'd think that having the MMA installed would be enough to pull all the required data (like firewall data) on its own (similar to how WDATP works), but it appears that this is not the case with this implementation or it's broken - either one.

Glad to help.

@VAsHachiRoku

Same issue, not getting any data.

Ensured WF log is enabled for both Drop/Success for Domain/Public/Private profiles (default path and file name)
Uninstalled MMA
Restarted VM (WinServer2019, Azure East Asia region, same RG as Log Analytics Workspace)
Azure Sentinel: followed link to install MMA agent by connecting it; MMA version is 1.0.18001.0
Rebooted VM after MMA installation
Log Analytics Workspace is located in Southeast Asia (same RG as VM, just different region)
Sentinel Data Connector for WF is still showing no logs received.

Did a test with Log Analytics custom logs; was able to receive the WF log file (default location and name) and data was showing up under Custom Logs.

A.) No results returned
B.) Heartbeat query is working, and other Security Events
C.) Logs are showing SENT/RECEIVED connections

Deleted/re-connected through Azure Extension - check
Azure Security Center: no need, as this is an Azure VM

@stephenhickie

Hi, I'm having the same issue. I have now created a new VM, turned on Public/Domain/Private logging for connections, default name and path, and installed MMA from the Sentinel portal. I am getting Security event data but not Firewall logs. Any other ideas? Is there something else I need to install to get this working?

@Yaniv-Shasha
Contributor

Yaniv-Shasha commented Aug 28, 2019

Hi,

Assuming your agent is healthy and you are seeing Heartbeat in the workspace,
can you try to reduce the size of the FW log on the sample VM?
https://www.howtogeek.com/220204/how-to-track-firewall-activity-with-the-windows-firewall-log/

Because the FW uploads the logs to the workspace only if the log reaches a certain size, or after 1000 activities.

Action plan:

  1. change the size of the log to a small size (single KBs)
  2. do some operation that will write to the FW logs
  3. check if the event is written to the workspace
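The three steps of that action plan as one script for the sample VM. This is an added example, not code from the thread or from Microsoft; it assumes the NetSecurity module (`Set-NetFirewallProfile`), and the 64 KB log size, the probe target and the connection count are constructed values for the test, chosen so the file rolls over quickly. Run it in an elevated PowerShell on the VM; the final check is the `WindowsFirewall` query in the workspace.

```powershell
# Added example, not from the original thread. Shrinks the firewall log so the agent's
# size-based upload triggers sooner, writes some entries, and reports local growth.
# Assumes the NetSecurity module. Values below are constructed for a test VM.

$Profiles    = 'Domain', 'Private', 'Public'
$LogSizeKB   = 64              # "single KBs": Windows clamps this to 1..32767 KB (default 4096)
$ProbeTarget = 'www.bing.com'  # placeholder host used only to generate connection events
$ProbeCount  = 50

# Step 1: log both allowed and blocked connections, with a small maximum size.
Set-NetFirewallProfile -Profile $Profiles -LogAllowed True -LogBlocked True `
    -LogMaxSizeKilobytes $LogSizeKB

# All three profiles normally share one file; resolve %systemroot% in its path.
$logPath = [Environment]::ExpandEnvironmentVariables(
    (Get-NetFirewallProfile -Profile Domain).LogFileName)
$before = if (Test-Path $logPath) { (Get-Item $logPath).Length } else { 0 }

# Step 2: generate outbound connections so the firewall writes entries.
1..$ProbeCount | ForEach-Object {
    Test-NetConnection -ComputerName $ProbeTarget -Port 443 -InformationLevel Quiet | Out-Null
}

# Step 3a: confirm the local file grew (a few seconds for the write to flush).
Start-Sleep -Seconds 5
$after = if (Test-Path $logPath) { (Get-Item $logPath).Length } else { 0 }
Write-Host ("{0}: {1} -> {2} bytes (max {3} KB)" -f $logPath, $before, $after, $LogSizeKB)
if ($after -le $before) {
    Write-Warning "Log did not grow; check that logging is enabled for the active profile"
}

# Step 3b: once the file has reached its maximum size and rolled over, query the
# workspace for this host:
#   WindowsFirewall
#   | where Computer == $env:COMPUTERNAME   // substitute the host name in the portal
#   | where TimeGenerated > ago(30m)
#   | limit 50
```

When the test is done, put the size back with `Set-NetFirewallProfile -Profile Domain,Private,Public -LogMaxSizeKilobytes 4096`; a 64 KB log rolls over so often on a busy host that you lose entries between uploads.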

@shainw
Contributor

shainw commented Sep 13, 2019

Nothing recent on this issue, closing for now.

shainw closed this as completed Sep 13, 2019