How do I get windows firewall logs my workspace?

Question

How do I get windows firewall logs my workspace?

F S 0

I have a W11 endpoint, not a VM btw. I deployed AMA through Intune. AMA is running fine. My workspace is only showing Heartbeat logs for the endpoint.

I need FW logs. I made sure public, private & domain profiles are enabled on my endpoint. I made sure logging for successful & dropped packets are enabled on all profiles too. I checked my firewall logs and there are firewall logs accumulating.

I have a data connector (Windows Firewall) connected to my workspace. It shows connected and is configured properly. I originally did have the Windows Firewall Events via AMA connector and I set up a DCR for it, but the data connector is showing disconnected now.

Is there something I'm missing to get the FW logs to show in my workspace?

Sándor Tőkési 251 Reputation points

2025-03-12T06:20:57.86+00:00

1: When you say 'I originally did have the Windows Firewall Events via AMA connector and I set up a DCR for it, but the data connector is showing disconnected now.' - does this mean you have it connected and it just stopped working without you doing anything, or had you made some changed before it stopped working?

2: Can you see the data anywhere in Sentinel? Maybe they are not in their native location for any reasons that can cause the connector to show 'disconnected'.

3: You can enable the DCR diagnostic settings to see whether they create any error messages in your Sentinel.

4: Have you deployed the DCR from the connector page? If so, have you made any changes in the DCR manualy, or is it the default DCR?

5: If you go to your machine, can you see the DCR config there? I've seen some machines not downloading the DCR settings. In this case, some changes in the DCR or reassigning the DCR usually solved the problem for me.

1 answer

Your answer

Sándor Tőkési 251 Reputation points

2025-03-12T06:20:57.86+00:00

1: When you say 'I originally did have the Windows Firewall Events via AMA connector and I set up a DCR for it, but the data connector is showing disconnected now.' - does this mean you have it connected and it just stopped working without you doing anything, or had you made some changed before it stopped working?

2: Can you see the data anywhere in Sentinel? Maybe they are not in their native location for any reasons that can cause the connector to show 'disconnected'.

3: You can enable the DCR diagnostic settings to see whether they create any error messages in your Sentinel.

4: Have you deployed the DCR from the connector page? If so, have you made any changes in the DCR manualy, or is it the default DCR?

5: If you go to your machine, can you see the DCR config there? I've seen some machines not downloading the DCR settings. In this case, some changes in the DCR or reassigning the DCR usually solved the problem for me.

Answer 1

It stopped working without me doing anything. I just checked again this morning and now the Windows Firewall data connector is also disconnected. A week ago I originally installed 3 data connectors (Windows Firewall, Windows Firewall via AMA, and Windows Security Events via AMA) and it looks like only the Windows Security Events via AMA is still there. Maybe I should start troubleshooting from here first?BTW forgot to mention that everything is all new to me, so I could definitely be setting things up wrong.

Also, how do I check DCR settings on my machine?

Share via

How do I get windows firewall logs my workspace?

1 answer

Your answer