Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,242 questions
How do I get windows firewall logs my workspace?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(38.4, 78%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFS%3C/text%3E%3C/svg%3E)
F S
0
Reputation points
I have a W11 endpoint, not a VM btw. I deployed AMA through Intune. AMA is running fine. My workspace is only showing Heartbeat logs for the endpoint.
I need FW logs. I made sure public, private & domain profiles are enabled on my endpoint. I made sure logging for successful & dropped packets are enabled on all profiles too. I checked my firewall logs and there are firewall logs accumulating.
I have a data connector (Windows Firewall) connected to my workspace. It shows connected and is configured properly. I originally did have the Windows Firewall Events via AMA connector and I set up a DCR for it, but the data connector is showing disconnected now.
Is there something I'm missing to get the FW logs to show in my workspace?
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 94%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESN%3C/text%3E%3C/svg%3E)
Sándor Tőkési 251 Reputation points2025-03-12T06:20:57.86+00:00 1: When you say 'I originally did have the Windows Firewall Events via AMA connector and I set up a DCR for it, but the data connector is showing disconnected now.' - does this mean you have it connected and it just stopped working without you doing anything, or had you made some changed before it stopped working?
2: Can you see the data anywhere in Sentinel? Maybe they are not in their native location for any reasons that can cause the connector to show 'disconnected'.
3: You can enable the DCR diagnostic settings to see whether they create any error messages in your Sentinel.
4: Have you deployed the DCR from the connector page? If so, have you made any changes in the DCR manualy, or is it the default DCR?
5: If you go to your machine, can you see the DCR config there? I've seen some machines not downloading the DCR settings. In this case, some changes in the DCR or reassigning the DCR usually solved the problem for me.
Sign in to comment
Sign in to answer