Data Stream not found in Data Views

sakib3833 · October 21, 2022, 5:14pm

I use Microsoft Defender Endpoint integration to collect logs. The agent installed perfectly and the other ID and secret key put accordingly.
In the Index management section it shows that it creates Data Stream.

But in Data Views section, I couldn't find the Data Stream and eventually I wasn't able to navigate any MS defender endpoint data in Discover Section.

Previously I did the same process for MS365 Defender log. That works fine.
So I am not sure what exactly the issue is. Any suggestions?
Thank you.

andrewkroh · October 27, 2022, 2:22pm

If you run this in the Dev Tool console in Kibana, do you have any indices?

GET _cat/indices/*microsoft_defender*?v

The data stream exists when the integration is setup, but the indices are not created until some data is generated. So if there are no indices yet then I would check the logs for the Agent to see if there are any errors relating to microsoft_defender.

You can check the logs for the Agent in Kibana with a query for data_stream.dataset:"elastic_agent.filebeat" .

system · November 24, 2022, 2:23pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Index not found in Logs Elasticsearch	3	169	January 30, 2024
Integrate Microsoft Defender with Elastic Elastic Security	3	225	April 24, 2024
Elastic agent shows healthy (Also no error messages in Logs) in Kibana but fails to send data to elastic search Endpoint Security	6	3141	June 2, 2022
ElasticAgent not creating new index Elastic Agent	2	191	November 15, 2023
Datafeed [datafeed-packetbeat_dns_tunneling] cannot retrieve data because no index matches datafeed's indices [packetbeat-*] Kibana elastic-stack-machine-learning	16	499	July 10, 2023

Data Stream not found in Data Views

Related Topics