Data Stream not found in Data Views

sakib3833 · October 21, 2022, 5:14pm

I use Microsoft Defender Endpoint integration to collect logs. The agent installed perfectly and the other ID and secret key put accordingly.
In the Index management section it shows that it creates Data Stream.

But in Data Views section, I couldn't find the Data Stream and eventually I wasn't able to navigate any MS defender endpoint data in Discover Section.

Previously I did the same process for MS365 Defender log. That works fine.
So I am not sure what exactly the issue is. Any suggestions?
Thank you.

andrewkroh · October 27, 2022, 2:22pm

If you run this in the Dev Tool console in Kibana, do you have any indices?

GET _cat/indices/*microsoft_defender*?v

The data stream exists when the integration is setup, but the indices are not created until some data is generated. So if there are no indices yet then I would check the logs for the Agent to see if there are any errors relating to microsoft_defender.

You can check the logs for the Agent in Kibana with a query for data_stream.dataset:"elastic_agent.filebeat" .

system · November 24, 2022, 2:23pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.